Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 01fdf12a1f498d67…

MALICIOUS

Office (OLE) / .SEN

Size: 200.2 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: d388e5be4f4610519213c0c4788bf73d
SHA-1: 42c45b006cb40ce55f3aa416e70339ab8b420a5e
SHA-256: 01fdf12a1f498d67ca771cd497efe359d39d2e3d2da330c35c67f792965308ab
Risk score: 340

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an OLE compound document with significant structural anomalies: roughly 70% of the file lies in unallocated sector slack, and an executable-looking payload is appended beyond the declared streams. Heuristics find a NOP sled, PEB access through the FS segment followed by ROR13-style API hashing, and Windows API names XOR-encoded with single-byte key 0xFF, all consistent with position-independent shellcode that resolves its imports at runtime. The document body contains embedded Excel and PowerPoint objects, suggesting a lure to entice the user to open the malicious content. Only the EPRINT/EMF object in the ObjectPool points at a specific exploit family; the remaining rules identify a payload carrier rather than a particular parser CVE.
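The shellcode heuristics named above (NOP sled, PEB read via fs:[0x30], ROR13 import hashing, 0xFF-XOR-encoded API names) as a runnable scanner. This is an added example, not the report's analysis engine; the byte blob it scans, the API name list and the x86 byte patterns are constructed for the demonstration and are not data from the analysed sample. The ROR13 routine implements the Metasploit block_api hashing convention (upper-case UTF-16LE module name plus terminator, ASCII function name plus terminator).

```python
"""Added example: shellcode heuristics over a constructed byte blob.
Not the report's own tooling; the sample data below is constructed."""
import re

# Library/API names the XOR scan looks for (subset of what the report lists).
KNOWN_APIS = [b"KERNEL32.DLL", b"LoadLibraryA", b"GetProcAddress", b"ExitProcess",
              b"CreateFileA", b"OpenProcess", b"ShellExecuteA"]

# x86 byte patterns that read the PEB pointer from the TEB at fs:[0x30].
PEB_FS30 = {
    b"\x64\xa1\x30\x00\x00\x00":     "mov eax, fs:[0x30]",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "mov ebx, fs:[0x30]",
    b"\x64\x8b\x35\x30\x00\x00\x00": "mov esi, fs:[0x30]",
    b"\x64\x8b\x40\x30":             "mov eax, fs:[eax+0x30]  (eax == 0)",
}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def build_sample() -> bytes:
    """Constructed blob: junk, a 24-byte NOP sled, a PEB read, an Ldr walk,
    then four API names XOR-encoded with single-byte key 0xFF."""
    sled = b"\x90" * 24
    peb = b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[0x30]
    ldr = b"\x8b\x40\x0c"               # mov eax, [eax+0x0c]  -> PEB->Ldr
    names = b"\x00".join(KNOWN_APIS[:4]) + b"\x00"
    return b"junk" + sled + peb + ldr + xor_bytes(names, 0xFF)

def find_nop_sled(data: bytes, min_len: int = 20):
    """(offset, length) of every run of at least min_len 0x90 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % min_len, data)]

def find_peb_access(data: bytes):
    """(offset, disassembly) for every fs:[0x30] read pattern found."""
    hits = []
    for pattern, asm in PEB_FS30.items():
        idx = data.find(pattern)
        while idx != -1:
            hits.append((idx, asm))
            idx = data.find(pattern, idx + 1)
    return sorted(hits)

def find_xor_encoded_apis(data: bytes):
    """Brute-force every single-byte key (key 0 is plaintext) and report
    (key, offset, name) for each known API name that appears."""
    hits = []
    for key in range(1, 256):
        decoded = xor_bytes(data, key)
        for name in KNOWN_APIS:
            idx = decoded.find(name)
            while idx != -1:
                hits.append((key, idx, name.decode()))
                idx = decoded.find(name, idx + 1)
    return hits

def ror13(v: int) -> int:
    return ((v >> 13) | (v << 19)) & 0xFFFFFFFF

def msf_api_hash(module: str, function: str) -> int:
    """Metasploit block_api-style ROR13 hash: the module name as upper-case
    UTF-16LE including its terminator, plus the ASCII function name with its
    terminator; each byte is rotated in then added, modulo 2**32."""
    h = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h = (ror13(h) + b) & 0xFFFFFFFF
    mod_hash = h
    h = 0
    for b in function.encode("ascii") + b"\x00":
        h = (ror13(h) + b) & 0xFFFFFFFF
    return (mod_hash + h) & 0xFFFFFFFF

def analyze(data: bytes) -> dict:
    return {
        "nop_sleds": find_nop_sled(data),
        "peb_access": find_peb_access(data),
        "xor_apis": find_xor_encoded_apis(data),
    }

if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(key, value)
    print("kernel32!LoadLibraryA hash: 0x%08X"
          % msf_api_hash("kernel32.dll", "LoadLibraryA"))
```

The XOR scan brute-forces all 255 keys rather than assuming 0xFF, so it also catches the same strings under a different single-byte key; the hash routine lets an analyst turn the constants embedded in a ROR13 resolver back into API names by hashing a candidate list and comparing.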

Heuristics (8)

  • OLE_EPRINT_EMF_OBJECT (high, CVE related): Office EPRINT stream contains EMF object
    The OLE ObjectPool contains an EPRINT stream carrying EMF data. This is rare in benign documents and, paired with the Office exploit payload anomalies below, is evidence of the CVE-2007-3893/MS07-046 family, but this rule alone does not prove a malformed EMF record.
  • SC_XOR_ENCODED (critical): XOR-encoded strings (key 0xFF)
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess', 'CreateFileA', 'OpenProcess', 'ShellExecuteA', 'ShellExecuteA' (the last name occurs twice). The set is consistent with a loader that resolves its own imports, writes a file and launches it via ShellExecuteA.
  • SC_NOP_SLED (high): NOP sled detected
    Found 20 or more consecutive 0x90 (NOP) bytes, the padding that lets an imprecise control-flow hijack land on the shellcode.
  • SC_PEB_ACCESS (high): PEB access via FS segment (x86)
    Code reads the Process Environment Block through the FS segment (fs:[0x30] on 32-bit Windows), the first step position-independent shellcode takes to locate loaded modules without an import table.
  • SC_API_HASH_RESOLVER (high): PEB API-hash resolver
    The PEB access is followed by ROR13-style hashing of export names, a common position-independent shellcode import resolver; the hashes are compared against constants embedded in the shellcode instead of plaintext API strings.
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    The OLE file is 205,045 bytes but its declared streams total only 61,092 bytes, so 143,953 bytes (70%) lie in unallocated sector slack. This is the canonical hiding place for payloads in legacy binary-format Office exploit documents: XOR-encoded shellcode reached through a pointer-corruption bug in the document parser.
  • OLE_APPENDED_PAYLOAD (high): OLE file has appended executable-looking payload bytes
    The compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • OLE_RAW_SHELLCODE_PAYLOAD (high): OLE file contains raw shellcode-like resolver payload
    The malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
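The slack measurement behind OLE_SLACK_ANOMALY and OLE_APPENDED_PAYLOAD, as an added example that is not the report's own tooling. A minimal CFB v3 container with one stream is constructed in memory, a fake payload is appended after its last allocated sector, and the parser then compares the declared stream bytes against the file size. The stream name, the sizes and the trailing bytes are assumptions chosen for the demonstration; nothing here is data from the analysed sample, and the parser reads only the 109 DIFAT slots in the header (enough for files under about 7 MB).

```python
"""Added example: measure OLE compound-file slack. Constructed data only."""
import struct

SECTOR = 512
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def dir_entry(name, obj_type, start, size, child=NOSTREAM):
    """128-byte directory entry; the size field is written v3 style (low 32 bits)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sI8s8sII", raw.ljust(64, b"\x00"), len(raw),
                       obj_type, 1, NOSTREAM, NOSTREAM, child, b"\x00" * 16, 0,
                       b"\x00" * 8, b"\x00" * 8, start, size) + b"\x00" * 4

def build_sample(stream_len=4608, trailing_len=3000):
    """Constructed container: header, FAT (sector 0), directory (sector 1),
    one 'WordDocument' stream in sectors 2.., then bytes the FAT never allocates."""
    n_data = -(-stream_len // SECTOR)
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_data - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (SECTOR // 4 - len(fat))
    header = (MAGIC + b"\x00" * 16 +
              struct.pack("<HHHHH6sIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                          0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0) +
              struct.pack("<109I", 0, *([FREESECT] * 108)))
    directory = (dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1) +
                 dir_entry("WordDocument", 2, 2, stream_len) + b"\x00" * 256)
    data = b"W" * stream_len
    data += b"\x00" * (n_data * SECTOR - len(data))
    return header + struct.pack("<128I", *fat) + directory + data + b"\xcc" * trailing_len

def sector(data, index, size):
    off = (index + 1) * size        # sector 0 starts right after the 512-byte header
    return data[off:off + size]

def ole_slack_report(data: bytes) -> dict:
    if data[:8] != MAGIC:
        raise ValueError("not a compound file")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []                         # header DIFAT only; DIFAT sectors are not followed
    for loc in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        fat += struct.unpack_from("<%dI" % (sec // 4), sector(data, loc, sec))
    streams, seen, cur = {}, set(), first_dir
    while cur != ENDOFCHAIN and cur not in seen and cur < len(fat):
        seen.add(cur)
        blk = sector(data, cur, sec)
        if len(blk) < sec:
            break
        for off in range(0, sec, 128):
            entry = blk[off:off + 128]
            if entry[0x42] == 2:                          # stream object
                name = entry[:max(entry[0x40] - 2, 0)].decode("utf-16-le")
                size = struct.unpack_from("<Q", entry, 0x78)[0]
                if sec == 512:
                    size &= 0xFFFFFFFF                    # v3: high dword is undefined
                streams[name] = size
        cur = fat[cur]
    declared = sum(streams.values())
    last_alloc = max(i for i, v in enumerate(fat) if v != FREESECT)
    container_end = (last_alloc + 2) * sec
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": declared,
        "unaccounted_bytes": len(data) - declared,
        "unaccounted_pct": round(100 * (len(data) - declared) / len(data), 1),
        "bytes_after_last_sector": max(0, len(data) - container_end),
    }

if __name__ == "__main__":
    for key, value in ole_slack_report(build_sample()).items():
        print(key, value)
```

The "unaccounted" figure uses the report's own formula (file size minus declared stream sizes), which also counts header, FAT and directory sectors as slack; "bytes_after_last_sector" is the stricter measure of data the FAT never allocates, which is where an appended payload actually sits. Applied to the report's numbers, 205,045 minus 61,092 gives the 143,953 bytes (70%) the rule cites.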