Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 0d2850ce3c10eb2d…

MALICIOUS

Office (OLE) / .SEN

Size: 94.5 KB
Created: 2006-08-28 13:40:00
Authoring application: Microsoft Word 9.0
MD5: a92c4d4ee34cb3f9a650cb29669178b5
SHA-1: 1a7190c42d2abcdc3b8d9e8621295b4b353789c4
SHA-256: 0d2850ce3c10eb2d8ae6927a52ec8134f894c0d1bb80a037b6cac1e9248a1fcb
Risk Score: 100

Malware Insights

The sample is an OLE document with a large amount of slack space, which points to obfuscated or packed content. The critical heuristic for XOR-encoded strings (single-byte key 0x92) further supports the presence of hidden or encoded malicious code. Although no document body content or scripts could be clearly extracted, these indicators strongly suggest a malicious document built to conceal its true purpose, most likely the execution of further malicious code.

Heuristics (2)

  • XOR-encoded strings (key 0x92) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 96,768 bytes but its declared streams total only 23,704 bytes — 73,064 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).