Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 1424ee83a42e2a50…

Verdict: MALICIOUS

File type: Office (OLE) / .SEN

Size: 78.5 KB | Created: 2004-04-05 00:54:00 | Authoring application: Microsoft Word 10.0
MD5:     c33a06481aa76c3daa47c194701c82c4
SHA-1:   3168d0d21349c64e20c5c7fbd1bedbbf091fa7d4
SHA-256: 1424ee83a42e2a50e6d22112a6de99ac63e1c86bcaa534a548f44530c603ea5d
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

ClamAV identifies the sample as malicious, and an embedded PE executable was carved from the document body. The VBA macro contains no explicit download or shell-execution commands, but it references the CreateProcess, LoadLibrary, and GetProcAddress APIs, which together are the classic combination for resolving and running code at runtime. Taken with the embedded executable, this points to a macro-based dropper or loader that extracts and runs a payload carried inside the document itself rather than one fetched from the network; the carved executable is itself flagged by ClamAV (see the extracted artifacts below).

Heuristics (8)

  • [critical] OLE_EMBEDDED_EXE: Embedded PE executable
    MZ/PE header found inside the document; possible embedded executable.
  • [critical] CLAMAV_DETECTION: ClamAV: Doc.Trojan.1Table-1
    ClamAV detected this file as malware (signature Doc.Trojan.1Table-1).
  • [critical] EXTRACTED_FILE_CLAMAV: ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • [high] SC_STR_CREATEPROCESS: Reference to CreateProcess API
    The string "CreateProcess" appears in the sample (process creation).
  • [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API
    The string "LoadLibrary" appears in the sample (runtime module loading).
  • [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API
    The string "GetProcAddress" appears in the sample (runtime symbol resolution, typically paired with LoadLibrary to avoid static imports).
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
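The three SC_STR_* heuristics above are string matches, so a practitioner re-triaging the decoded macro source will want to know whether the API names come from real `Declare` statements (the macro can actually call them) or only from string fragments. The script below is an added example written for this report, not the analysis platform's own code and not the carved macros.bas; the VBA it scans is constructed here to mimic the pattern the summary describes (Win32 API declarations, an auto-executing entry point, no download or shell commands). The heuristic IDs reuse the report's names; the auto-exec and download/exec term lists are the author's assumptions.

```python
"""Static triage of decoded VBA source: API declarations, auto-exec entry points, download/exec terms.

Added example; not the platform's own heuristic engine. Heuristic IDs mirror the
report, the indicator lists below are assumptions chosen for illustration.
"""
import re

# Constructed sample (NOT the macros.bas carved from this document).
SAMPLE_VBA = r'''
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" (ByVal lpAppName As String, ByVal lpCmdLine As String, ByVal lpPA As LongPtr, ByVal lpTA As LongPtr, ByVal bInherit As Long, ByVal dwFlags As Long, ByVal lpEnv As LongPtr, ByVal lpDir As String, lpSI As Any, lpPI As Any) As Long
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr

Sub AutoOpen()
    Dim h As LongPtr, p As LongPtr
    h = LoadLibraryA("kernel32.dll")
    p = GetProcAddress(h, "CreateProcessA")
End Sub
'''

# API name -> (heuristic id as used in the report, severity)
API_INDICATORS = {
    "CreateProcess": ("SC_STR_CREATEPROCESS", "high"),
    "LoadLibrary": ("SC_STR_LOADLIBRARY", "high"),
    "GetProcAddress": ("SC_STR_GETPROCADDRESS", "high"),
}
# Assumed lists: common auto-exec procedure names and explicit download/exec terms.
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "Auto_Open", "Document_Open", "Workbook_Open")
DOWNLOAD_EXEC_TERMS = ("URLDownloadToFile", "XMLHTTP", "WinHttp", "Shell", "WScript.Shell", "PowerShell")

# Matches: [Public|Private] Declare [PtrSafe] Function|Sub <name> Lib "<lib>" [Alias "<alias>"]
DECLARE_RE = re.compile(
    r'^\s*(?:Public|Private)?\s*Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)


def triage_vba(src: str) -> dict:
    """Return declared APIs, string-level API hits, auto-exec entry points and download/exec terms."""
    declares = [
        {"name": m.group(1), "lib": m.group(2), "alias": m.group(3)}
        for m in DECLARE_RE.finditer(src)
    ]
    # Names the macro can actually call: the declared name and any exported alias.
    callable_names = {d["name"].lower() for d in declares} | {
        d["alias"].lower() for d in declares if d["alias"]
    }
    api_hits = []
    for api, (hid, severity) in API_INDICATORS.items():
        if re.search(re.escape(api), src, re.IGNORECASE):            # string-level match, like SC_STR_*
            via_declare = any(api.lower() in n for n in callable_names)
            api_hits.append({"id": hid, "severity": severity, "api": api, "via_declare": via_declare})
    autoexec = [n for n in AUTOEXEC_NAMES if re.search(r"\bSub\s+" + re.escape(n) + r"\b", src, re.IGNORECASE)]
    download_exec = [t for t in DOWNLOAD_EXEC_TERMS if re.search(r"\b" + re.escape(t) + r"\b", src, re.IGNORECASE)]

    if api_hits and not download_exec:
        assessment = "runtime API resolution/process creation without download or shell terms: loader/dropper pattern"
    elif download_exec:
        assessment = "explicit download/exec terms present: downloader pattern"
    else:
        assessment = "no process/loader indicators"
    return {
        "declares": declares,
        "api_hits": api_hits,
        "autoexec": autoexec,
        "download_exec_terms": download_exec,
        "assessment": assessment,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_vba(SAMPLE_VBA), indent=2))
```

The `via_declare` flag is the detail the plain string heuristic lacks: an API name that appears only inside a string literal (as "CreateProcessA" does in the sample's GetProcAddress call) is weaker evidence than one bound by a `Declare` statement, and recording both lets the analyst weigh the hit accordingly.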

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 2a758fcc03dd3cd254ef2047dfa75b30c478ff6a2f15e171b66b4521c04fa715
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source)
  Size:    559 bytes

Filename: embedded_office_00010200.exe
  SHA-256: 2c470aedbdc7329545e42da772f04ee97f981db9f451f0f2d8d19233b76add6d
  Kind:    embedded-pe
  Source:  Office MZ+PE at offset 0x10200
  Size:    14336 bytes
  Detection: ClamAV: Win.Spyware.25289-1
  Obfuscation or payload: likely. Carved artifact entropy is 7.46, consistent with packed or encrypted content.
  Consistency check: 0x10200 (66048) + 14336 = 80384 bytes = 78.5 KB, the reported document size, so the executable occupies the tail of the file and was most likely appended to the document rather than stored as an OLE stream.
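The embedded-pe artifact above was located by an MZ+PE scan, sized, hashed and scored by entropy. The following script is an added example for this report, not the analysis platform's carving code: it finds MZ headers, rejects any whose e_lfanew does not point at a valid "PE\0\0" signature (so stray "MZ" bytes in document text are skipped), sizes the executable from its section table, and reports SHA-256 and Shannon entropy, naming the output the way the report does (offset in hex). The document it scans is constructed inline (an OLE signature, some text containing a decoy "MZ", and a minimal synthetic PE); the 7.0 entropy threshold is an assumed rule of thumb, not a value from the report.

```python
"""Carve embedded PE executables from a document blob and score them.

Added example; not the platform's carving code. Assumed: 7.0 bits/byte as the
packed/encrypted threshold, and a minimal synthetic PE as the test document.
"""
import hashlib
import math
import struct
import sys

MZ = b"MZ"
PE_SIG = b"PE\0\0"
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: common triage rule of thumb


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_size_at(buf: bytes, off: int):
    """On-disk size of a PE starting at buf[off], or None if the headers do not parse or are truncated."""
    if buf[off:off + 2] != MZ or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != PE_SIG:
        return None                                     # decoy "MZ": no PE signature behind it
    nsections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    if opt_size < 64:
        return None
    # SizeOfHeaders is at offset 60 of the optional header for both PE32 and PE32+.
    end = struct.unpack_from("<I", buf, pe + 24 + 60)[0]
    sect = pe + 24 + opt_size
    for i in range(nsections):
        s = sect + i * 40
        if s + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    if end == 0 or off + end > len(buf):
        return None                                     # section data runs past the end: truncated
    return end


def carve_embedded_pe(buf: bytes) -> list:
    """Scan for MZ headers, keep those that parse as a PE, return carved blobs with metadata."""
    found = []
    pos = buf.find(MZ)
    while pos != -1:
        size = pe_size_at(buf, pos)
        if size is None:
            pos = buf.find(MZ, pos + 1)
            continue
        blob = buf[pos:pos + size]
        ent = shannon_entropy(blob)
        found.append({
            "name": f"embedded_office_{pos:08x}.exe",       # same naming scheme as the report
            "offset": pos, "size": size,
            "sha256": hashlib.sha256(blob).hexdigest(),
            "entropy": round(ent, 2),
            "packed_or_encrypted": ent >= PACKED_ENTROPY_THRESHOLD,
            "data": blob,
        })
        pos = buf.find(MZ, pos + size)                  # do not rescan inside the carved PE
    return found


def build_minimal_pe() -> bytes:
    """Constructed 1024-byte PE32 with one section; just enough structure for the parser (not real code)."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, 224-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                            # SizeOfHeaders
    sect = bytearray(40)
    sect[0:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)   # VirtualSize, VA, SizeOfRawData, PointerToRawData
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + bytes(sect)).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2                            # uniform section data (entropy 8.0)


# Constructed document: OLE signature, padded header, text with a decoy "MZ", then the PE appended at the tail.
DOC_PREFIX = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 504
              + b"1Table stream text: MZ mentioned in prose is not a PE\0" + b"\0" * 200)
SAMPLE_DOC = DOC_PREFIX + build_minimal_pe()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    for a in carve_embedded_pe(data):
        print(f"{a['name']}  offset=0x{a['offset']:x}  size={a['size']}  sha256={a['sha256']}  "
              f"entropy={a['entropy']}  packed_or_encrypted={a['packed_or_encrypted']}")
```

Run it against a real document with `python carve.py sample.doc`; the decoy handling matters in practice because "MZ" is a common byte pair and a scanner that carves on every hit produces junk artifacts. Entropy is computed over the whole carved executable, headers included, which is why a packed binary such as the one in this report lands at 7.46 rather than at the 8.0 of its encrypted sections alone.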