Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 581f3fa508bc43f7…

MALICIOUS

Office (OLE) / .SEN

Size: 54.0 KB
Created: 2006-08-28 13:40:00
Authoring application: Microsoft Word 9.0
MD5: 8e6419f3db124a98fd1c9cbc8166b2d7
SHA-1: fbe59e0683de0fec7d631b892762308075a1ee79
SHA-256: 581f3fa508bc43f718ad3c446f178e13b3c5b87b8d1a8aace1c2c456cab84b35
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The sample is a Microsoft Word document that exhibits an OLE slack anomaly and contains XOR-encoded strings, indicating obfuscation. Together these indicators suggest an attempt to exploit a vulnerability in the document parser itself, likely leading to arbitrary code execution when the file is opened. No specific malware family could be identified, and no scripts were extracted for further analysis.

Heuristics (2)

  • XOR-encoded strings (key 0x92) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 55,296 bytes, but its declared streams total only 23,704 bytes; the remaining 31,592 bytes (57%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).