Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 59bb6ac165d6a246…

MALICIOUS

Office (OLE) / .SEN

103.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: acf3ea2c019703659de96ea3da978ad7 SHA-1: a7ac810d26ee6944e973fb889d9e16af283bc5be SHA-256: 59bb6ac165d6a246182eec44320d92c140711ac2eb0303760f2a79a975a59096
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file is an OLE document with significant slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate XOR-encoded strings and PEB access, common in malware. The document body contains references to embedded Excel and PowerPoint objects, further supporting the idea of a malicious container. No specific family could be identified.

Heuristics 3

  • XOR-encoded strings (key 0xEE) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xEE: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 105,897 bytes but its declared streams total only 61,092 bytes — 44,805 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.