Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 7a39088dbc37bf0d…

MALICIOUS

Office (OLE) / .SEN

106.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: c11ea2579c2c343c741665111a36da4e SHA-1: 1a4d01cb921172a413b62744a08851617877b573 SHA-256: 7a39088dbc37bf0ddf62a435eda30ae64d8b00f40e28f505139bdcdfa0b5bb08
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file is identified as malicious due to several heuristic firings, including PEB access, XOR-encoded strings, and OLE slack anomalies. The presence of embedded objects like Excel and PowerPoint within the document body, combined with the large slack space, indicates a potential for steganography or payload hiding. No specific family could be identified, and no external IOCs were extracted.

Heuristics 3

  • XOR-encoded strings (key 0x81) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess', 'CreateFileA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 108,789 bytes but its declared streams total only 61,092 bytes — 47,697 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.