Office (OLE) / .SEN malware analysis — malicious · 7f2ddc03b90d9f34

MALICIOUS

Office (OLE) / .SEN

79.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: fbff3385da4ba4ba1df43056bf3a0daa SHA-1: 02a3fed0080a92cb86363b30ab4282a669a7fc03 SHA-256: 7f2ddc03b90d9f342a132bcfd52c61c2c91cb2b6f7572e9246e85d668b98f5e1

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The file is identified as malicious with several high-severity heuristic firings, including a NOP sled and XOR-encoded strings with a key of 0xFF. The OLE document also shows a significant slack space anomaly. While no specific document body content or scripts were provided for direct analysis of user-facing lures, the presence of embedded URLs and the nature of the heuristics suggest a malicious document designed to execute further stages, possibly involving encoded payloads.

Heuristics 3

XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'CreateProcessA', 'CreateProcessA', 'ExitProcess'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 81,412 bytes but its declared streams total only 25,474 bytes — 55,938 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.