Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 8a5eb50865ba8202…

MALICIOUS

Office (OLE) / .SEN

115.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: f77289972a8bf1ace77cab592e924224 SHA-1: a44c4c038e18e77a3f38353e1ac0f3c0613b03d6 SHA-256: 8a5eb50865ba8202593f60bb5c3bf1f5e620968f874f998973e6c652fa2d2b69
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is an OLE document with significant slack space and embedded OLE objects, indicating it may be a container for malicious content. Heuristics indicate PEB access and XOR-encoded strings, common in malware. No document body or script content was available for further analysis, limiting the ability to determine the specific attack pattern or family.

Heuristics 3

  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 118,248 bytes but its declared streams total only 61,092 bytes — 57,156 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.