Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 9c8f3b682c140784…

MALICIOUS

Office (OLE) / .SEN

Size: 152.5 KB (156,160 bytes)
Created: 2005-12-08 02:12:00
Authoring application: Microsoft Word 10.0
MD5: a43206dba00ddf6816f8f1ad69dc62c6
SHA-1: 2e32fe56f25e0a68b3090e4f252cf45aeb356bae
SHA-256: 9c8f3b682c140784db4d1765b9cb3fff329b12936c78a2c634210689d0b401e5
Risk score: 108

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The strongest indicators are structural rather than script-based. Eight Windows library and API names ('kernel32.dll', 'advapi32.dll', 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', some of them twice) are present XOR-encoded with the single-byte key 0xFF, and 63,906 bytes (41% of the file) lie outside any declared OLE stream. Taken together these are consistent with shellcode hidden in OLE slack that resolves its own imports at run time, the usual construction of pre-macro-era Office exploit documents, and not with a plain document. The VBA project contains no executable statements, so macros are not the delivery mechanism, and no script was extracted, so the exact trigger (which parser bug, which stream) cannot be determined from static analysis alone; the ATT&CK mapping to T1059.001 (PowerShell) is not supported by any finding listed on this page. The single URL points to mofcom.gov.cn, the PRC Ministry of Commerce, and the document body discusses China's development strategy, so the link is most plausibly a citation inside the decoy text rather than a payload location; treat it as context, not as an indicator. The authoring application (Microsoft Word 10.0, i.e. Word 2002) and the 2005 creation timestamp fit the same era.

Heuristics (4)

  • XOR-encoded strings (key 0xFF) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'advapi32.dll', 'wininet.dll', 'KERNEL32.DLL', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress'. This is the import set of position-independent shellcode that locates kernel32, resolves LoadLibraryA/GetProcAddress and then pulls in wininet for a download; the repeated names suggest more than one copy or stage of the loader.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 156,160 bytes but its declared streams total only 92,254 bytes; the remaining 63,906 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). On its own the slack figure is only a heuristic, since documents that were edited and saved repeatedly also leave freed sectors behind; it becomes a strong signal in combination with the XOR-encoded API names above.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://pk2.mofcom.gov.cn/article/chinanews/200602/20060201511502.html
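The two heuristics above are the checks a practitioner would want to reproduce by hand. The following Python is an added worked example, not the scanner's code and not derived from this sample: it builds a small constructed compound file with the same two traits, reads the header, FAT and directory to compare the declared stream sizes against the file size and to list the sectors the FAT marks free, and then sweeps those free sectors for the flagged API names under every single-byte XOR key (not only 0xFF, so an unknown key is found too). The sample file, its 'WordDocument' stream and the embedded payload are constructed; the parser assumes a version-3 compound file (512-byte sectors) with a single FAT sector and ignores the mini stream, which is sufficient for the size comparison but not for extracting stream contents.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
# Names the report flagged; both cases are listed because both were observed.
API_NAMES = [b"kernel32.dll", b"KERNEL32.DLL", b"advapi32.dll", b"wininet.dll",
             b"LoadLibraryA", b"GetProcAddress"]


def _dirent(name, typ, child, start, size):
    """One 128-byte directory entry (MS-CFB 2.6.1); sibling links unused."""
    n = name.encode("utf-16-le") + b"\x00\x00"
    return (n.ljust(64, b"\x00")
            + struct.pack("<HBBIII", len(n), typ, 1, FREESECT, FREESECT, child)
            + b"\x00" * 36                       # CLSID, state bits, ctime, mtime
            + struct.pack("<IQ", start, size))


def build_sample_ole(payload):
    """Constructed sample (not the real file). 512-byte sectors: 0 = FAT, 1 = directory,
    2 = a 300-byte 'WordDocument' stream, 3..5 = sectors the FAT marks FREESECT but which
    still hold `payload` (the mini stream is skipped for simplicity)."""
    sec = 512
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (sec // 4 - 3)
    header = (OLE_MAGIC + b"\x00" * 16
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<I", 0) + b"\xFF" * (4 * 108))      # DIFAT: FAT at sector 0
    directory = (_dirent("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + _dirent("WordDocument", 2, FREESECT, 2, 300)).ljust(sec, b"\x00")
    stream = b"Decoy body text about a development strategy.".ljust(sec, b"\x00")
    return header + struct.pack("<128I", *fat) + directory + stream + payload.ljust(3 * sec, b"\x00")


def ole_streams_and_free_sectors(blob):
    """Parse header, FAT and directory chain. Returns ({stream name: declared size},
    [sector numbers marked FREESECT that are nevertheless present in the file])."""
    if blob[:8] != OLE_MAGIC:
        raise ValueError("not a compound file")
    sec = 1 << struct.unpack_from("<H", blob, 30)[0]
    first_dir = struct.unpack_from("<I", blob, 48)[0]
    fat_sector = struct.unpack_from("<I", blob, 76)[0]   # first DIFAT slot (assumes one FAT sector)
    sector = lambda n: blob[(n + 1) * sec:(n + 2) * sec]
    fat = struct.unpack("<%dI" % (sec // 4), sector(fat_sector))
    streams, n = {}, first_dir
    while n != ENDOFCHAIN:
        for off in range(0, sec, 128):
            ent = sector(n)[off:off + 128]
            nlen, typ = struct.unpack_from("<HB", ent, 64)
            if typ == 2:                                  # 2 = stream object
                name = ent[:max(nlen - 2, 0)].decode("utf-16-le")
                streams[name] = struct.unpack_from("<Q", ent, 120)[0]
        n = fat[n]
    n_sectors = (len(blob) - sec) // sec
    free = [i for i in range(n_sectors) if fat[i] == FREESECT]
    return streams, free


def xor_sweep(data, base=0, needles=API_NAMES, keys=range(256)):
    """Try every single-byte XOR key against known API/library names.
    Returns (key, absolute offset, name); key 0x00 hits are plaintext, reported so the
    caller can tell decoy text from hidden code."""
    hits = []
    for key in keys:
        for needle in needles:
            enc = bytes(b ^ key for b in needle)
            pos = data.find(enc)
            while pos != -1:
                hits.append((key, base + pos, needle.decode()))
                pos = data.find(enc, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def analyze(blob):
    """Slack check plus XOR sweep restricted to the unallocated sectors."""
    sec = 1 << struct.unpack_from("<H", blob, 30)[0]
    streams, free = ole_streams_and_free_sectors(blob)
    declared = sum(streams.values())
    hits = []
    for i in free:
        hits += xor_sweep(blob[(i + 1) * sec:(i + 2) * sec], base=(i + 1) * sec)
    return {"file_size": len(blob), "declared": declared,
            "slack_ratio": round(1 - declared / len(blob), 3),
            "free_sectors": free, "hits": hits}


# Constructed payload: NOP sled around 0xFF-XORed import names, as the report describes.
SAMPLE = build_sample_ole(
    b"\x90" * 16
    + bytes(b ^ 0xFF for b in b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00")
    + b"\x90" * 8)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the real sample the same comparison would report the 63,906-byte gap and the sweep over free sectors would show where the 0xFF-encoded names sit; the ratio alone is only a pointer to where to look, and it is the presence of an import-resolution string set inside slack that turns it into a finding.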

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a7e5a0de56c8a139e544a9557a6651d472a02fe8f7a377b4f1e01dab645f7feb
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 363 bytes