Malicious Office (OLE) / .SEN — malware analysis report

Static analysis result for SHA-256 ca0c2db30393c908…

MALICIOUS

Office (OLE) / .SEN

Size: 111.6 KB | Created: 2006-04-29 01:29:00 | Authoring application: Microsoft Office Word
MD5: 366a79bc1f61f7e1981d3b07066aa0b5
SHA-1: c909e38197c31539e88c841e6163c8d9008fbc99
SHA-256: ca0c2db30393c90821924888ec6b6a64c15b31ede4481992d54176dff1db880e
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file exhibits characteristics of a malicious OLE document, including a significant amount of slack space and the presence of NOP sleds. Heuristics indicate the use of Windows API functions such as CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, which are commonly employed by malware to load and execute payloads. The exact nature of the payload is not discernible from the provided evidence, leading to an unknown family classification and moderate confidence.

Heuristics (6)

  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 114,274 bytes but its declared streams total only 26,783 bytes; the remaining 87,491 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API