Office (OLE) / .SEN malware analysis — malicious · fa84c46931434a1a

MALICIOUS

Office (OLE) / .SEN

136.3 KB Created: 2005-06-29 18:14:00 Authoring application: Microsoft Word 10.0

MD5: e70f7ea60fe3d3dd1a79ebfed54b8b8e SHA-1: aa858def16dad9256eaafcd854e1744881dcb003 SHA-256: fa84c46931434a1a1f57bf3350810d353dcbc2f7376199be911975d172ac9f91

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1055 Process Injection

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded content. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting the loading and execution of dynamic code. The document body is heavily corrupted, but the presence of these API calls strongly implies an attempt to exploit a vulnerability and download a secondary payload. The SHA256 hash is included as a primary IOC.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 139,554 bytes but its declared streams total only 20,632 bytes — 118,922 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.