Doc.Trojan.CrazyMan-1 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 2e31a31dd9c95c7d…

MALICIOUS

Office (OLE) / .DOC

33.5 KB
Created: 2005-01-19 21:41:00
Authoring application: Microsoft Word 8.0
MD5: 3ab9187a5c16acf7fede723ff6cb8021
SHA-1: 20de7bb8358bc8d91331e14e136425f7e9b76149
SHA-256: 2e31a31dd9c95c7ddaa5441fc98658fce8a47dd183fb923dc851be6c8ee37ad4
160 Risk Score

Malware Insights

Doc.Trojan.CrazyMan-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing VBA macros, including AutoOpen and Auto_Close macros. ClamAV detects it as Doc.Trojan.CrazyMan-1. The AutoOpen and Auto_Close macros indicate an attempt to execute malicious code automatically when the document is opened or closed, a common technique for delivering secondary payloads.

Heuristics 4

  • ClamAV: Doc.Trojan.CrazyMan-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.CrazyMan-1
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (141ceb3e4f927e65d0c4aba987df4a6902e3ea721aad4d45f5b757ef24dc3a3a)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3113 bytes