Win.Trojan.Candyman-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 a9381d250debe791…

MALICIOUS

Office (OLE)

36.5 KB Created: 2027-12-31 00:00:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: 978483a33375b2b7afd536514377e7dd SHA-1: aaed3ad938eaf8625e174502fe67c066d500f900 SHA-256: a9381d250debe791ac3da52af6b1590d7ea1517d6a08fe53a77ed757dea896dc
80 Risk Score

Malware Insights

Win.Trojan.Candyman-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as Win.Trojan.Candyman-3 by ClamAV. It contains legacy WordBasic macros, specifically triggering on AutoClose and AutoOpen events. These macros likely execute malicious commands, as indicated by the presence of file paths like 'c:\sysclose.bat' and 'C:\sysboot.scr', and a suspicious domain 'N dya.com'.

Heuristics 2

  • ClamAV: Win.Trojan.Candyman-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Candyman-3
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.