Win.Trojan.Pivis-2 — Office (OLE) / .EXE malware analysis

Static analysis result for SHA-256 6602e2a5e5351d91…

MALICIOUS

Office (OLE) / .EXE

52.5 KB Created: 1998-07-16 03:41:00 Authoring application: Microsoft Word 8.0
MD5: f99d21cd98489efff3dd612db3fd1ad1 SHA-1: 4dcdcc0fae816623ca0558820fe7843f3ebb2510 SHA-256: 6602e2a5e5351d917bd83ba0f228e91c3f574af7c2ea5df53328324418b6b2b5
120 Risk Score

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The file is identified as malicious by ClamAV with the signature Win.Trojan.Pivis-2. Static analysis reveals the presence of VBA macros, specifically an Auto_Close macro, which is a common technique for executing malicious code upon document closure. The macro attempts to export itself to 'c:\TiebugXISR.sys', indicating a potential payload delivery or execution mechanism.

Heuristics 3

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b457d53311d60a05554c979d3486e5ea1de31928ba72fdf498c7566ee8145778		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 46971 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.