
SANS ISC: InfoSec Handlers Diary Blog



Maldoc VBA Sandbox/Virtualization Detection

Published: 2015-03-14
Last Updated: 2015-03-14 12:04:53 UTC
by Didier Stevens (Version: 1)
8 comment(s)

As could be expected, we witness an arms race when observing the evolution of VBA malicious documents. First the VBA code was trivially simple (download and execute), then obfuscation was added (strings and code), and now we see more attempts to evade detection.

I analyzed a maldoc sample (.xls 77f3949c2130b268bb18061bcb483d16) that tries to detect sandboxes and virtualization (and aborts if found).

Here's part of the code:

' Each probe returns True when the named sandbox or VM is detected;
' the bare End statement then terminates the macro before any payload runs.
If IsSandBoxiePresent(1) = True Then End
If IsAnubisPresent(1) = True Then End
If IsVirtualPCPresent = True Then End
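The abort-on-probe construct shown above is easy to spot mechanically once the VBA has been extracted (for example with oledump or olevba). The helper below is an added example, not part of this diary or of Didier's tools: it scans VBA source text for `If <probe>(...) = True Then End` lines and labels the probe by the sandbox or VM name in its identifier. The sample macro is constructed from the three lines quoted in the diary.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three checks quoted in the diary plus filler lines.
SAMPLE_VBA = """Sub Auto_Open()
    Dim s As String
    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
    s = "http://" & "example" & ".invalid/payload"
End Sub
"""

# Substrings that commonly name an analysis environment inside a probe function.
EVASION_HINTS = ("sandbox", "sandboxie", "anubis", "virtualpc",
                 "vmware", "virtualbox", "vbox", "wine", "debugger")

# Matches 'If <ident>[(args)] [= True] Then End' on a single line:
# the macro aborts as soon as the probe reports an analysis environment.
ABORT_RE = re.compile(
    r"^\s*If\s+(\w+)\s*(?:\([^)]*\))?\s*(?:=\s*True)?\s*Then\s+End\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def _label(name: str) -> Optional[str]:
    """Return the longest known sandbox/VM hint contained in the identifier."""
    lowered = name.lower()
    return max((h for h in EVASION_HINTS if h in lowered), key=len, default=None)


def find_evasion_checks(vba: str) -> List[Dict[str, object]]:
    """List every abort-on-probe line with its line number, function name and hint."""
    hits = []
    for m in ABORT_RE.finditer(vba):
        name = m.group(1)
        line_no = vba.count("\n", 0, m.start()) + 1
        hits.append({"line": line_no, "function": name, "hint": _label(name)})
    return hits


def summarize(vba: str) -> Dict[str, object]:
    """Triage summary: how many abort probes, and which environments they target."""
    hits = find_evasion_checks(vba)
    return {
        "abort_on_probe": len(hits),
        "named_probes": sorted({h["hint"] for h in hits if h["hint"]}),
    }
```

A non-zero `abort_on_probe` count in a document's macro is itself a strong triage signal, regardless of what the probe functions do internally.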

Keywords: maldoc malware vba