Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment.
The following statements are executed right before the malicious actions begin:
If IsSandBoxiePresent(1) = True Then End
If IsAnubisPresent(1) = True Then End
If IsVirtualPCPresent = True Then End
The presence of SandBoxie can be detected by the successful load of DLL Sbiedll.dll or the presence of string [#] in the Windows’ title. In this sample, the DLL is checked (1).
The presence of Anubis can be detected by checking the serial number of the system drive, checking Windows’ Product ID, checking the name of the application or the user. In this sample, the serial number is checked (1).
The presence of virtualization is detected by enumerating the services\disk and looking for strings “virual”, “vmware” or “vbox”.
With the help of Google, I discovered that the criminals copy/pasted 7 year old code posted on a forum here, here and here. It’s in Spanish, while the Excel document has code page 1251 ANSI Cyrillic.
Didier Stevens 