Didier Stevens

Wednesday 11 March 2015

VBA Maldoc: We Don’t Want No Stinkin Sandbox/Virtual PC

Filed under: Malware — Didier Stevens @ 20:06

Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment.

The following statements are executed right before the malicious actions begin:

    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End

The presence of SandBoxie can be detected by the successful load of DLL Sbiedll.dll or the presence of string [#] in the Windows’ title. In this sample, the DLL is checked (1).

The presence of Anubis can be detected by checking the serial number of the system drive, checking Windows’ Product ID, checking the name of the application or the user. In this sample, the serial number is checked (1).

The presence of virtualization is detected by enumerating the services\disk and looking for strings “virual”, “vmware” or “vbox”.

With the help of Google, I discovered that the criminals copy/pasted 7 year old code posted on a forum here, here and here. It’s in Spanish, while the Excel document has code page 1251 ANSI Cyrillic.

Blog at WordPress.com.