Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment.
The following statements are executed right before the malicious actions begin:
    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
The presence of Sandboxie can be detected by successfully loading the DLL Sbiedll.dll, or by the presence of the string [#] in the window title. In this sample, the DLL load is checked (argument 1).
The presence of Anubis can be detected by checking the serial number of the system drive, checking the Windows Product ID, or checking the name of the application or the user. In this sample, the drive serial number is checked (argument 1).
The presence of virtualization is detected by enumerating services\disk and looking for the strings “virual”, “vmware” or “vbox”.
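As an added example (not code from the sample or from this diary), the following Python scanner flags VBA macro source that carries the evasion checks described above: the Sbiedll.dll load, the [#] title marker, drive serial / Product ID lookups, the services\disk enumeration and the hypervisor strings, plus the "If Is…Present … Then End" abort pattern. The regexes and the embedded macro text are constructed for this example and are not an official ruleset.

```python
import re

# Constructed indicator patterns for the evasion checks this diary describes.
# Names and regexes are assumptions made for this example.
EVASION_INDICATORS = {
    "sandboxie_dll": re.compile(r"sbiedll\.dll", re.IGNORECASE),
    "sandboxie_title_marker": re.compile(r"\[#\]"),
    "drive_serial_check": re.compile(r"VolumeSerialNumber|GetVolumeInformation", re.IGNORECASE),
    "product_id_check": re.compile(r"ProductId", re.IGNORECASE),
    "disk_enum_check": re.compile(r"services\\disk", re.IGNORECASE),
    "hypervisor_strings": re.compile(r"\b(virtual|virual|vmware|vbox)\b", re.IGNORECASE),
    # "If IsXxxPresent(...) = True Then End": abort as soon as an analysis box is seen
    "abort_on_detect": re.compile(r"\bIs\w+Present\b.*\bThen\s+End\b", re.IGNORECASE),
}

# Indicators that probe the environment (as opposed to the abort pattern itself)
ENVIRONMENT_PROBES = {n for n in EVASION_INDICATORS if n != "abort_on_detect"}


def find_evasion_indicators(vba_source: str) -> list:
    """Return the sorted names of every indicator matched in the macro source."""
    return sorted(name for name, pat in EVASION_INDICATORS.items() if pat.search(vba_source))


def is_likely_evasive(vba_source: str) -> bool:
    """Heuristic verdict: an abort-on-detect branch plus at least one environment probe."""
    hits = set(find_evasion_indicators(vba_source))
    return "abort_on_detect" in hits and bool(hits & ENVIRONMENT_PROBES)


# Constructed macro text mimicking the checks described in the diary (not the real sample).
SAMPLE_VBA = r'''
Private Function IsSandBoxiePresent(ByVal mode As Integer) As Boolean
    IsSandBoxiePresent = (LoadLibrary("Sbiedll.dll") <> 0)
End Function
Private Function IsVirtualPCPresent() As Boolean
    Dim k As String
    k = "SYSTEM\CurrentControlSet\Services\Disk\Enum"
    IsVirtualPCPresent = InStr(LCase(ReadReg(k)), "vmware") > 0 Or InStr(LCase(ReadReg(k)), "vbox") > 0
End Function
Sub AutoOpen()
    If IsSandBoxiePresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = 'Sub AutoOpen()\n    MsgBox "Hello"\nEnd Sub\n'

if __name__ == "__main__":
    print(find_evasion_indicators(SAMPLE_VBA), is_likely_evasive(SAMPLE_VBA))
```

The same functions can be run over macro text extracted with a tool such as olevba; a hit on the abort pattern alone is weak, so the verdict requires an environment probe as well.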