Sandbox Evasion

(Stolen from PaFish macro: https://github.com/joesecurity/pafishmacro/blob/master/code.vba)

Check apps for any analysis tools using WMI.

Public Sub checkApps()

    printMsg "[*] WordBasic.AppGetNames ..."
    
    d = False
    tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark")
    Set ws = GetObject("winmgmts:\\.\root\cimv2")
    
    Dim names() As String
    ReDim names(WordBasic.AppCount())
    
    WordBasic.AppGetNames names
    
    For Each n In names
        For Each tn In tns
            If InStr(LCase(n), tn) > 0 Then
                d = True
            End If
        Next
    Next

    If d Then
    
        printMsg "DETECTED"
        
    Else
    
        printMsg "OK"
    End If
    
End Sub

Check how many processes are present

Public Sub checkAppCount()

    printMsg "[*] Checking WordBasic.AppCount() ..."

    If WordBasic.AppCount() < 50 Then
    
        printMsg "DETECTED"
        
    Else
    
        printMsg "OK"
    End If
    
End Sub

Check if the file name has been changed

Public Sub checkPreciseFileName()

    printMsg "[*] Checking Precise Filename ..."
    
    badName = False

  
    If ActiveDocument.Name <> "Pafish.docm" Then
            badName = True
    End If
 
    If badName Then
        
        printMsg "DETECTED"
    Else
        
        printMsg "OK"
    End If
    
End Sub

Check if the file name hash has been changed

Public Sub checkFilenameHash()

    printMsg "[*] Checking Filename Hashname ..."
    
    hexchars = "0123456789abcdef"
    
    c = 0
    
    For i = 1 To Len(ThisDocument.Name)
        s = Mid(LCase(ThisDocument.Name), i, 1)
        
        If InStr(s, hexchars) > 0 Then
            c = c + 1
        End If
        
    Next
    
    If c >= (Len(ThisDocument.Name) - 5) Then
        printMsg "DETECTED"
        
    Else
    
    
        printMsg "OK"
    End If
    
End Sub

Check if the file name has been changed to anything bad

Public Sub checkFilenameBad()

    printMsg "[*] Checking Bad Filename ..."
    
    badName = False
    badNames = Array("malware", "myapp", "sample", ".bin", "mlwr_", "Desktop")

    
    For Each n In badNames
        If InStr(LCase(ActiveDocument.FullName), n) > 0 Then
            badName = True
        End If
    Next
 

    If badName Then
        
        printMsg "DETECTED"
    Else
        
        printMsg "OK"
    End If
    
End Sub

Check if any analysis tasks are present

Public Sub checkTasks()

    printMsg "[*] Checking Application.Tasks.Name ..."

    badTask = False
    badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
    
    For Each Task In Application.Tasks
    
        For Each badTaskName In badTaskNames
            If InStr(LCase(Task.Name), badTaskName) > 0 Then
                badTask = True
            End If
        Next
        
    Next

    If badTask Then
        
        printMsg "DETECTED"
    Else
        
        printMsg "OK"
    End If
    
End Su

Check the number of cores, if the number of cores is less than 3, return false.

Public Sub checkCores()

    printMsg "[*] Checking Win32_Processor.NumberOfCores ..."

    badCores = 0

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
    
    For Each objItem In colItems
    
            If objItem.NumberOfCores < 3 Then
                badCores = True
            End If
        
    Next

    If badCores Then
        
        printMsg "DETECTED"
    Else
        
        printMsg "OK"
    End If
    
End Sub

Check the BIOS for any common virtual machine names:

Public Sub checkBios()

    printMsg "[*] Checking Win32_Bios.SMBIOSBIOSVersion & SerialNumber ..."

    badBios = False
    badBiosNames = Array("virtualbox", "vmware", "kvm")
    
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Bios", , 48)
    
    For Each objItem In colItems
    
        For Each badName In badBiosNames
            If InStr(LCase(objItem.SMBIOSBIOSVersion), badName) > 0 Then
                badBios = True
            End If
            If InStr(LCase(objItem.SerialNumber), badName) > 0 Then
                badBios = True
            End If
        Next
        
    Next

    If badBios Then
        
        printMsg "DETECTED"
    Else
        
        printMsg "OK"
    End If
    
End Sub

Check the username

Public Sub checkUsername()

    printMsg "[*] Checking Win32_ComputerSystem.Username ..."

    badUsername = False
    badUsernames = Array("admin", "malfind", "sandbox", "test")
    
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
    
    For Each objItem In colItems
    
        For Each badName In badUsernames
            If InStr(LCase(objItem.UserName), badName) > 0 Then
                badUsername = True
            End If
        Next
        
    Next

    If badUsername Then
        
        printMsg "DETECTED"
    Else
        
        printMsg "OK"
    End If
    
End Sub

Check the number of recent documents open

Public Sub checkRecentDocs()

    printMsg "[*] Checking Application.RecentFiles.Count ..."

    If Application.RecentFiles.Count < 3 Then
    
        printMsg "DETECTED"
        
    Else
    
        printMsg "OK"
    End If
    
End Sub

PreviousRevert To Legacy Warning in ExcelNextInfo Extraction

Last updated