Pafish for Office Macro

    We have always been fans of the famous Pafish tool by Alberto Ortega. Pafish is a tool to check recent anti-malware-analysis tricks and evasions against your favorite sandbox. Moreover, it enables you to fully study the evasive code. We know that Pafish has helped and still helps to improve sandboxes.

    With payload delivery mechanisms shifting, we thought it would be nice to have a Pafish-like tool for Office documents. Office documents today are one of the most prominent containers used to deliver malicious software. As exploits are getting harder to develop, attackers are using VBA embedded in Office documents to download and install payloads. VBA is well suited for sandbox detection, and we have already seen many evasions in recent samples:

    We have therefore put all known VBA / macro based sandbox checks and evasions into a single Microsoft Office Word document and released this "Pafish Macro" on GitHub today:

    You can download the "Pafish Macro" document here as well.

    We will update the VBA code with new evasions as frequently as possible and are looking forward to contributions!


    New Release: Joe Sandbox 16 out!

    We are proud to release Joe Sandbox 16 today. The release includes Joe Sandbox Mobile 5.0.0 and Joe Sandbox X 2.2.0.

    Since our last release in June we have been working on many different fields to make Joe Sandbox stronger. Here you find a list of the most important features:

    • More than 52 new behavior signatures. Behavior signatures classify and rate the behavior captured during execution. This increases our signature database to a total of 1144 signatures. Many of the signatures reveal evasive behavior, e.g. the Locky evasions:

    • Support for Windows 10 x64. You can now execute malware on the latest Windows 10 x64 operating system. This extends the supported Windows operating systems to: XP, W7, W7x64, W8, W10 and W10 x64, both as virtual machines (VMs) and as physical machines. Furthermore, Joe Sandbox X now supports analysis on El Capitan (10.11).


    • Support for bare metal analysis on Android. Joe Sandbox 16 makes it possible to execute and analyze APKs on real Android phones. In contrast to emulators or VMs, Android phones feature all sensors and hardware devices. Therefore many APKs show their full behavior on a real phone only.

    • Many new anti-evasions. We have improved the stealth of the VMs as well as the simulations on bare metal analysis machines. Check out our previous blog post to learn more about some of the latest ones:

    • Support for many new file extensions. Joe Sandbox 16 newly supports PUB, VSD, MPP, JTD, HWP, ACE, LZH and GZ files.

    • WEB Interface improvements: Full WEB API Python implementation, tagging, brand new analysis download design, new executive report, SHA1 and SHA256 search:

    • New Cookbook command: _JBActivateOfficeActiveX, which automatically clicks on ActiveX elements inside Word or Excel documents:

    In addition we have added the following small features:

    • Multi DEX static analysis for Mobile
    • Fast update
    • New cookbook: accelerate system clock
    • Wscript sleep override
    • New detection status unknown
    • IDA Pro Bridge Plugin for Linux

    While Joe Sandbox 16 was a small major release, we are planning Joe Sandbox 17 (release planned for the end of October) as a big major release with many new analysis features! Stay tuned.

    Will it blend? This is the Question, new Macro based Evasions spotted

    Do you remember the "Will it blend?" YouTube series, where a guy tries to blend anything possible with his magic blender? If not, here is a nice example:

    Today I often feel like being asked "Will it execute?", "Why doesn't it execute?" or "This should execute". Like many other vendors of malware analysis systems, we see an increase in sophisticated evasions designed to prevent dynamic analysis.

    This is especially true for macro malware. Malware embedded in Office documents today is used not only to infect home users but also corporate machines. The VBA obfuscation techniques used in both scenarios are usually very similar: string encryption, randomization of variable and function names, and code redundancy. Since VBA is a full-fledged programming language, it is possible to do practically anything from inside Word, Excel or any other VBA-enabled MS Office application (like the recent Locky variants distributed through MS Publisher files). Today I would like to briefly present two interesting samples that recently came through our lab.

    Powershell, InkPicture_Painted & Zone.Identifier

    The first sample is a DOCX and basically just a simple trojan downloader with a very small footprint. After deobfuscation only a few lines are left, but some of them are quite interesting. The first evasion abuses the :Zone.Identifier alternate data stream (ADS) to verify that the file was indeed downloaded from the Internet (or received by e-mail):

    The :Zone.Identifier check is used to bypass sandboxes that do not propagate the ADS to the submitted files. ADS is a feature of the Windows NTFS file system, and most sandboxes are based on Linux with an EXT file system. EXT does not support ADS, and therefore any alternate data stream is simply dropped when samples are copied.

    The second evasion is probably used to bypass tools that rely on the fact that the payload is usually executed from the AutoOpen() or Document_Open() function. In contrast, this sample starts its execution inside the InkPicture.Painted event:

    It is interesting that InkPicture.Painted also works in PowerPoint, where no AutoOpen() or Document_Open() function exists. We are likely going to see more PowerPoint based macro malware in the near future.

    Apart from that, the sample also checks the number of recently opened files (Application.RecentFiles.Count < 3), an evasion technique which has already been seen a few times in the last months. The main payload is downloaded by a PowerShell snippet executed through the WScript.Shell.Run command:
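    The indicators described for this first sample (the :Zone.Identifier ADS read, the InkPicture.Painted entry point, the RecentFiles.Count check and PowerShell launched through WScript.Shell.Run) are easy to turn into a small triage scanner for deobfuscated macro source. The following Python is an added example written for this post; it is not code from the sample or from Joe Sandbox, and the signature names, the weights and the macro text it scans are all constructed here.

```python
import re
from dataclasses import dataclass


# Signature set for the evasions discussed above (constructed; not Joe Sandbox's
# signature database). It expects DEOBFUSCATED macro source, since the raw
# samples hide these strings behind string encryption.
@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern
    weight: int          # assumed weights, only used to rank findings
    note: str


INDICATORS = [
    Indicator("zone_identifier_ads", re.compile(r":Zone\.Identifier", re.I), 3,
              "reads the Mark-of-the-Web ADS, which EXT-based sandboxes drop"),
    Indicator("inkpicture_painted_entry", re.compile(r"\bInkPicture\w*_Painted\b", re.I), 3,
              "entry point in InkPicture.Painted instead of AutoOpen/Document_Open"),
    Indicator("recentfiles_count", re.compile(r"RecentFiles\s*\.\s*Count\s*<\s*\d+", re.I), 2,
              "requires a history of recently opened documents"),
    Indicator("wscript_shell", re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I), 1,
              "WScript.Shell object, needed for .Run"),
    Indicator("powershell_via_run", re.compile(r"\.Run\b[^\n]*powershell", re.I), 2,
              "PowerShell launched through WScript.Shell.Run"),
]

# Entry points a macro "normally" uses; their absence next to an InkPicture
# handler is itself worth reporting.
CONVENTIONAL_ENTRY = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I)


@dataclass(frozen=True)
class Finding:
    line: int            # 0 means a whole-file finding
    name: str
    weight: int


def scan_vba(source: str) -> list:
    """Return one Finding per matching line, plus file-level findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for ind in INDICATORS:
            if ind.pattern.search(line):
                findings.append(Finding(lineno, ind.name, ind.weight))
    names = {f.name for f in findings}
    if "inkpicture_painted_entry" in names and not CONVENTIONAL_ENTRY.search(source):
        findings.append(Finding(0, "no_conventional_entry_point", 1))
    return findings


def evasion_score(source: str) -> int:
    return sum(f.weight for f in scan_vba(source))


# Constructed, already deobfuscated macro modelled on the behaviour described
# above (the download command is a placeholder).
SAMPLE_VBA = '''\
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Variant)
    Dim fso, sh
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(ActiveDocument.FullName & ":Zone.Identifier") Then Exit Sub
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -w hidden -c <downloader command>", 0
End Sub
'''

BENIGN_VBA = '''\
Sub AutoOpen()
    MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    for f in scan_vba(SAMPLE_VBA):
        print(f"line {f.line:>2}: {f.name} (+{f.weight})")
    print("score:", evasion_score(SAMPLE_VBA), "benign:", evasion_score(BENIGN_VBA))
```

    The scanner reports line numbers so an analyst can jump to the interesting statements; the weights are only a ranking aid and should be tuned against your own corpus.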

    The full Joe Sandbox 16 report from the above sample is available below (click the graph to open):


    PartOfDomain, No-Admin and Steganography

    Another sample we received (thanks to John Lambert for sharing) is a bit more complicated and targets corporate users. There are at least two indicators to back up this statement. Both are visible in the snippet below:

    The result returned from the mekzvij() function is used to determine whether the VBA macro should proceed with the infection process (if greater than 2, execution stops). It is clearly visible that the PartOfDomain field of the Win32_ComputerSystem WMI class has a very large weight (100). Not being part of a domain effectively prevents this sample from running. The second indicator is more trivial: the UserName field must not contain the "admin" substring. This is not necessarily a "corporate environment" indicator but may just be a detection of some specific sandboxes (another lookup for "malfind" suggests the latter). The mekzvij() function contains some more WMI-based evasions that are often used by many different malware families:
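    From the sandbox operator's side the useful question is whether a given analysis machine would pass the gate this sample implements. The Python below is an added example, not the sample's code and not part of Joe Sandbox: it models the weighted check as described above (PartOfDomain with weight 100, abort when the sum exceeds 2) over a constructed host profile and prints what to change. The weight of the "admin" and "malfind" lookups is an assumption, since the post does not give it, and checking "malfind" against both the user name and the computer name is likewise an assumption.

```python
from dataclasses import dataclass

PART_OF_DOMAIN_WEIGHT = 100   # weight observed in the sample's mekzvij() as described above
ABORT_THRESHOLD = 2           # "if greater than 2, stop execution"
ASSUMED_WEIGHT = 3            # assumption: the post gives no weight for the other lookups


@dataclass(frozen=True)
class HostProfile:
    """What an analysis machine would report through WMI (constructed fields)."""
    part_of_domain: bool   # Win32_ComputerSystem.PartOfDomain
    user_name: str         # Win32_ComputerSystem.UserName, e.g. DOMAIN\\user
    computer_name: str     # Win32_ComputerSystem.Name


@dataclass(frozen=True)
class Finding:
    check: str
    weight: int
    remediation: str


def evaluate_profile(p: HostProfile) -> list:
    """Return the checks this profile fails, with the weight the sample would add."""
    findings = []
    if not p.part_of_domain:
        findings.append(Finding("PartOfDomain == False", PART_OF_DOMAIN_WEIGHT,
                                "join the analysis VM to a (lab) Active Directory domain"))
    if "admin" in p.user_name.lower():
        findings.append(Finding('UserName contains "admin"', ASSUMED_WEIGHT,
                                "run samples under an ordinary-looking user account"))
    # Assumption: the field the "malfind" lookup targets is not named in the post,
    # so both the user name and the computer name are checked here.
    for field_name, value in (("UserName", p.user_name), ("Name", p.computer_name)):
        if "malfind" in value.lower():
            findings.append(Finding(f'{field_name} contains "malfind"', ASSUMED_WEIGHT,
                                    "rename the account or host"))
    return findings


def gate_score(p: HostProfile) -> int:
    return sum(f.weight for f in evaluate_profile(p))


def sample_would_abort(p: HostProfile) -> bool:
    """True if the infection routine would stop on this machine."""
    return gate_score(p) > ABORT_THRESHOLD


# Constructed profiles: a typical throw-away analysis VM and a domain-joined lab box.
WEAK = HostProfile(part_of_domain=False, user_name=r"WIN-ANALYSIS\Admin",
                   computer_name="WIN-ANALYSIS")
HARDENED = HostProfile(part_of_domain=True, user_name=r"CORP\jsmith",
                       computer_name="DESKTOP-FIN-042")

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: score={gate_score(prof)} aborts={sample_would_abort(prof)}")
        for f in evaluate_profile(prof):
            print(f"  {f.check} (+{f.weight}) -> {f.remediation}")
```

    Because the domain check alone carries a weight of 100, no amount of tuning of the other fields helps; the machine has to actually report PartOfDomain as true, which is why this evasion is harder for sandbox vendors than the ADS check.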

    If all checks pass, the script drops a DLL into "%APPDATA%\Adobe\AIR\azgyrfhy.dat" and runs it during the DocumentBeforeClose event:

    The DLL is just a second stage downloader and has a hardcoded URL pointing to a PNG image:

    After a successful download (it is never stored to disk), the DLL decrypts a second DLL that is hidden inside the PNG chunks (the simplest variant of PNG steganography) using a modified TEA cipher. The decrypted DLL is manually mapped into the process address space; later it communicates with another host, which seems to be dead by now as we received only "504 Gateway Time-out". More details about this particular threat can be found in the Joe Sandbox 16 report (click the graph to open):


    Final words

    While the :Zone.Identifier evasion is easy to bypass for sandbox vendors, the PartOfDomain evasion is not. Especially in the last weeks we have seen the use of more complex evasions. Of course, the more targeted a piece of malware is, the more likely it is that a complex evasion is being used.

    What helps most in fighting evasions are two things: first, deep malware analysis, which enables you to spot the evasion, and second, an open platform that lets you act quickly to counter the evasion. For many years we at Joe Security have been striving to improve these two main features of dynamic malware analysis systems.

    Will it blend? This is the question. As for Joe Sandbox we can say yes, the malware executes and shows its real behavior!

    Update 1:

    The second mentioned sample is actually part of the Dukes/APT29 targeted attacks.

    Rise of VBS Scripts evading Sandboxes

    We recently experienced new waves of malicious e-mails which use some cool tricks to evade sandboxes. In this blog post we briefly outline our analysis. The e-mails look like this:



    VirusTotal Score:

    The attachment is actually not a real RTF but rather a DOCX. The RTF disguise might be used to evade simple AV or other mail scanners:


    The document includes macros which are embedded as an OLE stream:


    The VBA macro code is heavily obfuscated. This is done to bypass static analysis:

    Recent malicious macros include many comments with legitimate words. Again, this is done to make static detection more difficult.

    Dynamic Analysis

    The initial Joe Sandbox analysis shows that Winword.exe spawns cmd.exe with a long command line:


    Although the code is obfuscated, we can see that it creates a new VBS script on the disk, which is then started by the Windows Scripting Host (wscript.exe):
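    The process chain just described (Winword.exe spawning cmd.exe with a long command line, which writes a VBS file and hands it to wscript.exe) is a good candidate for a behavioural detection that does not care how the macro is obfuscated. The Python below is an added example, not Joe Sandbox's signature engine: it walks a constructed list of process-creation events and flags the pattern. The command-line length threshold, the process names in the Office set and the sample events are all constructed here.

```python
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LONG_CMDLINE = 512                        # assumption: what counts as a "long" command line
VBS_REF = re.compile(r"\.vbs\b", re.I)    # command line writes or launches a .vbs file


@dataclass(frozen=True)
class Proc:
    """One process-creation event (constructed shape; map your EDR/sandbox fields onto it)."""
    pid: int
    ppid: int
    image: str      # base name, e.g. "cmd.exe"
    cmdline: str


def ancestors(proc: Proc, by_pid: dict):
    """Yield the parent chain, stopping on missing parents or pid reuse loops."""
    seen = {proc.pid}
    cur = by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        yield cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)


def detect(events: list) -> list:
    """Return (pid, rule_name) tuples for every event matching the Office->cmd->wscript pattern."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        img = p.image.lower()
        parent = by_pid.get(p.ppid)
        if img == "cmd.exe" and parent is not None and parent.image.lower() in OFFICE_IMAGES:
            if len(p.cmdline) >= LONG_CMDLINE:
                findings.append((p.pid, "office_spawns_cmd_long_cmdline"))
            if VBS_REF.search(p.cmdline):
                findings.append((p.pid, "office_cmd_references_vbs"))
        if img in SCRIPT_HOSTS:
            chain = [a.image.lower() for a in ancestors(p, by_pid)]
            if any(a in OFFICE_IMAGES for a in chain):
                findings.append((p.pid, "script_host_descends_from_office"))
    return findings


# Constructed events modelled on the chain described above. The long echo
# stands in for the obfuscated script body the real cmd.exe writes out.
LONG_CMD = "cmd.exe /c echo " + "A" * 600 + " > %TEMP%\\upd.vbs && wscript %TEMP%\\upd.vbs"
EVENTS = [
    Proc(1, 0, "explorer.exe", "explorer.exe"),
    Proc(100, 1, "WINWORD.EXE", '"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" /n invoice.doc'),
    Proc(200, 100, "cmd.exe", LONG_CMD),
    Proc(300, 200, "wscript.exe", "wscript %TEMP%\\upd.vbs"),
    Proc(400, 1, "cscript.exe", "cscript logon.vbs"),   # benign: started by explorer.exe
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

    The ancestor walk matters more than the direct parent check: samples often insert an extra hop (a second cmd.exe, or PowerShell) between the Office process and the script host, and the rule still fires as long as an Office process appears anywhere in the chain.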




    Once again, the VBS file is heavily obfuscated. However, we see that it has network related functionality:


    Unfortunately, if we check the behavior, no network traffic has been captured:

    Timer based Sleep Evasion

    Therefore we dug deeper and deobfuscated the VBS script, which revealed the following code:


    It is a traditional sleep evasion which waits 540 seconds before it downloads and executes the main payload. What is special is that it uses the timer() function of VBA to control the sleep duration. The payload is actually an image with a PE file appended:

    The payload dropped is the Cerber Ransomware:

    In order to analyze this threat we have written a new Cookbook (check out our Cookbook technology):

    The cookbook accelerates the local system time and simulates a 30 minute time shift in 30 seconds. Since the VBA timer is based on the local system time, this bypasses the evasion:
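    To see why shifting the clock works where a Sleep() hook would not, the Python below models the timer() wait loop against a simulated system clock. It is an added example and not the sample's script or the cookbook itself: a speed of 1 is real time, a speed of 60 models the 30-minutes-in-30-seconds acceleration described above, and the 300 second analysis window after which the simulation gives up is an assumption standing in for a sandbox's analysis time. It also shows an edge case of the technique: timer() counts seconds since midnight, so a loop written as timer() - start never terminates if it starts shortly before midnight.

```python
class SimClock:
    """Simulated system clock. speed=1 is real time; speed=60 models the cookbook
    above (30 minutes of system time per 30 seconds of real time)."""
    SECONDS_PER_DAY = 86400

    def __init__(self, start_seconds_since_midnight: float, speed: float = 1.0):
        self.sys = float(start_seconds_since_midnight)   # what the guest clock reads
        self.real = 0.0                                   # wall time spent by the analysis
        self.speed = speed

    def timer(self) -> float:
        # VBScript/VBA Timer(): seconds elapsed since midnight, so it wraps once a day.
        return self.sys % self.SECONDS_PER_DAY

    def advance(self, real_seconds: float) -> None:
        self.real += real_seconds
        self.sys += real_seconds * self.speed


def wait_like_sample(clock: SimClock, delay: float = 540.0, poll: float = 1.0,
                     window: float = 300.0):
    """Busy-wait loop in the shape described above: spin until Timer() - start
    reaches `delay`. `window` is the assumed analysis time (real seconds) after
    which the run is cut off. Returns (payload_stage_reached, polls, real_seconds)."""
    start = clock.timer()
    polls = 0
    while clock.timer() - start < delay:
        if clock.real >= window:
            return False, polls, clock.real   # analysis ended before the download stage
        clock.advance(poll)
        polls += 1
    return True, polls, clock.real


def simulate(speed: float, start: float = 43200.0, window: float = 300.0):
    """Run the wait loop on a fresh clock starting at `start` seconds after midnight."""
    return wait_like_sample(SimClock(start, speed), window=window)


if __name__ == "__main__":
    print("real time, 300 s window:  ", simulate(1.0))      # (False, 300, 300.0)
    print("60x clock, 300 s window:  ", simulate(60.0))     # (True, 9, 9.0)
    print("60x clock, started 23:59:59:", simulate(60.0, start=86399.0))
```

    Patching Sleep() does nothing here because the loop never calls it; what the loop reads is the system time, so only the time source itself can be accelerated. The midnight case is worth remembering during analysis: a sample that "never runs" in a late-evening run may simply be stuck behind a negative timer() difference.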

    Full Joe Sandbox Analysis Report:


    Joe Sandbox is a very flexible and open framework for malware analysis. In contrast to others, Joe Sandbox offers an adaptive tool which enables cyber security professionals to fight malware no matter what evasion is used. Given the power of cookbooks together with the in-depth analysis of Joe Sandbox, you can detect an evasion and bypass it very quickly. In addition, malware can be analyzed on any device, including bare metal laptops, PCs and phones.

    Call us for a presentation or in-depth demo!
