douglasmun

Office Malware anti-analysis methods

Jun 30th, 2017
Training 3: Identify Office Malware anti-analysis methods

Office malware sample (for education purposes) with 15 anti-analysis methods, created by Greg Linares @laughing_mantis & Dagmar Knechtel @digbei
https://www.virustotal.com/en/file/d49b2f735d5d4334653d705cb0ff837af88a4981253fb68c6d927745d97a1b3f/analysis/1498586723/

Download link for those without a VirusTotal Pro account. The .RAR password is: infected666
https://drive.google.com/file/d/0B9382tXe9pdKZFZNLUJCVTV2Vm8/view

Analysis of the sample by @JohnLaTwC aka John Lambert, General Manager of Microsoft Threat Intel Centre
https://pastebin.com/fmkRDeVM
1. Runs on Document_Close
2. Use of comments to hide from visual inspection, e.g. ' Legacy User Account Support - Feb 2017 - See Help Notes For Documentation
3. Storing function names in document variables, e.g. ThisDocument.Variables.Item("RegisterProduct") == Run
4. Indirect execution, e.g. CallByName to Application.Run to invoke User_Sync
5. Use of conditional execution to not run: #If Not Win32 Then / #If Mac = 1 Then
6. Check on input file name length, e.g. is it a hash? If Len(Me.Name) > 16 Then
7. Use of Application.OrganizerRename to rename the VBA project to impair debugging (e.g. https://twitter.com/Laughing_Mantis/status/759069904104361984)
8. Check to abort if the Microsoft Visual Basic For Applications window is visible
9. Use of AppSendMessage (aka Task.SendWindowMessage) &H10, 1, 0 and &H2, 1, 0 to save and exit
10. Application.Run calls to FluffyClouds to clear out control variables via ActiveDocument.Variables.Item(i).Delete
11. Detect delays (e.g. due to interactive debugging) and exit: If (T2 - CallTimer) > vbNormal Then
12. Use of Sendkeys to exit VBA, e.g. ActiveDocument.Variables("SalesPipeline").Value == Sendkeys and ActiveDocument.Variables("Synergy").Value == %{F11}
13. Force hiding of VBA in a loop, e.g. Loop Until Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False
14. Check if the VBA editor is on a large screen (e.g. a malware analyst =) ). If Application.WordBasic.AppInfo(7) > 1000 Then ' aka Application.UsableHeight
15. Office version check: If CInt(Application.WordBasic.AppInfo(2)) >= (vbDirectory - vbHidden) Then (i.e. > 14)
16. Check the date and abort if July or later: If DateTime.Month(Now) > 6 Then
17. Get PROGRAMFILES and abort if fewer than 30 subdirectories (e.g. must be an analysis VM with few apps), via CallByName with ActiveDocument.Variables("EmployeeID") == Environ$, ActiveDocument.Variables("ManagerName").Value == ProgramFiles and ActiveDocument.Variables("GetMgmtName") aka CountDirectories

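The checks above are all visible in the extracted VBA source, so an analyst can triage a macro dump (for example olevba output) for them before stepping through it in a debugger. The script below is an added example written for this page; it is not part of the paste, of John Lambert's analysis, or of Hephaestus. The indicator names, regular expressions, weights and the threshold are my own assumptions, and the SAMPLE_VBA input is a constructed fragment built only from the exit conditions listed above, not the real sample.

```python
"""Static triage of VBA source for the anti-analysis indicators listed above.

Each indicator is a regular expression matched line by line against the
macro text. Weights and the threshold are assumptions for this example.
"""
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "name pattern weight")

# One entry per technique family from the list; regexes are heuristic.
INDICATORS = [
    Indicator("autoexec_on_close", r"\bSub\s+Document_Close\b", 2),
    Indicator("vars_as_code", r"\.Variables(?:\.Item)?\s*\(", 1),
    Indicator("indirect_call", r"\bCallByName\b|\bApplication\.Run\b", 2),
    Indicator("cond_compile_mac", r"^\s*#If\b.*\b(Mac|Win32)\b", 1),
    Indicator("filename_len_check", r"\bLen\s*\(\s*Me\.Name\s*\)", 2),
    Indicator("project_rename", r"\bOrganizerRename\b", 3),
    Indicator("vbe_window_check", r"Visual Basic For Applications", 2),
    Indicator("sendmessage", r"\bSendWindowMessage\b|\bAppSendMessage\b", 2),
    Indicator("timing_check", r"\bTimer\b", 1),
    Indicator("sendkeys", r"\bSendKeys\b|%\{F11\}", 2),
    Indicator("screen_size_check", r"\bAppInfo\s*\(\s*7\s*\)|\bUsableHeight\b", 2),
    Indicator("office_version_check", r"\bAppInfo\s*\(\s*2\s*\)", 1),
    Indicator("date_gate", r"\bDateTime\.Month\b|\bMonth\s*\(\s*Now\s*\)", 2),
    Indicator("program_files_count", r"\bEnviron\$?\s*\(|\bProgramFiles\b", 1),
]

# Constructed test input: only the exit checks quoted in the list, no payload.
SAMPLE_VBA = """\
' Legacy User Account Support - Feb 2017 - See Help Notes For Documentation
Private Sub Document_Close()
    #If Mac = 1 Then
    Exit Sub
    #End If
    If Len(Me.Name) > 16 Then Exit Sub
    If Application.WordBasic.AppInfo(7) > 1000 Then Exit Sub
    If DateTime.Month(Now) > 6 Then Exit Sub
    CallByName ThisDocument, ThisDocument.Variables.Item("RegisterProduct"), VbMethod
End Sub
"""


def scan_vba(source):
    """Return {indicator_name: [line numbers]} for every indicator that fires."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for ind in INDICATORS:
            # VBA is case-insensitive, so match the same way.
            if re.search(ind.pattern, line, re.IGNORECASE):
                hits.setdefault(ind.name, []).append(lineno)
    return hits


def score(hits):
    """Sum each distinct indicator's weight once, however many lines matched."""
    weights = {ind.name: ind.weight for ind in INDICATORS}
    return sum(weights[name] for name in hits)


def triage(source, threshold=6):
    """Summarise a macro dump: score, verdict and the indicator names found."""
    hits = scan_vba(source)
    total = score(hits)
    return {"score": total, "suspicious": total >= threshold,
            "indicators": sorted(hits), "lines": hits}


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    print(f"score={report['score']} suspicious={report['suspicious']}")
    for name in report["indicators"]:
        print(f"  {name}: lines {report['lines'][name]}")
```

Distinct indicators are counted once so that a single trick repeated across many procedures does not inflate the score; the line numbers in the report give the analyst the places to set breakpoints before the macro's own delay and window checks can fire.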
Related
Hephaestus is the tool that generated the sample I shared https://github.com/glinares/Hephaestus

"Next Gen Office Malware v2.0" presentation slides @HushCon
https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/