Recently, I was tasked with investigating a malware sample which sometimes failed to behave maliciously. Unlike normal people, I spend a lot of time trying to run malware, and it can be surprisingly difficult to get it to behave like it should. Any number of things can go wrong which can lead to the malware simply crashing or not doing anything at all. In this post, I’ll discuss some clever anti-VM tricks observed in a malicious Word document. Additional related samples can be found by searching VirusTotal for "vbaproject.bin" "activeX1.bin" type:docx.

Here’s how the document looks when opened in Word:

It has no real content, includes executable code (active content), and the code is obfuscated and sketchy looking. If that didn’t look suspicious enough, here’s a view of the code:

(Image: Malware codejock code)

I first looked at the code and noticed this subroutine near the top: InkPicture1_Painted(ByVal DQkDFU As Long, ByVal KPhPosT As IInkRectangle). This looked like the execution entry point and was probably executed as soon as the “Enable Content” button was clicked and every time the ActiveX control was rendered (i.e. All it does is call IuIxpP and swallow any and all errors that are raised. The IuIxpP sub calls two methods, DKTxHE and qrNjY, and raises an error if either one returns true.

The RecentFiles object gives access to the history of recent documents. Most users, unless they just installed Word, are going to have opened more than two documents. However, on a testing virtual machine (VM), the software is normally not “broken in”. When the VM is initially created, software is installed, maybe opened once or twice to make sure it works, and then the state is saved; every time a test needs to be made, that state is loaded again.

(Image: Malware codejock software)

These VM images may then be used in automated analysis and testing tools which execute malware and see how it behaves. If malware is smart enough to know when it’s being tested in a VM, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected by such tools. The second sub, qrNjY, also tries to detect if it’s in a VM by getting information about the IP address. It makes a request to which normally requires some kind of authentication or API key.
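As an added example (not code from the post or from the sample), here is a small triage scanner that flags the evasion pattern described above in extracted VBA source: a Painted-event entry point, error swallowing, a RecentFiles count check and an external IP-lookup request. The VBA it runs over is a constructed reconstruction that reuses the post's sub names but not the sample's real bodies; the lookup URL, API key and threshold are placeholders.

```python
import re

# Constructed VBA modelled on the structure the post describes. Built for this example
# only: the names match the post, the bodies and the URL/key/threshold are placeholders.
SAMPLE_VBA = r'''
Private Sub InkPicture1_Painted(ByVal DQkDFU As Long, ByVal KPhPosT As IInkRectangle)
    On Error Resume Next
    IuIxpP
End Sub
Private Sub IuIxpP()
    If DKTxHE() Or qrNjY() Then Err.Raise vbObjectError + 1
End Sub
Private Function DKTxHE() As Boolean
    DKTxHE = (Application.RecentFiles.Count < 3)
End Function
Private Function qrNjY() As Boolean
    Dim h: Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://ip-lookup.invalid/json?key=PLACEHOLDER", False
    h.Send
    qrNjY = (Len(h.responseText) > 0)  ' stand-in for the real comparison
End Function
'''

# One regex per behaviour discussed in the post; matched line by line.
HEURISTICS = {
    "activex_event_entry": re.compile(r"^\s*(Private\s+)?Sub\s+\w+_Painted\s*\(", re.I),
    "error_swallowing": re.compile(r"On\s+Error\s+Resume\s+Next", re.I),
    "recentfiles_count": re.compile(r"RecentFiles\s*\.\s*Count", re.I),
    "http_request": re.compile(r'CreateObject\s*\(\s*"(MSXML2|WinHttp)', re.I),
    "error_as_gate": re.compile(r"\bErr\s*\.\s*Raise\b", re.I),
}

def scan_vba(src):
    """Return {heuristic: [1-based line numbers]} for every heuristic that matched."""
    hits = {}
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, rx in HEURISTICS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def is_likely_sandbox_aware(hits):
    """A VM-fingerprint check (RecentFiles count or an IP lookup) combined with error
    swallowing is the combination worth re-running on a 'broken-in' analysis VM."""
    fingerprint = {"recentfiles_count", "http_request"} & set(hits)
    return bool(fingerprint) and "error_swallowing" in hits

if __name__ == "__main__":
    found = scan_vba(SAMPLE_VBA)
    print(found, "sandbox-aware:", is_likely_sandbox_aware(found))
```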