With payload delivery mechanisms shifting, we thought it would be nice to have a Pafish-like tool for Office documents. Office documents are today one of the most prominent containers used to deliver malicious software. As exploits are getting harder to develop, attackers are using VBA embedded in Office documents to download and install payloads. VBA is well suited for sandbox detection, and we have already seen many evasions in recent samples:
- Will it blend? This is the Question, new Macro based Evasions spotted
- Rise of VBS Scripts evading Sandboxes
- Summary of recent Anti-Sandbox Tricks
- List of evasive samples
We have therefore put all known VBA / Macro based sandbox checks and evasions into a single Microsoft Office Word document and released this "Pafish Macro" on GitHub today:
You can download the "Pafish Macro" document here as well.
We will update the VBA code with new evasions as frequently as possible and look forward to contributions!