We always have been fans of the famous Pafish
tool by Alberto Ortega
. Pafish is a tool to check recent anti-malware analysis tricks and evasions against your favorite sandbox. Moreover it enables to fully study the evasive code. We know that Pafish helped and still helps to improve sandboxes.
With payload delivery mechanisms shifting we though it would be nice to have a Pafish-like tool for Office documents. Office documents today are one of the most prominent container to deliver malicious software. As exploits are getting harder to develop attackers are using VBA embedded in Office documents to download and install payloads. VBA is well suited for sandbox detection and we already have seen many evasions in recent samples:
We therefore have put all known VBA / Macro based sandbox checks and evasions into a single Microsoft Office Word document and released this "Pafish Macro" on Github
You can download the "Pafish Macro" document here
We will update the VBA code with new evasions as frequently as possible and are looking forward to contributions!