Pafish for Office Macro

Published on: 05.10.2016

We have always been fans of the famous Pafish tool by Alberto Ortega. Pafish is a tool to check recent anti-malware-analysis tricks and evasions against your favorite sandbox. Moreover, it makes it possible to fully study the evasive code. We know that Pafish has helped and still helps to improve sandboxes.

With payload delivery mechanisms shifting, we thought it would be nice to have a Pafish-like tool for Office documents. Office documents are today one of the most prominent containers for delivering malicious software. As exploits are getting harder to develop, attackers are using VBA embedded in Office documents to download and install payloads. VBA is well suited for sandbox detection, and we have already seen many evasions in recent samples:

We have therefore put all known VBA/macro-based sandbox checks and evasions into a single Microsoft Office Word document and released this "Pafish Macro" on GitHub today:

You can download the "Pafish Macro" document here as well.

We will update the VBA code with new evasions as frequently as possible and are looking forward to contributions!