cd ../../Random Posts

Simple But Effective Anti-Sandbox Trick

1 minute read

code_example

We can modify VBA Macro notification settings from the Registry by creating VBAWarnings DWORD under HKEY_CURRENT_USER\software\policies\microsoft\office\{ms_office_version}\{application}\security.

Possible values for VBAWarnings:

  • Value 1: Enable All Macros
  • Value 2: Disable All macros with notification
  • Value 3: Disable all macros except those digitally signed
  • Value 4: Disable all without notification

When opening a document with a macro, MS Office application (winword.exe, etc) tries to access VBAWarnings value:

All online sandbox services I’ve tested use the feature to enable all macros without any notification (value 1), although normal users usually don’t have the feature enabled.

Any.Run

Hybrid-Analysis

whoami: @_qaz_qaz