Malware writers are looking for the absence of documents to figure out which PCs are potential victims and which are virtual machines being used by white hats.

SentinelOne senior researcher Caleb Fenton found the novel technique while attempting to coax the malware into activating so it could be analysed.

The worm he was working on refused to budge, however, as Fenton's virtual machine showed no evidence of having opened any Word documents.

"Most users, unless they just installed Word, are going to have opened more than two documents," Fenton says.

"However, on a testing virtual machine, the software is normally not 'broken in'.

"If malware can be smart enough to know when it's being tested in a virtual machine, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected."

The malware borrows from other variants and cross-references the public IP address of the targeted PC to see if it matches a security vendor or sandbox technology, clamming up if it lands a hit.

Researchers will restore their virtual machines to an earlier fresh state whenever new malware is analysed. This makes it highly likely that word processors will have no history of opening documents should malware check.

A macro will activate on those machines with a document history and download a payload to exploit victim machines. ®