Dridex seems to be the most prevalent form of malware targeting businesses at the moment. Since the turn of the year I've thrown some numbers around about how Dridex is:
- Targeting the UK retail and finance industries
- Evolving to use PowerShell (platform-dependent)
- Using rudimentary encoding (a ROT13 shift) to try to hinder analysis
A newer twist in Dridex is an attempt to detect, and so evade, some commercial virtualisation products. Here is a snippet from one of the samples, freely available on Malwr.com or via the excellent hybrid-analysis.com:
Once the sample was detonated I could see it drop files into %temp%; those files hold the configuration for the sample currently being detonated, and it is explicitly trying to detonate on 'tin' (real hardware rather than a VM), for lack of a better phrase. Didier had encountered this sample and came to the same conclusion as me.
I prefer to inspect the malicious Word document with Python scripts rather than detonate it in a sandbox.
I again refer to the excellent BotConf I attended in December, and to Paul Jung's talk there on sandbox detection.
When inspecting the malicious documents I highly recommend http://www.decalage.info/ and the olevba.py script, which can not only dump the macro and decode base64-encoded strings, but will also prettify the content into tables for 'reporting'.
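As an added illustration of that string-level triage (this is example code written for this post, not olevba itself and not code from any Dridex sample), the script below does the job on a constructed macro: it pulls out the VBA string literals, undoes the ROT13 and base64 wrapping, and flags the WMI/hypervisor-vendor checks that signal a sample trying to run only on real hardware. The macro text, the keyword lists and the example.invalid URL are all assumptions constructed for the example.

```python
"""Triage the string literals of a VBA macro: undo ROT13 and base64 wrapping,
then flag sandbox/VM-detection indicators.

Added example for this post.  It is not olevba and not code from any Dridex
sample; SAMPLE_VBA is constructed to mimic the patterns described above
(a ROT13-wrapped PowerShell command, a base64 URL, a WMI hypervisor check).
"""
import base64
import binascii
import codecs
import re

SAMPLE_VBA = r'''
Function R13(s As String) As String
    Dim i As Integer, c As Integer
    For i = 1 To Len(s)
        c = Asc(Mid(s, i, 1))
        If c >= 65 And c <= 90 Then c = (c - 65 + 13) Mod 26 + 65
        If c >= 97 And c <= 122 Then c = (c - 97 + 13) Mod 26 + 97
        R13 = R13 & Chr(c)
    Next i
End Function

Sub AutoOpen()
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each cs In wmi.ExecQuery("SELECT * FROM Win32_ComputerSystem")
        If InStr(cs.Manufacturer, "VMware") > 0 Then Exit Sub
        If InStr(cs.Model, "VirtualBox") > 0 Then Exit Sub
    Next
    url = "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2FkLmV4ZQ=="
    Shell R13("cbjrefuryy -rc olcnff -j uvqqra"), vbHide
End Sub
'''

# Words whose appearance after decoding tells us the decoding was meaningful.
PLAINTEXT_MARKERS = ("powershell", "cmd", "http", "wscript", "shell", ".exe")
# Terms that commonly appear in VM/sandbox fingerprinting (triage heuristic,
# assumed list; tune it for your own corpus).
VM_INDICATORS = ("Win32_ComputerSystem", "Manufacturer", "VMware", "VirtualBox",
                 "vbox", "QEMU", "Hyper-V", "sandbox", "ExecQuery")

STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')  # VBA doubles " to escape it
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_string_literals(vba):
    """Return every double-quoted literal in the macro source."""
    return [m.group(1).replace('""', '"') for m in STRING_LITERAL.finditer(vba)]


def try_rot13(s):
    """ROT13 is its own inverse: apply it and keep the result only if the
    output contains a plaintext marker that the input did not."""
    out = codecs.decode(s, "rot_13")
    lo_in, lo_out = s.lower(), out.lower()
    if any(m in lo_out and m not in lo_in for m in PLAINTEXT_MARKERS):
        return out
    return None


def try_base64(s):
    """Decode when the literal has base64 shape and yields printable ASCII."""
    if not B64_SHAPE.match(s) or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (ValueError, binascii.Error):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def find_vm_indicators(vba):
    """Case-insensitive scan of the whole macro for fingerprinting terms."""
    low = vba.lower()
    return [k for k in VM_INDICATORS if k.lower() in low]


def triage(vba):
    """Return decoded literals as (kind, original, decoded) plus VM indicators."""
    decoded = []
    for lit in extract_string_literals(vba):
        r = try_rot13(lit)
        if r:
            decoded.append(("rot13", lit, r))
            continue
        b = try_base64(lit)
        if b:
            decoded.append(("base64", lit, b))
    return {"decoded": decoded, "vm_indicators": find_vm_indicators(vba)}


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    for kind, orig, dec in report["decoded"]:
        print(f"{kind:7} {orig!r} -> {dec!r}")
    print("VM/sandbox indicators:", ", ".join(report["vm_indicators"]))
```

Run it and the ROT13 literal comes back as a hidden-window PowerShell launch and the base64 literal as the download URL, while the WMI Win32_ComputerSystem query and the VMware/VirtualBox string compares are listed as the VM-evasion tell. Keep the marker test in try_rot13: blindly ROT13-ing every literal produces plausible-looking garbage, so only accept a decode that surfaces a keyword the original lacked.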