{
	"id": "dff3c23d-21b0-45e6-8f2b-c66b92cd5a78",
	"created_at": "2026-04-06T00:20:07.826854Z",
	"updated_at": "2026-04-10T03:21:50.322643Z",
	"deleted_at": null,
	"sha1_hash": "66bc55cfab7a57c6568b9c5df929612b10edf30b",
	"title": "Grinju Downloader: Anti-analysis (on steroids) | Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 839938,
	"plain_text": "Grinju Downloader: Anti-analysis (on steroids) | Part 1\r\nBy Vishal Thakur\r\nPublished: 2020-10-03 · Archived: 2026-04-05 16:00:57 UTC\r\nThis malware takes anti-analysis and stealth techniques to a new level\r\nMalpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju\r\nI’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one!\r\nSince this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible, but having said that, it really is a very complicated project. Hence, publishing in parts.\r\nTLDR:\r\nThis is a very well-thought-out and equally well-written malware. There’s no VBA that you can analyse. Th\r\nI've tried to include as much detail as possible but if you think something is not clear or has been\r\nNo Code\r\nWell, that’s not an entirely true title… there is code, just not in the traditional sense when it comes to macro-based malware (which is both exciting to see and also a stroke of genius on the authors’ part — credit where it’s due).\r\nAlso, I wanted to reference the album title from one of my favourite bands :)\r\nhttps://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8\r\nPage 1 of 7\n\nSo, more to that point, basically, if you were to go into the dev mode and look for the VBS code in there, you won’t find much. In fact, you’ll find nothing at all at first.\r\nSo where is all the code…? Glad you asked ;)\r\nAll the code is in the worksheet itself.\r\nSo how does it execute…?\r\nHmm… gather around, grab a coffee.\r\nBack in the day when Excel wasn’t what it is today (think version 4.0), users were able to program stuff using macro functions. These functions could be placed in the workbook itself. 
The way to do that is by creating a ‘macro’ sheet and then simply adding these functions in the cells. Then you can autostart the first one and follow the chain to completion (with enough ‘if’ statements to make sure you control the execution flow). That’s the short summary of how you can have an Excel file run malicious code without having any VBA-based objects in the project.\r\nAnalysing the file\r\nNow that we have a basic understanding of how the malware operates, let’s get into the nitty-gritty.\r\nTo start with, it looks just like any other macro-based malware. There’s that Excel file that opens up with a message asking the user to enable macros.\r\nThere are two sheets:\r\n‘Sheet1’ is the main one that the users see when they open the file, with the ‘Enable macros..’ message at the top. It also has a lot of data that is used by the macro functions to execute the programs for this malware.\r\n‘ij3Lv’ is the macro sheet. It has the macro functions that are run in order to execute the malware.\r\nThe problem\r\nWell, the first problem is that if you enable macros and allow execution of the malware, it will complete the execution flow and then simply corrupt the file, at which point you won’t be able to analyse the file any longer.\r\nHaving said that, let’s look at the flow of execution here before we move forward.\r\n1. The malware runs the first set of macro functions in succession, which writes a new set of macro functions to the worksheet\r\n2. On successful execution of the second set of macro functions, the malware does two things:\r\n3. It writes a VBS file to the disk\r\n4. It writes a text file to the disk\r\n5. It deletes the text file\r\n6. It corrupts the original Excel file\r\n7. 
End of execution\r\nNow that we have laid out a simple, basic version of the flow of execution of this malware, let’s get into more detail.\r\nAnalysis Part 1\r\nIn this section, we’ll take a look at the start of the execution chain and how it is implemented.\r\nThe starting macro functions are embedded in the macro sheet ‘ij3Lv’.\r\nThey are well hidden, starting at ‘R3887C240’ — which means Row 3887 and Column 40. Even after you zoom out completely, you’ll need to scroll to the right to get to these cells. Having said that, this is not the way to find them; you need to grab the reference to the cell from the code itself.\r\nZoomed out to 10% and then scrolled out to the right; look all the way to the right closely\r\nOnce you get to the functions, you can copy them into a code editor and start analysing them one by one.\r\nZoomed back at 100%\r\nThis is what they look like in an editor:\r\nNow let’s get into the details. I’ll pick the most interesting parts, as there are way too many of them to analyse individually.\r\nIn order to analyse it without losing touch with reality, we’ll do that dynamically. 
We’ll run these individually and then capture the output to build a picture that gives an idea as to what is happening during the execution.\r\nLet’s start with this function:\r\n=IF(AND(APP.MAXIMIZE(),GET.WORKSPACE(19),GET.WORKSPACE(13)\u003e770,GET.WORKSPACE(14)\u003e390,GET.WORKSPACE(31\r\nThese functions are very interesting as they can be used as anti-analysis techniques, not seen or published before.\r\nLet’s have a look how:\r\nAPP.MAXIMIZE() — this is a smart way of starting this function. It literally just maximises the current Excel window that you’re working on (this malware).\r\nGET.WORKSPACE(19) — returns TRUE if a mouse is present and FALSE if not. Can be easily used to check for sandbox presence.\r\nGET.WORKSPACE(13) — usable workspace width, in points. In this case, the malware is checking if it’s greater than 770 or not. Again, can be used to check for sandboxes. Window size wouldn’t matter at this point as it has already been maximised at the start of this function.\r\nGET.WORKSPACE(14) — usable workspace height, in points. Used exactly like the function above, just for height in this case.\r\nGET.WORKSPACE(31) — If running the macro in single-step mode, it returns TRUE. In this case, the author has already set it to FALSE, trying to hinder analysis.\r\nGET.WORKSPACE(42) — If the computer is capable of playing sounds, this function returns TRUE! 
Anti-sandbox check.\r\nOnce all these options have been checked, the function is stopped (HALT).\r\nLet’s move on to the next one:\r\nFrom this point on, the functions move on to extracting values from cells in Sheet1 and using them to construct values for the next set of functions that will be written to the workbook to be executed as the next step. Let’s see how that is done.\r\nFunctions use variables that are then assigned values from specific pre-populated cells. The function ‘SET.NAME’ is used for this purpose.\r\nE.g.:\r\ngsiGGMo=R3915C240\r\ngzDNqr=R3890C240\r\nPMXOKD=R3979C240\r\nesvmJMDoTkrH=R3910C240\r\nWhen you go looking for these cells, you’ll find they have values in them, derived by using formulas (this is obfuscation on steroids, as you can’t just Ctrl+F for these values as text).\r\nGoing through each call is out of scope for this publication, so we’ll just look at the overall flow.\r\nThe entire program at this point runs in a loop, based on an ‘If’ statement. The values are incremented by one each time, and if the condition returns ‘True’ the values are used to form the next set of instructions.\r\nAnother very interesting method that has been applied here is using the character codes to build the\r\nLet’s take a look.\r\nIn the above capture, note ‘CHAR(61.91)’ — this literally means: start building the value for “pdnPdPUK” with the character that corresponds to the code of ‘61’. 61 is the code for the Equals character ‘=’. 
Now look at the output below:\r\nThis loop ends up building the value all the way to “=CLOSE(FALSE)”, which will be used as one of the functions to close the workbook without saving it (FALSE means don’t save).\r\nOnce ALL the functions have been run successfully, this is the resulting code:\r\nIn the next part, we’ll dive into the code step-by-step and discover more anti-analysis and stealth-e\r\nGo to Part 2\r\nSource: https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8"
	],
	"report_names": [
		"grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8"
	],
	"threat_actors": [],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66bc55cfab7a57c6568b9c5df929612b10edf30b.pdf",
		"text": "https://archive.orkl.eu/66bc55cfab7a57c6568b9c5df929612b10edf30b.txt",
		"img": "https://archive.orkl.eu/66bc55cfab7a57c6568b9c5df929612b10edf30b.jpg"
	}
}