Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/malware_tries_t.html
From a news article:
A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found…looks for existing documents on targeted PCs.
If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.