Many malicious Python scripts implement a sandbox detection mechanism, I already wrote diaries about this[1], but it requires some extra code in the script. Because we are lazy (attackers too), why not try to automate this and easily detect the presence of such a security mechanism?
Article Link: InfoSec Handlers Diary Blog - SANS Internet Storm Center