Discover and read the best of Twitter Threads about #macrome

Most recents (1)

Profile picture
Michael Weber
@BouncyHat
Want to make those #xlm macros particularly resistant to AV? Get yourself a copy of Office 2003 and use the XOR Obfuscation method of encryption to protect your document with default password (VelvetSweatshop). Suddenly your #maldoc is invisible. Example: virustotal.com/gui/file/c3466… Image
The example I posted is otherwise identical to this document I generated with #macrome - virustotal.com/gui/file/e23f9…. Goes from 11 detections to 0.

AV knows about the VelvetSweatshop trick, but they don't know how to decrypt the XOR Obfuscation method.
The MS-OFFCRYPTO specification is actually full of goodies if you give it a read. XOR Obfuscation is described at docs.microsoft.com/en-us/openspec…. It's a legacy format stemming from the crypto-is-a-munition days. It's trivial to bypass, but unsupported by most document forensic tools.
Read 6 tweets

Related hashtags

#maldoc #macrome #xlm

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!