Security Consultant. Not affiliated with Red Hat. I just like the hat. @bouncyhat@infosec.exchange
Sep 23, 2020 • 6 tweets • 3 min read
Want to make those #xlm macros particularly resistant to AV? Get yourself a copy of Office 2003 and use the XOR Obfuscation method of encryption to protect your document with default password (VelvetSweatshop). Suddenly your #maldoc is invisible. Example: virustotal.com/gui/file/c3466…
The example I posted is otherwise identical to this document I generated with #macrome - virustotal.com/gui/file/e23f9…. Goes from 11 detections to 0.
AV knows about the VelvetSweatshop trick, but they don't know how to decrypt the XOR Obfuscation method.