Microsoft Word

Word 2003 XML: another trick to bypass anti-virus

One year ago we found that using the Word 2003 XML format could by very usefull for pentesters/redteamers/attackers as a standard VBA meterpreter payload was scoring 1⁄57 on VT (instead of 20⁄57 using the Office OpenXML format). AV vendors made their homeworks, VT score is now 14⁄54 Anyway another very simple trick can help a lot: by embedding the exact same file (xmhell.xml) in a new word document and saving it as a Word 2003 XML again you’ve got a 0/54 on VT !

Continue reading