One year ago we found that using the Word 2003 XML format could by very usefull for pentesters/redteamers/attackers as a standard VBA meterpreter payload was scoring 1⁄57 on VT (instead of 20⁄57 using the Office OpenXML format). AV vendors made their homeworks, VT score is now 14⁄54 Anyway another very simple trick can help a lot: by embedding the exact same file (xmhell.xml) in a new word document and saving it as a Word 2003 XML again you’ve got a 0/54 on VT !
Update (2015-07-07) 6 months after submitting our first Word 2003 XML payload on VT, the file now scores 9/53… Still not enough. If you are a pentester and your target doesn’t run one of these 9 AV you’re in ! Update (2015-04-27) 3 months after submitting our first Word 2003 XML payload on VT, the file now scores 9/56. Which means Symantec, McAfee, Sophos and a few others considered this threat seriously.