Word 2003 XML: another trick to bypass anti-virus

By Davy Douhine | January 21, 2016

One year ago we found that using the Word 2003 XML format could by very usefull for pentesters/redteamers/attackers as a standard VBA meterpreter payload was scoring 157 on VT (instead of 2057 using the Office OpenXML format). AV vendors made their homeworks, VT score is now 1454

Anyway another very simple trick can help a lot: by embedding the exact same file (xmhell.xml) in a new word document and saving it as a Word 2003 XML again you’ve got a 0/54 on VT ! Oh yeah ! Image : vt_babushka

Update (2016-03-31):

2 months after submitting our payload on VT, the file still scores 0/56

It seems that AV don’t like russians dolls, even Kaspersky and yet it contains a straight meterpreter payload (without encoding) which is normally catched.

Ok, but pwning a victim by this trick is not so obvious:

  1. the victim has to open the babushka.xml file: Image : word_babushka
  2. then open the xmlhell.xml file that is embedded and then accept a first warning: Image : enable_editing
  3. and another one: Image : enable_content

And then:

Image : meterpreter

But users are… users ! They will click and click again.

What about sandbox analysis ?

The excellent Payload Security VxStream sandbox flags our original xmhell file: hybrid_xmhell

But not the babushka variant: hybrid_babushka

What about a quick and dirty static analysis with olevba and oledump ?

Oledump catches VBA in xmhell.xml but we already knew that:

oledump_xmhell Olevba works very well too:

olevba_xmhell But that’s not the same story for babushka.xml:



That’s all for now, happy hunting and happy pwning !