khr0x40sh/MacroShop

detected by windows defender

Opened this issue · 4 comments

Win 10 Defender detected the code in the Excel macro-enabled workbook.
Used veil-evasion > reverse_https to generate the .bat.
Used macroshop > python macro_safe.py /home/test.bat test.txt
On the Windows machine I opened Excel, went into Developer > Visual Basic > Workbook and pasted the output code from macro_safe.py into the workbook, and it was detected when I tried to save it. Saved with the macro-enabled workbook extension.

screenshot 2016-07-24 14 40 38
Is there any other workaround for this?

Lol, I guess you know you've made it if there's a signature out there for you.

Anyways, try mutating the variable names a bit. I'll look into it when I get the chance, but it is probably flagging on one of the variable names.

It looks like it is based off a few detections, as you can see from someone posting a sample to virustotal.com.

False positive for the W97M/M097 detection I believe, but it is definitely macro malware, so there's that.

I would say it is definitely triggering on a string; in fact I know which one it most likely is, but I'm going to have to table correcting this for now. Maybe a future release will have an obfuscation routine to prevent this from happening. Also, my conscience should be clear, as no one should be relying on AV as a 100% solution. Users really should be educated not to open documents from sources they don't trust and/or not to run macros no matter how enticing they seem from said sources. I could continue this discussion for hours, but this isn't the forum.

People stay uploading shit on virustotal, wtf. Looking forward to a possible future release; thanks for sharing the info and replying back.

There are people who are paid to upload malware to VT.