A day in the life of a nasty Word Malware

This is a write-up from an incident in 2015, but many lessons still apply today.

Only 10 out of 55 anti-virus engines detected the malware, and those that missed it included some major players: Microsoft, Trend Micro, Symantec, Kaspersky, F-Prot, Bitdefender, Comodo, Fortinet and Sophos. The only two major vendors to flag it were McAfee and F-Secure.

My biggest takeaway was that something as trivial as modifying a single trailing padding bit (literally one bit at the very end of the file) with a hex editor was enough to change the file's hash, so that most AVs (including Microsoft and Symantec) gave it a clean bill of health. A one-bit change only defeats detections keyed on the exact file hash; a signature that matches the malicious content itself would still fire. And multi-hop droppers are pretty much table stakes these days.
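To make the point concrete, here is an added example (not code from the original write-up, and not the real sample) that flips the last bit of a constructed stand-in document, then checks it against two kinds of detection: a hash blocklist and a byte-pattern signature. The sample bytes and the pattern `Sub AutoOpen()` are constructed for illustration only.

```python
import hashlib

# Constructed stand-in for the document's bytes: an OLE2 magic header, a
# tiny VBA-looking body, and a run of zero padding at the end. Not real malware.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"Sub AutoOpen()\r\nMsgBox \"hi\"\r\nEnd Sub\r\n"
    + b"\x00" * 16
)

# Constructed byte pattern standing in for a content-based AV signature.
PATTERN = b"Sub AutoOpen()"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the data, as a hash blocklist would store it."""
    return hashlib.sha256(data).hexdigest()


def flip_trailing_bit(data: bytes) -> bytes:
    """Return a copy of data with the least significant bit of the final byte toggled.

    This is the hex-editor tweak from the write-up: one bit, at the very end,
    in what is padding for this constructed input.
    """
    if not data:
        raise ValueError("empty input")
    buf = bytearray(data)
    buf[-1] ^= 0x01
    return bytes(buf)


def hash_match(data: bytes, known_bad_hashes: set) -> bool:
    """Hash-based detection: exact SHA-256 lookup."""
    return sha256_hex(data) in known_bad_hashes


def pattern_match(data: bytes, pattern: bytes = PATTERN) -> bool:
    """Content-based detection: a fixed byte sequence anywhere in the file."""
    return pattern in data


def demo() -> dict:
    """Compare both detection styles on the original and the one-bit variant."""
    blocklist = {sha256_hex(SAMPLE_DOC)}   # the "known bad" hash
    variant = flip_trailing_bit(SAMPLE_DOC)
    return {
        "bytes_changed": sum(a != b for a, b in zip(SAMPLE_DOC, variant)),
        "original_hash_hit": hash_match(SAMPLE_DOC, blocklist),
        "variant_hash_hit": hash_match(variant, blocklist),
        "original_pattern_hit": pattern_match(SAMPLE_DOC),
        "variant_pattern_hit": pattern_match(variant),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash lookup misses the variant while the pattern still matches, which is exactly the gap a single-bit edit exploits: the flip costs the attacker nothing and buys a fresh, unlisted hash, but it does not touch the bytes a content signature keys on.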