doomedraven
1st case: you can just write a package to download and execute with start, as in the generic package
A macro can decode some objects before dropping them to the system
Would need to check the automatic package detection system, how it detects it, and about the mouseover, I think there should be some switch option to pass to office, I don't...
Well, it may not pass the mimetype, there are a few more, try to check the same data that cuckoo checks and you will have the answer where it bypassed :)
The second one is because you have not enabled it (macro/activex), it can be tricked by registry modification inside of the vm/cuckoo, I can't test it till 19.06 as I told, so can't...
No, I'm working, but have a lot of stuff to finish before I will have some spare time. That is really weird, check trusted * also
In your image the first 4 sections are trusted *, check there, everything should be allowed. Hm, interesting article
Here is the issue: https://github.com/spender-sandbox/cuckoo-modified/blob/55bafa2a325379418da9c2cdc66530458d827d17/analyzer/windows/lib/core/packages.py#L31
>>> Seems like the least harmful way is taking 'Microsoft ooxml ' out of the doc if and moving it into elseif after PowerPoint, but still bound to doc? no,...
Check the sflock ident function :)