Closed lunachy closed 8 years ago
I get these false positives in Office 2010 also. There have been a few discussions in IRC about the unhook FPs. Likely will need to add a whitelist for the recon_programs and injection_rwx signatures.
These should all be fixed now.
-Brad
When analyzing a normal docx, Cuckoo always reports the 'injection_rwx', 'antisandbox_unhook', and 'recon_programs' signatures. Is this accurate?

Regards

PS: Office version: Office 2007, with all macros enabled.