I have a .dmg file from a website that I “semi-trust”. I have run the .dmg on a second MacBook and it did not show any malicious behavior. I also googled both the MD5 and SHA256 checksums but could not find anything. VirusTotal shows me a perfect score.
Just recently I learned about shellcode and am now wondering if somebody could have injected the .dmg with his own malicious shellcode. And if yes, would VirusTotal recognize the malicious code? If I cannot be sure, would you recommend running the .dmg on a VM with no Internet? That way no information can be leaked outside.
Thank you very much for your help (Y)!