Evil Clippy v1.1 releases: hide VBA macros, stomp VBA code and confuse macro analysis tools
A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX, and Windows. This tool was released during our BlackHat Asia talk (March 28, 2019).
- Hide VBA macros from the GUI editor
- VBA stomping (P-code abuse)
- Fool analyst tools
- Serve VBA stomped templates via HTTP
If you have no idea what all of this is, check out the following resources first:
- Our MS Office Magic Show presentation at Derbycon 2018
- VBA stomping resources by the Walmart security team
- Pcodedmp by Dr. Bontchev
How effective is this?
At the time of writing, this tool is capable of getting a default Cobalt Strike macro to bypass all major antivirus products and most maldoc analysis tools (by using VBA stomping in combination with random module names).
Evil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and hereto abuses MS-OVBA specifications and features. It reuses code from Kavod.VBA.Compression to implement the compression algorithm that is used in dir and module streams (see MS-OVBA for relevant specifications).
Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX, and Windows.
- Added support for xlsm, xls and docm thanks to Carrie Robberts (@clr2of8 / @OrOneEqualsOne).