Evil Clippy v1.1 releases: hide VBA macros, stomp VBA code and confuse macro analysis tools

Evil Clippy

A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX, and Windows. This tool was released during our BlackHat Asia talk (March 28, 2019).

  • Hide VBA macros from the GUI editor
  • VBA stomping (P-code abuse)
  • Fool analyst tools
  • Serve VBA stomped templates via HTTP

If you have no idea what all of this is, check out the following resources first:

How effective is this?

At the time of writing, this tool is capable of getting a default Cobalt Strike macro to bypass all major antivirus products and most maldoc analysis tools (by using VBA stomping in combination with random module names).

Technology

Evil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and hereto abuses MS-OVBA specifications and features. It reuses code from Kavod.VBA.Compression to implement the compression algorithm that is used in dir and module streams (see MS-OVBA for relevant specifications).

Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX, and Windows.

Changelog v1.1

  • Added support for xlsm, xls and docm thanks to Carrie Robberts (@clr2of8 / @OrOneEqualsOne).

Download

Loading