Evil Clippy: MS Office maldoc assistant

At BlackHat Asia we released Evil Clippy, a tool that assists red teamers and security testers in creating malicious MS Office documents. Among other things, Evil Clippy can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools. It runs on Linux, OSX and Windows.

In this blog post we will explore the features of Evil Clippy and the technology behind it. The latest source code of the tool can be found here:

https://github.com/outflanknl/EvilClippy

Latest binary releases are available at:

https://github.com/outflanknl/EvilClippy/releases

Use cases

At the time of writing, this tool is capable of getting malicious macros to bypass all major antivirus products and most maldoc analysis tools. It achieves this by manipulating MS Office files at the file format level.
