loader gif

Evil Clippy Makes Malicious Office Docs that Dodge Detection

Evil Clippy Makes Malicious Office Docs that Dodge Detection (Malware and Vulnerabilities)

Dubbed Evil Clippy, the tool modifies Office documents at file format level to spew out malicious versions that get by the static analysis of antivirus engines and even utilities for manual inspection of macro scripts. One technique Evil Clippy uses to generate a maldoc is "VBA stomping," a method detailed by Walmart's security team, by which the original code of the VBA script can be replaced by a compiled version for the VBA engine called pseudo-code, or p-code in short. But as long as the same version of the VBA engine used to create the script exists in the Office application that opens it, the p-code is executed and the source code can even be missing. "In fact, even when you open the source of a macro module in the VBA editor, what is displayed is not the decompressed source code but the p-code decompiled into source," Bontchev explains. Evading detection, hindering analysis What Evil Clippy does to outsmart them is to replace the macro source code in a document with a fake script that does not trigger an alert.

loader gif