Malicious MS Office Macro Creator
Evil Clippy is a tool for creating malicious Microsoft Office macros:
At BlackHat Asia we released Evil Clippy, a tool which assists red teamers and security testers in creating malicious MS Office documents. Amongst others, Evil Clippy can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools. It runs on Linux, OSX and Windows.
VBA stomping is the most powerful feature, because it gets around antivirus programs:
VBA stomping abuses a feature which is not officially documented: the undocumented PerformanceCache part of each module stream contains compiled pseudo-code (p-code) for the VBA engine. If the MS Office version specified in the _VBA_PROJECT stream matches the MS Office version of the host program (Word or Excel) then the VBA source code in the module stream is ignored and the p-code is executed instead.
In summary: if we know the version of MS Office of a target system (e.g. Office 2016, 32 bit), we can replace our malicious VBA source code with fake code, while the malicious code will still get executed via p-code. In the meantime, any tool analyzing the VBA source code (such as antivirus) is completely fooled.
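The mechanics above are worth having in a triage script: the _VBA_PROJECT stream carries the Version field that decides whether the p-code or the source runs, and a module stream is p-code up to MODULEOFFSET.TextOffset and MS-OVBA-compressed source after it. The following is an added example (not Evil Clippy's or the post's code) that parses both and flags the variant where p-code is present but the source has been removed; the sample streams are constructed and the 0x1234 version value is a placeholder, not a real Office version. A stomped module that carries plausible fake source, as Evil Clippy produces, passes this check and needs p-code disassembly (for example pcodedmp) compared against the source.

```python
import struct

def vba_project_version(stream: bytes) -> int:
    """Version field of the _VBA_PROJECT stream (MS-OVBA 2.3.4.1): Reserved1 0x61CC, Version,
    Reserved2, Reserved3 (7 bytes in total), followed by the project-level PerformanceCache."""
    if len(stream) < 7 or struct.unpack_from("<H", stream, 0)[0] != 0x61CC:
        raise ValueError("not a _VBA_PROJECT stream")
    return struct.unpack_from("<H", stream, 2)[0]

def decompress_container(data: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression of the CompressedSourceCode part of a module stream."""
    if not data or data[0] != 0x01:
        raise ValueError("bad CompressedContainer signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + (header & 0x0FFF) + 1        # CompressedChunkSize is total size minus 3
        if not header & 0x8000:                  # uncompressed chunk: raw bytes
            out += data[pos:end]
            pos = end
            continue
        start = len(out)
        while pos < end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not flags >> bit & 1:         # flag bit 0: literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]  # flag bit 1: copy token
                pos += 2
                bits = max(4, (len(out) - start - 1).bit_length())  # ceil(log2(difference))
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):          # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)

def stomping_indicators(vba_project, module, text_offset, host_version):
    """Split a module stream at MODULEOFFSET.TextOffset (p-code before, source after)."""
    source = decompress_container(module[text_offset:]).decode("latin-1")
    version = vba_project_version(vba_project)
    return {"compiled_version": version,
            "version_matches_host": version == host_version,  # p-code only runs when True
            "pcode_bytes": text_offset, "source": source,
            "pcode_without_source": text_offset > 0 and not source.strip()}

# Constructed samples (not from a real document): placeholder version 0x1234, 6 bytes standing in
# for module p-code, and the source "Sub Foo()\r\nEnd Sub\r\n" as one literal-only compressed chunk.
SAMPLE_VBA_PROJECT = b"\xCC\x61\x34\x12\x00\x00\x00" + b"\x00" * 8
SAMPLE_PCODE = b"\x01\x00\x00\x00\x00\x00"
SAMPLE_SOURCE = b"\x01\x16\xB0" + b"\x00Sub Foo(" + b"\x00)\r\nEnd S" + b"\x00ub\r\n"
```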
TimH • May 8, 2019 10:47 AM
I always disable macros for Office and Acrobat.
I understand that spreadsheets can use macros usefully… but why oh why does anyone think it's sensible to be able to run code, let alone by default, in documents like Word, PP, PDF which are for reading?