![clipy word clipy word](https://icdn2.digitaltrends.com/image/digitaltrends/clippy-1200x630-c-ar1.91.jpg)
Set/Remove VBA Project Locked/Unviewable Protection You can set a template via a URL (.dot extension is not required!) from the developer toolbar in Word.Īlso, fakecode.vba must have a VB_Base attribute set for a macro from a template (this means that your facecode.vba must start with a line such as Attribute VB_Base = “0”). Note: The file you are serving must be a template (.dot instead of. If this file is retrieved, it automatically matches the target’s Office version (using its HTTP headers and then setting the _VBA_PROJECT bytes accordingly).ĮvilClippy.exe -s fakecode.vba -w 8080 macrofile.dot Service macrofile.dot via HTTP port 8080 after performing VBA stomping. Note: this is known to be effective in tricking pcodedmp and VirusTotal This abuses ambiguity in the MODULESTREAMNAME records – most analyst tools use the ASCII module names specified here, while MS Office used the Unicode variant.īy setting a random ASCII module name most P-code and VBA analysis tools crash, while the actual P-code and VBA still runs fine in Word and Excel. Set random ASCII module names in the dir stream. Set random module names (fool analyst tools) ĮvilClippy.exe -s fakecode.vba -t 2016×86 macrofile.doc Achieved by setting the appropriate version bytes in the _VBA_PROJECT stream.
#Clipy word code
This means that Word 2016 on x86 will execute the P-code, while other versions of Word wil execute the code from fakecode.vba instead. Same as the above, but now explicitly targeting Word 2016 on x86. Set target Office version for VBA stomping Note: VBA Stomping does not work for files saved in the Excel 97-2003 Workbook (.xls) format Note that the VBA project version must match the host program in order for the P-code to be executed (see next example for version matching).ĮvilClippy.exe -s fakecode.vba macrofile.doc This abuses an undocumented feature of module streams. Put fake VBA code from text file fakecode.vba in all modules, while leaving P-code intact. This is achieved by removing module lines from the project stream. Hide all macro modules (except the default “ThisDocument” module) from the VBA GUI editor. Then execute the following command from a Visual Studio developer command prompt:Ĭsc /reference:OpenMcdf.dll,System.IO. /out:EvilClippy.exe *.cs
#Clipy word windows
Windows Make sure you have Visual Studio installed. Now run Evil Clippy from the command line: Mcs /reference:OpenMcdf.dll,System.IO. /out:EvilClippy.exe *.cs Then execute the following command from the command line: OSX and Linux Make sure you have Mono installed. It reuses code from to implement the compression algorithm that is used in dir and module streams (see MS-OVBA for relevant specifications).Įvil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.Īlso Read – DrAFL : Fuzzing Binaries With No Source Code On LinuxĪ cross-platform compiled binary can be found under “releases”. Set/Remove VBA Project Locked/Unviewable ProtectionĪt the time of writing, this tool is capable of getting a default Cobalt Strike macro to bypass all major antivirus products and most maldoc analysis tools (by using VBA stomping in combination with random module names).Įvil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and hereto abuses MS-OVBA specifications and features.Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. A video recording will be online in 90 days.Ī cross-platform assistant for creating malicious MS Office documents. Runs on Linux, OSX and Windows.EvilClippy tool was released during our BlackHat Asia talk (March 28, 2019). EvilClippy is a cross-platform assistant for creating malicious MS Office documents.