“Evil Clippy” helps malicious MS Office documents bypass antiviruses

Cybersecurity researchers inhaled new life in famous helper from Microsoft Office that is famous as Clippy.

Evil Clippy” – this is how new instrument called – can significantly complicate detection of malware macros.

It is able to modify documents on the step of files formatting. Finally comes malware version of the document that can bypass detection with different antivirus engines. To get this result, new instrument uses undocumented functions and specifications.

Evil Clippy created by Danish company Outflank that tests cybersecurity. Instrument was developed when one of company’s clients was tested for the ability to resist cyberattacks.

Evil Clippy can work in Windows, macOS and Linux. Instrument supports formats Microsoft Office 97 – 2003 (.DOC и .XLS files), 2007 and newer (.DOCM и .XLSM files).

Evil Clippy mem
Evil Clippy mem

Technique that is used by the Evil Clippy for generation of malware documents is called VBA-stomping and was described by Walmart cybersecurity team. Its meaning is in substitution of the original VBA-script on “pseudocode”.

«Since malicious macros are one of the most common methods for initial compromise by threat actors, proper defense against such macros is crucial. We believe that the lack of adequate specifications of how macros actually work in MS Office severely hinders the work of antivirus vendors and security analysts. This post serves as a call to Microsoft to change this for the better.», – sais in Outflank

To avoid detection by antivirus products new infecting tool substitutes malware macros code by a fake script. As a result malware document that initially was detected by 30 antiviruses, could bypass majority of them with the use of Evil Clippy.

If you don’t use macros, turn them off. If you need them, at least turn off macros in documents downloaded from the internet.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button