Clipy ms word12/19/2023 ![]() This stream is compressed and its format is rather well documented. Dir: a stream which contains the VBA project layout.There is no official documentation on the contents of this stream, but it is crucial in how macros are interpreted (which we will see later in this post). _VBA_PROJECT: a stream with binary data which instructs the VBA engine.It can be regarded as a configuration file with CRLF separated lines which instruct the VBA editor GUI (amongst others). PROJECT: a stream with text data specifying project information.The most important streams in the macros container are: The structure and contents of this container are explained by Microsoft in a lengthy and complex specification called MS-OVBA. In MS Excel files this container is called “_VBA_PROJECT_CUR”. The “macros” container contains all subcontainers and streams related to VBA macros in a MS Word document. A CFBF file is like a file system in a single file: there are streams (think of them as “files”) which can be stored in containers (think of them as “directories”). The pane on the bottom left shows the structure of this particular CFBF file. If you want to manipulate CFBF files manually, then FlexHEX is one of the best editors for this. This file is a CFBF file which contains the macro information for the document.Įvil Clippy uses the OpenMCDF library to manipulate CFBF files. If you unzip the file, you will find a file named “vbaProject.bin” in the “word” (.docm) or “xl” (.xlsm) directories. xlsm), these files are actually ZIP containers. xls), these files are entirely in the CFBF file format. Evil Clippy supports the following two MS Office file types: This file format is used abundantly in MS Office. In order to understand how Evil Clippy works, we need to dive into the Compound File Binary Format (CFBF). ![]() Compilation and usage instructions can be found in the readme. The code compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows. If you need to evade dynamic analysis of macros, then read our blog on bypassing AMSI for VBA.Įvil Clippy is written in C#. A combination which can be particularly effective for initial compromise during red teaming operations is to deliver malicious documents generated with Evil Clippy via HTML smuggling (which helps you bypass perimeter defenses). Note that Evil Clippy only focuses on evasion of static analysis. ![]() This is a basic process injection macro which is obviously malicious and is detected by practically all major antivirus vendors.Īfter applying Evil Clippy to this document (EvilClippy.exe -s fake.vbs -g -r cobaltstrike.doc), all major antivirus engines fail to detect this macro. The following screenshot shows detection rates of a default Cobalt Strike VBA macro before Evil Clippy is applied. It achieves this by manipulating MS Office files on a file format level. At the time of writing, this tool is capable of getting malicious macros to bypass all major antivirus products and most maldoc analysis tools. ![]()
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |