Evil Clippy is now helping hackers infect your Office documents

Reading time icon 1 min. read


Readers help support MSPoweruser. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help MSPoweruser effortlessly and without spending any money. Read more

All the years of derision has caused Clippy to go over to the dark side. Still super-helpful, Clippy is now helping the wrong people.

Security researchers from the Netherlands have just released “a tool which assists red teamers and security testers in creating malicious MS Office documents”.

Evil Clippy can make malicious Microsoft Office docs undetectable.  It can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools.

The app relies on Office features, such as “VBA Stomping”, which are undocumented.  If the MS Office version is known, the malicious VBA source code can be replaced with a fake code, whilst the malicious code will still get executed via p-code.

The app can fool any tool that analyses the VBA source code, including antivirus software.

The latest source code of the tool can be found here, and the latest binary releases here.

Source: Outflank

More about the topics: evil clippy, maldoc