{"id":13537610,"url":"https://github.com/outflanknl/evilclippy","last_synced_at":"2025-05-15T09:08:28.897Z","repository":{"id":38956091,"uuid":"177781838","full_name":"outflanknl/EvilClippy","owner":"outflanknl","description":"A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.","archived":false,"fork":false,"pushed_at":"2023-12-27T12:37:47.000Z","size":149,"stargazers_count":2163,"open_issues_count":21,"forks_count":402,"subscribers_count":88,"default_branch":"master","last_synced_at":"2025-04-15T00:51:40.651Z","etag":null,"topics":["excel","macro","malware","ms-office","pcode","stomping","vba","word"],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/outflanknl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-03-26T12:14:03.000Z","updated_at":"2025-04-09T12:37:41.000Z","dependencies_parsed_at":"2024-02-24T09:45:40.536Z","dependency_job_id":null,"html_url":"https://github.com/outflanknl/EvilClippy","commit_stats":{"total_commits":51,"total_committers":6,"mean_commits":8.5,"dds":0.4117647058823529,"last_synced_commit":"fa610c6469734c16da5dab89a6f9c6776e1b16c6"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FEvilClippy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FEvilClippy/tags","releases_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FEvilClippy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FEvilClippy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/outflanknl","download_url":"https://codeload.github.com/outflanknl/EvilClippy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254310520,"owners_count":22049470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["excel","macro","malware","ms-office","pcode","stomping","vba","word"],"created_at":"2024-08-01T09:01:01.072Z","updated_at":"2025-05-15T09:08:23.880Z","avatar_url":"https://github.com/outflanknl.png","language":"C#","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"3ed50213c2818f1455eff4e30372c542\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"caab36bba7fa8bb931a9133e37d397f6\"\u003e\u003c/a\u003eWindows"],"readme":"This tool was released during our BlackHat Asia talk (March 28, 2019). A video recording of this talk is available at https://www.youtube.com/watch?v=9ULzZA70Dzg.\n\n# Evil Clippy\nA cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. 
Runs on Linux, OSX and Windows.\n\nIf you're new to this tool, you might want to start by reading our blog post on Evil Clippy:\nhttps://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/\n\nThis project should be used for authorized testing or educational purposes only.\n\n## Current features\n* Hide VBA macros from the GUI editor\n* VBA stomping (P-code abuse)\n* Fool analyst tools\n* Serve VBA stomped templates via HTTP\n* Set/Remove VBA Project Locked/Unviewable Protection\n\nIf you have no idea what all of this is, check out the following resources first:\n* [Our MS Office Magic Show presentation at Derbycon 2018](https://outflank.nl/blog/2018/10/28/recordings-of-our-derbycon-and-brucon-presentations/)\n* [VBA stomping resources by the Walmart security team](https://vbastomp.com/)\n* [Pcodedmp by Dr. Bontchev](https://github.com/bontchev/pcodedmp)\n\n## How effective is this?\nAt the time of writing, this tool is capable of getting a default Cobalt Strike macro to bypass most major antivirus products and various maldoc analysis tools (by using VBA stomping in combination with random module names).\n\n## Technology\nEvil Clippy uses the [OpenMCDF library](https://github.com/ironfede/openmcdf/) to manipulate MS Office Compound File Binary Format (CFBF) files, and hereto abuses [MS-OVBA specifications](https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/) and features. It reuses code from [Kavod.VBA.Compression](https://github.com/rossknudsen/Kavod.Vba.Compression) to implement the compression algorithm that is used in dir and module streams (see MS-OVBA for relevant specifications).\n\nEvil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.\n\n## Compilation\n\nWe do not provide a binary release for EvilClippy. Please compile executables yourself:\n\n**OSX and Linux**\n\nMake sure you have Mono installed. 
Then execute the following command from the command line:\n\n`mcs /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs`\n\nNow run Evil Clippy from the command line:\n\n`mono EvilClippy.exe -h`\n\n**Windows**\n\nMake sure you have Visual Studio installed. Then execute the following command from a Visual Studio developer command prompt:\n\n`csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs`\n\nNow run Evil Clippy from the command line:\n\n`EvilClippy.exe -h`\n\n## Usage examples\n\n**Print help**\n\n`EvilClippy.exe -h`\n\n**Hide/Unhide macros from GUI**\n\nHide all macro modules (except the default \"ThisDocument\" module) from the VBA GUI editor. This is achieved by removing module lines from the project stream [MS-OVBA 2.3.1].\n\n`EvilClippy.exe -g macrofile.doc`\n\nUndo the changes done by the hide option (-g) so that we can debug the macro in the VBA IDE.\n\n`EvilClippy.exe -gg macrofile.doc`\n\n**Stomp VBA (abuse P-code)**\n\nPut fake VBA code from text file *fakecode.vba* in all modules, while leaving P-code intact. This abuses an undocumented feature of module streams [MS-OVBA 2.3.4.3]. Note that the VBA project version must match the host program in order for the P-code to be executed (see next example for version matching).\n\n`EvilClippy.exe -s fakecode.vba macrofile.doc`\n\nNote: VBA Stomping does not work for files saved in the Excel 97-2003 Workbook (.xls) format\n\n**Set target Office version for VBA stomping**\n\nSame as the above, but now explicitly targeting Word 2016 on x86. This means that Word 2016 on x86 will execute the P-code, while other versions of Word will execute the code from *fakecode.vba* instead. 
Achieved by setting the appropriate version bytes in the _VBA_PROJECT stream [MS-OVBA 2.3.4.1].\n\n`EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc`\n\n**Set/reset random module names (fool analyst tools)**\n\nSet random ASCII module names in the dir stream [MS-OVBA 2.3.4.2]. This abuses ambiguity in the MODULESTREAMNAME records [MS-OVBA 2.3.4.2.3.2.3] - most analyst tools use the ASCII module names specified here, while MS Office uses the Unicode variant. By setting a random ASCII module name most P-code and VBA analysis tools crash, while the actual P-code and VBA still runs fine in Word and Excel.\n\n`EvilClippy.exe -r macrofile.doc`\n\nNote: this is known to be effective in tricking pcodedmp and VirusTotal\n\nSet ASCII module names in the dir stream to match their Unicode counterparts. This reverses the changes made using the (-r) option of EvilClippy.\n\n`EvilClippy.exe -rr macrofile.doc`\n\n**Serve a VBA stomped template via HTTP**\n\nServe *macrofile.dot* via HTTP port 8080 after performing VBA stomping. If this file is retrieved, it automatically matches the target's Office version (using its HTTP headers and then setting the _VBA_PROJECT bytes accordingly).\n\n`EvilClippy.exe -s fakecode.vba -w 8080 macrofile.dot`\n\nNote: The file you are serving must be a template (.dot instead of .doc). You can set a template via a URL (.dot extension is not required!) from the developer toolbar in Word. 
Also, fakecode.vba must have a VB_Base attribute set for a macro from a template (this means that your fakecode.vba must start with a line such as *Attribute VB_Base = \"0{00020906-0000-0000-C000-000000000046}\"*).\n\n**Set/Remove VBA Project Locked/Unviewable Protection**\n\nTo set the Locked/Unviewable attributes use the '-u' option:\n\n`EvilClippy.exe -u macrofile.doc`\n\nTo remove the Locked/Unviewable attributes use the '-uu' option:\n\n`EvilClippy.exe -uu macrofile.doc`\n\nNote: You can remove the Locked/Unviewable attributes on files that were not locked with EvilClippy as well.\n\n## Limitations\n\nDeveloped for Microsoft Word and Excel document manipulation.\n\nAs noted above, VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format.\n\n## Authors\nStan Hegt ([@StanHacked](https://twitter.com/StanHacked)) / [Outflank](https://www.outflank.nl)\n\nWith significant contributions by Carrie Roberts ([@OrOneEqualsOne](https://twitter.com/OrOneEqualsOne) / Walmart).\n\nSpecial thanks to Nick Landers ([@monoxgas](https://twitter.com/monoxgas) / Silent Break Security) for pointing me towards OpenMCDF.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2Fevilclippy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foutflanknl%2Fevilclippy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2Fevilclippy/lists"}