Skip to content
Naked Security Naked Security

Researchers’ Evil Clippy cloaks malicious Office macros

A team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros.

Office macros have long been a vehicle for malicious code. Now, a team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros. Researchers at Netherlands-based cybersecurity consultancy Outflank created a tool they say stops most major antivirus tools from detecting malicious macro code.

In Microsoft Office, macros are small helper programs written in Visual Basic for Applications (VBA). They automate repetitive tasks like dropping a company letterhead into a document or formatting tables. Just as with other programs, attackers can make macros that do malicious things like drop malware onto your computer.

Named after Microsoft’s ill-fated Office assistant from the late nineties, Outflank’s ‘Evil Clippy’ uses some undocumented features in the way Microsoft stores its macros.

Office stores macros in a file format called Compound File Binary Format (CFBF). Evil Clippy compromises macros stored in this format using a technique called VBA stomping.

VBA stomping uses an undocumented feature within CFBF. The format stores the VBA source code for the Office macro, but it also stores a version of that code compiled into pseudo-code (also known as p-code) that is easier for the VBA engine to run.

If the version of MS Office specified in an Office file isn’t the same as the version of Office that opens the file, then the VBA engine compiles the VBA source code from scratch before running it. However, if the versions are the same, then it just runs the p-code instead to be more efficient.

Evil Clippy can replace legitimate p-code with an attacker‘s malicious code while leaving the visible source code intact in the file. Then, as long as the attacker can specify the same version of Office in the CFBF file as the version of Office that will open the file, the malicious code will run.

Testing the concept with a well-known macro virus, Outflank found that “all major antivirus engines” missed the malicious p-code and allowed the file through.

“It looks like you’re hiding malicious code…”

In its blog post describing Evil Clippy, Outflank explains several techniques for finding out which version of Office an intended target is running. One involves hiding a tracking pixel in an email. When Microsoft Outlook reads the mail, it will generate an HTTP request that the sender can read to find out the Office version number. Sneaky.

Describing the tool and the conditions that allowed them to create it, Outflank‘s team had a few choice words for Microsoft:

Since malicious macros are one of the most common methods for initial compromise by threat actors, proper defense against such macros is crucial. We believe that the lack of adequate specifications of how macros actually work in MS Office severely hinders the work of antivirus vendors and security analysts. This blog post serves as a call to Microsoft to change this for the better.

An ability to target an undocumented flaw like this shows the potential to find flaws in a product with a large attack surface, especially when its underlying mechanics are obscure. It’s worrying news, given last month’s report that 70% of attacks in Q4 2018 targeted Office.

The answer? If you don’t use macros, turn them off. If you need them, at least turn off macros in documents downloaded from the internet (enterprise admins can do that by following these instructions).

6 Comments

You should probably also turn off downloading external images within Outlook, which would block the tracking pixel. :)

Does / Will Sophos Endpoint et. al. detect Evil Clippy?

As with most threats, the answer is “it depends” – however crooks try to obfuscate or obscure their malware, it has to show its hand eventually, where it can be blocked by its behaviour.

They detect evil clippy, but evil clippy isn’t the probem, it’s the tool people use to make the problem macros.
The question should be does Sophos detect the stomped p-code that the hacker used evil clippy to generate.

See comment above. (My answer was not whether we detect the tool itself – I took “evil clippy” to mean “obfuscated files using this sort of technique”.)

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?