Beware of Evil Clippy! Evil Clippy (EC) is a malicious tool that modifies Microsoft Office documents at the file format level. EC generates malicious versions of documents that are able to evade antivirus engines that use static analysis and manual inspection of macro scripts for detection. EC does this by taking advantage of undocumented features, unclear specifications, and deviations from intended implementations. Macros are snippets of VBA (Visual Basic for Applications) code that automate tasks in Microsoft Office applications. They are constantly used to deliver malware when the user opens a corrupted document. In order to evade detection and analysis, EC replaces the macro source code in a document with a fake script that does not trigger an alert. A file that would normally be detected by more than 30 antivirus engines is able to bypass most of them after EC applies its operation.
The full report is available here: TR-19-129-002 Evil Clippy.pdf
Comments