Shulou (Shulou.com), 05/31. Updated 2025-01-19.
This article describes how the cross-platform tool EvilClippy is used to create malicious MS Office documents. The editor finds it very practical and shares it here for study.
Today's subject is EvilClippy, an open source, cross-platform security tool dedicated to creating malicious MS Office test documents. It can hide VBA macros and VBA code, and it can obfuscate macro code to make the work of macro analysis tools harder. The current version runs on Linux, macOS and Windows.
Function introduction
1. Hide the VBA macro in the GUI editor
2. Confuse security analysis tools
3. VBA Stomping
4. Introduce VBA P-Code pseudo coding.
5. Set the remote VBA project lock protection mechanism
6. Provide VBA Stomped templates through HTTP
Tool effect
Currently, the default Cobalt Strike macros generated by the tool can bypass all major antivirus products and macro analysis tools.
Technical analysis
EvilClippy uses the OpenMCDF library to modify the CFBF files used by MS Office, and takes advantage of the MS-OVBA specification and its features. The tool reuses part of the Kavod.VBA.Compression code to implement the compression algorithm and, compiled with the Mono C# compiler, runs perfectly on Linux, macOS and Windows.
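For defenders triaging such documents, here is one check for function 1: EvilClippy hides modules from the GUI editor by removing their lines from the PROJECT stream (MS-OVBA 2.3.1), so a module stream in the VBA storage with no matching line there is an anomaly. This is an added example, not code from EvilClippy or from the original article. It assumes the PROJECT stream text and the VBA storage's stream names were already extracted with an OLE parser and that stream names equal module names; the sample data and function names are constructed.

```python
import re

# Streams always present in the VBA storage that are not code modules (MS-OVBA).
NON_MODULE = re.compile(r"^(dir|_VBA_PROJECT|__SRP_\d+)$", re.IGNORECASE)
# PROJECT stream lines that declare a module, e.g. "Document=ThisDocument/&H00000000".
MODULE_LINE = re.compile(r"^(?:Module|Class|BaseClass|Document)=([^/\r\n]+)", re.IGNORECASE)

def declared_modules(project_text):
    """Module names listed in the PROJECT stream, before the first [section]."""
    names = set()
    for line in project_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # [Host Extender Info] / [Workspace]: no module lines after this
            break
        m = MODULE_LINE.match(line)
        if m:
            names.add(m.group(1).strip().lower())  # VBA module names are case-insensitive
    return names

def hidden_modules(project_text, vba_streams):
    """Module streams in the VBA storage that the PROJECT stream does not declare."""
    declared = declared_modules(project_text)
    return sorted(s for s in vba_streams
                  if not NON_MODULE.match(s) and s.lower() not in declared)

# Constructed sample input: stream names of a VBA storage and two PROJECT streams.
STREAMS = ["dir", "_VBA_PROJECT", "__SRP_0", "ThisDocument", "NewMacros"]
CLEAN_PROJECT = (
    'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    "Document=ThisDocument/&H00000000\r\n"
    "Module=NewMacros\r\n"
    'Name="Project"\r\n'
    "[Workspace]\r\n"
    "ThisDocument=0, 0, 0, 0, C\r\n"
)
# Same project with the Module= line removed, as a document with hidden modules would show.
TAMPERED_PROJECT = CLEAN_PROJECT.replace("Module=NewMacros\r\n", "")

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PROJECT), ("tampered", TAMPERED_PROJECT)):
        print(label, "undeclared module streams:", hidden_modules(text, STREAMS))
```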
Tool installation
Note: precompiled cross-platform binaries can be obtained from the releases page of the project.
macOS and Linux
Ensure that Mono is installed, and then run the following command:
mcs /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
Then run EvilClippy:
mono EvilClippy.exe -h
Windows
Make sure Visual Studio is installed, and then enter the following command in the Visual Studio developer command line window:
csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
Then run EvilClippy on the command line:
EvilClippy.exe -h
Use of the tool
Display help information
EvilClippy.exe -h
Hide macros in GUI
EvilClippy.exe -g macrofile.doc
VBA Stomp (P-Code pseudo-coding)
EvilClippy.exe -s fakecode.vba macrofile.doc
Set the target Office version information for VBA Stomping
EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc
Set random module names (confuses security analysis tools)
EvilClippy.exe -r macrofile.doc
Provide VBA Stomp templates through HTTP
EvilClippy.exe -s fakecode.vba -w 8080 macrofile.dot
Set remote VBA project lock protection
EvilClippy.exe -u macrofile.doc
Remove the protection:
EvilClippy.exe -uu macrofile.doc
The above is how to use cross-platform EvilClippy to create malicious MS Office documents. The editor believes these are knowledge points that may come up in daily work, and hopes you can learn more from this article.