Evil Clippy is described as:  "A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows."  I didn't have much luck with some of the other features but the feature that was of most interest to me, hiding macros, was functional.

We work with small businesses and the goal is to hide -- well enough, meaning that we want to show that if a small business is attacked, assigning attribution is difficult.  We're not hiding from competent investigators, we're just hiding from the average Joe. 

Let's say we create a malicious payload using Invoke Obfuscation, we insert that payload into a Macro, and then we phish the target.  Odds are pretty good that is enough.  But we can use Evil Clippy to add yet another layer.

First we need to compile on a machine with Visual Studio:

csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs


Next, we create our document and embed our Macro:


We let Evil Clippy do the work:


It creates a new version of the file:


The Macro exists and we catch our shell but when we look inside the Macro, everything has vanished. 


Again, as I mentioned, just another step toward hiding our tracks.