Evil Clippy: a tool for making undetectable malicious Microsoft Office docs

Originally published at: https://boingboing.net/2019/05/05/p-code-r-us.html


Wait, Evil Clippy is Clippy with a goatee, right?
Wouldn’t that make him the good one?


He would be the best clippy in the evil universe if he had a goatee of course. But it’s still the evil universe.




It’s the only one we’ve got… apparently.


Mirror universe Clippy?


There is no file type that Microsoft hasn’t made executable at some point. Office files, XML, midi… There’s probably some backdoor to Notepad to execute txt files.


Technically an IE exploit, but it is triggered by trying to open a txt file!


On what planet?

Huuughhh, the joke is that Clippy is already evil, so Evil Clippy must be…
…Jebuz… tough crowd.


Just looking at the fake Clippy sets off the agonizer…


I got nothing.


undetectable malicious Microsoft Office docs

  • Load VM system image
  • Open target document
  • See if anything changes

If it’s malicious, it has to do something, right? Can’t it be detected by just watching what it does?

Without a goatee there’s literally no way to know.


A native executable is something with a PE header. What you’re thinking of is probably a protocol handler (which can be a big bag of evil if done improperly). Most of the time file extensions just point to an executable to handle them.

What if it’s programmed to do nothing until it has been running for a few days? Or until it’s running after a predetermined day in the future?

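The "load a VM, open the document, see if anything changes" procedure above, together with the time-bomb objection to it, as an added example that is not part of the original thread or of the Evil Clippy tool. It snapshots a scratch directory, runs a constructed stand-in for a document handler, and diffs the result; the stand-in "macro" only drops a file once a trigger date has passed, and the harness takes the date as a parameter because faking the clock is what a sandbox has to do to see that behaviour. Everything here (the file names, the trigger date, the fake `MZ` header) is invented for the example.

```python
"""Toy behavioural detonation check: snapshot a directory before and after a
document-handler callable runs, then report what changed.
Added example; not code from the original thread or from Evil Clippy."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root to its SHA-256 so two snapshots can be diffed."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(root))] = digest
    return result


def diff(before: dict, after: dict) -> dict:
    """Files created, deleted or modified between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def detonate(action, root: Path, today: date) -> dict:
    """Run `action(root, today)` (stands in for opening the document in the VM)
    and return what it changed on disk. `today` is the sandbox's clock."""
    before = snapshot(root)
    action(root, today)
    return diff(before, snapshot(root))


def make_timebomb(trigger: date):
    """Constructed stand-in for a macro that stays idle until `trigger`."""
    def payload(root: Path, today: date) -> None:
        if today >= trigger:
            # Hypothetical dropped file: just an MZ marker, not a real executable.
            (root / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return payload


def run_demo() -> tuple:
    """Detonate the same time-bomb twice: inside the analysis window (nothing
    observed) and on the trigger day (dropped file observed)."""
    trigger = date(2019, 6, 1)  # assumed trigger date
    bomb = make_timebomb(trigger)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample file standing in for the opened document.
        (root / "decoy.txt").write_text("harmless document contents")
        quiet = detonate(bomb, root, date(2019, 5, 5))
        loud = detonate(bomb, root, date(2019, 6, 1))
    return quiet, loud


if __name__ == "__main__":
    quiet, loud = run_demo()
    print("sandbox clock 2019-05-05:", quiet)
    print("sandbox clock 2019-06-01:", loud)
```

The first detonation reports no changes at all, which is the "undetectable within a reasonable timeframe" case from the discussion; the second shows the same document dropping a file once the clock has moved past its trigger. Real sandboxes attack this by advancing the clock, stubbing sleeps, and watching network and registry activity as well as the filesystem, none of which this toy does.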

Perhaps it is more “End of Level Boss Clippy”. Or maybe “Chaotic Evil Clippy”, a foil for the original “Lawful Evil Clippy”: a Joker-like paperclip that was once straightened out to free a floppy on a Mac, and has never been the same since. I’m sure Alan Moore could flesh out the backstory if we asked nicely…


Sure, absolutely.

But my existential point stands: software maliciousness is a consequence of the actions that software takes, and these actions are (eventually, per your point) something that can be observed.

Not easily detectable, nor detectable in a reasonable timeframe — these are valid alternate labels. But straight-up undetectable malware is a misnomer. If it doesn’t ultimately do anything bad, it wasn’t malicious in the first place.

ETA: I’m almost certainly suffering from a bout of argumentative pedantry. Just ignore me.


I started using OpenOffice back in the day. Why pay a lot for something when a near equivalent is free and available? Like practically everyone else (including the employees) I fled to LibreOffice when Oracle acquired OpenOffice, which these days seems a bit moribund even if it is being run by Apache now. So my question is, is this attack vector something that can be used in either LibreOffice or OpenOffice? I do understand that many people have to use MSOffice due to that being what the company uses and/or because it might be better at being useful for collaborations.

That’s too specific. I’d consider a BAT file to be executable.

It doesn’t really matter if it’s native, bytecode, interpreted, script…
