Office macros have long been a vehicle for malicious code. Now, a team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros. Researchers at Netherlands-based cybersecurity consultancy Outflank created a tool they say stops most major antivirus tools from detecting malicious macro code.

In Microsoft Office, macros are small helper programs written in Visual Basic for Applications (VBA). They automate repetitive tasks like dropping a company letterhead into a document or formatting tables. Just as with other programs, attackers can make macros that do malicious things like drop malware onto your computer.

Named after Microsoft’s ill-fated Office assistant from the late nineties, Outflank’s ‘Evil Clippy’ uses some undocumented features in the way Microsoft stores its macros.

Office stores macros in a file format called Compound File Binary Format (CFBF). Evil Clippy tampers with macros stored in this format using a technique called VBA stomping.

VBA stomping uses an undocumented feature within CFBF. The format stores the VBA source code for the Office macro, but it also stores a version of that code compiled into pseudo-code (also known as p-code) that is easier for the VBA engine to run.
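To make that two-copies layout concrete from the defender's side, here is an added Python example; it is not Outflank's Evil Clippy and not Microsoft code. Inside the CFBF container, a VBA module is one stream in which the compiled p-code sits first and the compressed source text follows, starting at the byte offset the project's dir stream records in its MODULEOFFSET entry (this storage is described in Microsoft's [MS-OVBA] specification). The block implements the MS-OVBA compressed-container decompressor needed to read the stored source, a literal-only compressor used only to build test input, and a hypothetical `inspect_module` check that reports whether the source a scanner would show is blank while a p-code cache is present. The fake p-code bytes, the hand-built container and the blank-source rule are constructed for this example.

```python
"""Recover the stored VBA source from a module stream and flag a blank one.

Added example, not Outflank's Evil Clippy or Microsoft code. The decompressor follows
MS-OVBA section 2.4.1; sample streams, fake p-code and the blank-source rule are
constructed for this example."""
import struct


def decompress_container(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer into the original bytes."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_size = (header & 0x0FFF) + 3          # whole chunk, 2-byte header included
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(data), pos + chunk_size)
        pos += 2
        if (header >> 15) == 0:                      # flag 0: raw chunk of exactly 4096 bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)                       # copy tokens never reach before this
        while pos < chunk_end:
            flags = data[pos]                        # one bit per token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:           # literal token: a single byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]   # copy token
                pos += 2
                # The offset/length split of the 16 bits depends on how much of this
                # chunk has been produced so far; the length field keeps at least 4 bits.
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                if src < chunk_start:
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):              # byte by byte: source may overlap output
                    out.append(out[src + i])
    return bytes(out)


def compress_literal_only(src: bytes) -> bytes:
    """Build a valid single-chunk container from literal tokens only (no matching).
    Good enough to construct test input; Office's writer also emits copy tokens."""
    if not src:
        return b"\x01"
    if len(src) > 3600:                              # keep the body under the 4096-byte chunk cap
        raise ValueError("too long for one literal-only chunk")
    body = bytearray()
    for i in range(0, len(src), 8):
        body.append(0x00)                            # flag byte 0: the next (up to) 8 tokens are literals
        body += src[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)   # compressed flag, signature 0b011, size-3
    return b"\x01" + struct.pack("<H", header) + bytes(body)


def inspect_module(module_stream: bytes, text_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET.TextOffset (taken from the dir stream):
    bytes before it are the p-code cache, bytes from it on are the compressed source.
    The blank-source rule is this example's own simplification, not a published one."""
    pcode = module_stream[:text_offset]
    source = decompress_container(module_stream[text_offset:]).decode("latin-1")
    code_lines = [ln for ln in source.splitlines()
                  if ln.strip() and not ln.startswith("Attribute VB_")]
    return {"pcode_bytes": len(pcode), "source": source,
            "source_is_blank": not code_lines,
            "needs_pcode_review": bool(pcode) and not code_lines}


# Constructed sample input. SAMPLE_CONTAINER is hand-built for SAMPLE_SOURCE: signature,
# header 0xB01A (chunk size 29-3, signature 0b011, compressed), two all-literal token
# sequences, then a sequence whose fifth token (flag bit 4) is copy token 0x9800:
# length 3, offset 20, i.e. it copies "Sub" from the start of the chunk.
SAMPLE_SOURCE = b"Sub AutoOpen()\r\nEnd Sub\r\n"
SAMPLE_CONTAINER = (b"\x01\x1a\xb0" + b"\x00Sub Auto" + b"\x00Open()\r\n"
                    + b"\x10End " + b"\x00\x98" + b"\r\n")
FAKE_PCODE = b"\xc0\xde" * 8                         # stand-in bytes, not real p-code
TEXT_OFFSET = len(FAKE_PCODE)                        # what MODULEOFFSET would report here
GENUINE_STREAM = FAKE_PCODE + SAMPLE_CONTAINER
STOMPED_STREAM = FAKE_PCODE + compress_literal_only(b'Attribute VB_Name = "Module1"\r\n')

if __name__ == "__main__":
    for name, stream in (("genuine", GENUINE_STREAM), ("stomped", STOMPED_STREAM)):
        r = inspect_module(stream, TEXT_OFFSET)
        print(name, r["pcode_bytes"], "p-code bytes; source blank:", r["source_is_blank"])
```

On a real document the module stream and the text offset would come from the CFBF container and the project's dir stream rather than from the constructed values above. A blank or attribute-only source sitting next to a populated p-code cache is the crude shape of a stomped module, but a stomped module can just as well carry plausible-looking source, which is why scanners that handle this case compare the stored source against a disassembly of the p-code (tools such as pcodedmp do that) instead of relying on a blank-source rule alone.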