outflanknl/EvilClippy

EvilClippy and Metasploit implementation

anonuser78 opened this issue · 1 comment

Are there any ways to bypass the virus/malware detection of the Metasploit payload documents (macros attached) with EvilClippy? Google Gmail still marks it as a virus even when I run it through EvilClippy.

If AV detects a macro after EvilClippy is applied, then the problem is usually one of the following:

  1. SRP streams - these are artefacts that get created in a document after running a macro. Solution: either remove the SRP streams with a CFBF editor or make sure that you do not save the document after running a macro.
  2. Static strings or byte sequences that remain in p-code after VBA source code is removed. Solution: obfuscation of your macro.
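The SRP-stream artefact named in point 1, seen from the detection side. The following Python is an added example, not EvilClippy's code and not written by either participant in this issue: it carves CFBF directory entries out of a raw OLE container and flags any `__SRP_n` stream, whose presence indicates the VBA project was executed before the document was saved. It scans 128-byte aligned windows instead of walking the FAT chain, so it is a triage heuristic rather than a full CFBF parser; `build_sample_document` is a constructed stand-in (a header plus one directory sector, not a loadable Office file). For an OOXML `.docm`, the bytes to feed in are the embedded `vbaProject.bin`, not the outer zip.

```python
import re
import struct

# CFBF (OLE2 compound file) signature; the first 8 bytes of every .doc/.xls/vbaProject.bin
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENTRY_SIZE = 128                       # every directory entry is a fixed 128 bytes
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}
SRP_NAME = re.compile(r"^__SRP_\d+$")  # streams written when the VBA project has been run


def parse_directory_entry(chunk: bytes):
    """Decode one 128-byte CFBF directory entry; return None if it is not well-formed."""
    if len(chunk) != ENTRY_SIZE:
        return None
    name_len = struct.unpack_from("<H", chunk, 64)[0]  # UTF-16LE byte count, null included
    obj_type = chunk[66]
    if obj_type not in ENTRY_TYPES or name_len < 2 or name_len > 64 or name_len % 2:
        return None
    raw_name = chunk[:name_len]
    if raw_name[-2:] != b"\x00\x00":   # name must be null-terminated inside the 64-byte field
        return None
    try:
        name = raw_name[:-2].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not name:
        return None
    size = struct.unpack_from("<Q", chunk, 120)[0]
    return {"name": name, "type": ENTRY_TYPES[obj_type], "size": size}


def carve_directory_entries(data: bytes):
    """Walk the file in 128-byte aligned windows and keep each window that parses as an entry.

    This deliberately skips the FAT: directory sectors are always 512-byte aligned and entries
    are 128-byte aligned inside them, so an aligned scan recovers them even from a damaged file.
    """
    entries = []
    for offset in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = parse_directory_entry(data[offset:offset + ENTRY_SIZE])
        if entry:
            entries.append(entry)
    return entries


def find_srp_streams(data: bytes):
    """Return the names of __SRP_n streams in a CFBF container (empty list if not CFBF)."""
    if not data.startswith(CFB_MAGIC):
        return []
    return [
        e["name"]
        for e in carve_directory_entries(data)
        if e["type"] == "stream" and SRP_NAME.match(e["name"])
    ]


# ---- constructed sample data (hypothetical; not a real Office document) -----------------

def build_entry(name: str, obj_type: int, size: int = 0) -> bytes:
    """Constructed helper: emit a 128-byte directory entry with the given name and type."""
    encoded = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(ENTRY_SIZE)
    entry[:len(encoded)] = encoded
    struct.pack_into("<H", entry, 64, len(encoded))
    entry[66] = obj_type
    struct.pack_into("<Q", entry, 120, size)
    return bytes(entry)


def build_sample_document(with_srp: bool) -> bytes:
    """Constructed sample: a zero-padded CFBF header followed by one directory sector."""
    header = CFB_MAGIC + bytes(512 - len(CFB_MAGIC))
    entries = [
        build_entry("Root Entry", 5),
        build_entry("Macros", 1),
        build_entry("VBA", 1),
        build_entry("ThisDocument", 2, 1337),
        build_entry("_VBA_PROJECT", 2, 2048),
    ]
    if with_srp:
        entries += [build_entry("__SRP_0", 2, 4096), build_entry("__SRP_1", 2, 128)]
    return header + b"".join(entries)


if __name__ == "__main__":
    for label, doc in (("saved after macro ran", build_sample_document(True)),
                       ("never executed", build_sample_document(False))):
        print(f"{label}: SRP streams = {find_srp_streams(doc)}")
```

`find_srp_streams` on a document that was saved after its macro ran returns `['__SRP_0', '__SRP_1']`; on one that was never executed it returns an empty list. Because the scan is alignment-based, a header field that happens to look like a valid entry could produce a stray name; treat hits as a triage signal and confirm with a full parser such as oletools' olevba when it matters.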