Last Updated: 2019-03-23 22:53:09 UTC
by Didier Stevens (Version: 1)
Encrypted Excel documents can be opened without entering a password, provided the password is "VelvetSweatshop".
There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.
Looking at encrypted Office documents with oledump.py, you'll see the following streams:
If it's encrypted with a common password, you can use msoffcrypto-crack.py to recover the password:
And then you can save the decrypted Office document. Here I'm piping it again into oledump.py:
In a coming diary, I'll analyze the shellcode in this document.