Published: 2020-05-03
Last Updated: 2020-05-03 11:10:41 UTC
by Didier Stevens (Version: 1)
3 comment(s)

A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service were you can download malware samples).

When you download a sample from MALWARE Bazaar, it is stored in a password protected ZIP file. As mentioned on the download page, the password is infected.

But you can still have issues when extracting the sample, because AES is used as encryption method. Not all ZIP utilities support AES as encryption method, and so you'll have to use a utility that not only supports ZipCrypto, but also AES.

Python's module zipfile does not support AES, only ZipCrypto. So many of my analysis tools (oledump, pdf tools, ...) that can analyse samples inside a password protected ZIP file, will not work directly with MALWARE Bazaar samples.

But I found a solution, and implemented it first in my utility: there is an open-source drop-in replacement for the zipfile module, that supports AES encrytpion. This module is pyzipper.

When pyzipper is installed, my tool will use it in stead of zipfile, and thus provide AES encryption support. If it is not installed, it will use built-in module zipfile.

I will gradually update my other tools using zipfile, to include support for pyzipper.



Didier Stevens
Senior handler
Microsoft MVP

Keywords: aes zip
3 comment(s)



you are not a helpdesk, so just for information:

Some of the *.xlsx files are not zip-archives, but have the "magic"-bytes "D0 CF 11 E0 A1 B1 1A E1", i.e. they are old OLE-files, normaly *.xls. Your reveals the password, but I couldn't look inside with nor or a combination.

You are probably dealing with an encrypted OOXML file.
Does it look like the documents I described in this blog post?
One example is: f7183d3a992ead2bf194ac46b1f6f70ad9e30bfd5b6065ffbd96a3529c311725.xlsx

There are 3-4 other comparable files.
The password is according to MSoffice-crack: "Valvet..."

Diary Archives