Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Encrypted Office Documents InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Encrypted Office Documents

Published: 2018-06-17
Last Updated: 2018-06-17 15:43:06 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Last I had to analyze a malicious, encrypted Excel document, with a twist.

It was using the encrypted file format for OOXML files (.docx, .xlsx, ...), I knew this because of oledump's report:

When an OOXML file is encrypted, it is stored inside an OLE file. Stream EncryptedPackage contains the encrypted document.

Malware authors will encrypt malicious documents to avoid detection, but it requires the victim to type the password when opening the document. And that was different with this spreadsheet when I analyzed it inside a sandbox: no password was required to open it.

It turns out that this document was encrypted with password 'VelvetSweatshop'.

Allegedly, VelvetSweatshop was an hardcoded password in old versions of Excel used for protecting spreadsheets. For compatibility reasons, the latest versions of Excel still support this password. Spreadsheets encrypted with this password, will be opened by Excel without prompting the user for a decryption password.

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: encryption maldoc
0 comment(s)
Diary Archives