Password Protected Malicious Excel Files

We've been seeing quite a few malicious Excel files with Excel 4 macros lately.

A variant we are observing now is password-protected Excel 4 maldocs in the binary file format (.xls), not OOXML (.xlsm).

Password-protected .xls files are not completely encrypted. Simply put: the data of the BIFF records is encrypted, but the record headers (record type and length) are not.

A password-protected .xls file has a FILEPASS record at the beginning of the workbook stream. That record tells you which scheme was used (XOR obfuscation or RC4), and everything after it is parseable only at the record-header level.

I updated my BIFF plugin (plugin_biff.py) to issue a warning when option -x (filter for Excel 4 macros) is used on a password-protected file: since the data of the BOUNDSHEET records is encrypted, the plugin can no longer tell whether a sheet is an Excel 4 macro sheet or another type.

So when you see that an Excel workbook is password protected, you need to decrypt it before you can perform further analysis.

As the password is VelvetSweatshop (the default password Excel tries silently), the user does not have to enter a password: Excel decrypts the workbook on its own when the file is opened, so the protection hinders analysts and scanners, not the victim.
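To show what "headers in the clear, data encrypted" means in practice, here is an added example (my own code for this diary, not plugin_biff.py or any other existing tool): a minimal BIFF record walker that spots a FILEPASS record, classifies the encryption scheme, and reads the sheet type from BOUNDSHEET records only while the stream is unencrypted. A real .xls is an OLE compound file, so you would first extract the Workbook stream (for instance with oledump); the streams below are constructed inline from the MS-XLS record layouts so the script runs offline, and the "encrypted" BOUNDSHEET bodies are placeholder bytes standing in for ciphertext. Decryption itself (RC4 key derivation from VelvetSweatshop) is deliberately not implemented here.

```python
import struct

# BIFF record numbers used below (from the MS-XLS specification)
BOF = 0x0809
EOF = 0x000A
FILEPASS = 0x002F
BOUNDSHEET = 0x0085

# BoundSheet8.dt, the sheet-type byte that distinguishes an Excel 4 macro sheet
SHEET_TYPES = {
    0x00: "worksheet or dialog sheet",
    0x01: "Excel 4.0 macro sheet",
    0x02: "chart sheet",
    0x06: "VBA module",
}


def iter_records(stream):
    """Yield (record_type, data) for each BIFF record in a workbook stream.

    Every record starts with a 4-byte header: type and data length, both
    little-endian 16-bit. In a password-protected .xls the headers are in the
    clear; only the data that follows them is encrypted.
    """
    offset = 0
    while offset + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, offset)
        data = stream[offset + 4:offset + 4 + length]
        if len(data) != length:
            raise ValueError("truncated record 0x%04X at offset %d" % (rtype, offset))
        yield rtype, data
        offset += 4 + length


def describe_filepass(data):
    """Classify a FILEPASS record: XOR obfuscation, standard RC4, or RC4 CryptoAPI."""
    (wtype,) = struct.unpack_from("<H", data, 0)
    if wtype == 0x0000:
        return "XOR obfuscation"
    vmajor, vminor = struct.unpack_from("<HH", data, 2)  # EncryptionVersionInfo
    if vmajor == 1 and vminor == 1:
        return "RC4 (standard encryption)"
    return "RC4 CryptoAPI (version %d.%d)" % (vmajor, vminor)


def analyze(stream):
    """Report whether a workbook stream is password protected and list its sheets.

    Returns {"encrypted": <description or None>, "sheets": [(type, name), ...]}.
    Once a FILEPASS record has been seen, the BOUNDSHEET data (apart from the
    lbPlyPos offset) is ciphertext, so the sheet type cannot be read until the
    stream is decrypted; those sheets are reported as unknown.
    """
    result = {"encrypted": None, "sheets": []}
    for rtype, data in iter_records(stream):
        if rtype == FILEPASS:
            result["encrypted"] = describe_filepass(data)
        elif rtype == BOUNDSHEET:
            if result["encrypted"]:
                result["sheets"].append(("unknown (encrypted)", None))
            else:
                # BoundSheet8: lbPlyPos(4) hsState(1) dt(1) then a ShortXLUnicodeString
                dt = data[5]
                cch, high_byte = data[6], data[7] & 1
                raw = data[8:]
                name = raw[:cch * 2].decode("utf-16-le") if high_byte else raw[:cch].decode("latin-1")
                result["sheets"].append((SHEET_TYPES.get(dt, "unknown type 0x%02X" % dt), name))
        elif rtype == EOF:
            # the first EOF closes the Workbook Globals substream, which holds
            # FILEPASS and all BOUNDSHEET records
            break
    return result


# --- constructed sample streams (not real malware; built inline so this runs offline) ---

def record(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data


def boundsheet(dt, name):
    # lbPlyPos 0 is fine for a synthetic stream; hsState 0 = visible
    return record(BOUNDSHEET, struct.pack("<IBB", 0, 0, dt) + bytes([len(name), 0]) + name.encode("latin-1"))


BOF_GLOBALS = record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))

# Plain workbook: a normal worksheet plus an Excel 4 macro sheet
CLEAR_STREAM = BOF_GLOBALS + boundsheet(0x00, "Sheet1") + boundsheet(0x01, "Macro1") + record(EOF, b"")

# Same layout with a FILEPASS record for standard RC4 (wEncryptionType=1, version 1.1,
# then 16-byte salt, verifier and verifier hash). The BOUNDSHEET bodies after it are
# placeholder bytes standing in for ciphertext; only lbPlyPos would be in the clear.
FILEPASS_RC4 = record(FILEPASS, struct.pack("<HHH", 0x0001, 1, 1) + bytes(range(48)))
ENCRYPTED_BOUNDSHEET = record(BOUNDSHEET, struct.pack("<I", 0) + bytes([0xA5, 0x3C, 0x91, 0xE7, 0x2B, 0x60, 0xD4, 0x18]))
ENCRYPTED_STREAM = BOF_GLOBALS + FILEPASS_RC4 + ENCRYPTED_BOUNDSHEET * 2 + record(EOF, b"")

if __name__ == "__main__":
    for label, stream in (("clear", CLEAR_STREAM), ("password-protected", ENCRYPTED_STREAM)):
        print(label, analyze(stream))
```

Run it and the clear stream lists Sheet1 as a worksheet and Macro1 as an Excel 4.0 macro sheet, while the password-protected stream reports RC4 standard encryption and two sheets of unknown type: the record headers let you count the sheets, but the dt byte that says "macro sheet" is ciphertext, which is exactly why a macro filter has to warn rather than answer.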

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
