|
Encrypted Excel documents can be opened without entering a password, provided the password is "VelvetSweatshop". There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them. Looking a encrypted Office documents with oledump.py, you'll see the following streams:
If it's encrypted with a common password, you can use msoffcrypto-crack.py to recover the password:
And then you can save the decrypted Office document. Here I'm piping it again into oledump.py:
In a coming diary, I'll analyze the shellcode in this document. Didier Stevens |
DidierStevens 546 Posts ISC Handler Mar 23rd 2019 |
| Thread locked Subscribe |
Mar 23rd 2019 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!
