Encrypted Excel documents can be opened without entering a password, provided the password is "VelvetSweatshop".

There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.

Looking at encrypted Office documents with oledump.py, you'll see the following streams:

If it's encrypted with a common password, you can use msoffcrypto-crack.py to recover the password:

And then you can save the decrypted Office document. Here I'm piping it again into oledump.py:

In a coming diary, I'll analyze the shellcode in this document.

Didier Stevens
DidierStevens, ISC Handler, Mar 23rd 2019
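As a triage aid for the stream listing step described above, here is an added example (not code from the diary or from oledump.py) that lists the directory entries of an OLE file with the standard library only and flags the `EncryptionInfo` / `EncryptedPackage` pair that an encrypted OOXML package carries. It assumes the FAT is reachable from the header DIFAT and does not cover legacy .xls encryption; `build_sample` and its stream names are constructed test input, not the sample from the diary.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF

def ole_entry_names(data):
    """Directory entry names of an OLE file (FAT located via the header DIFAT only)."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]   # 512 (v3) or 4096 (v4)
    if size not in (512, 4096):
        raise ValueError("unexpected sector size")
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    fat = []
    for n in struct.unpack_from("<109I", data, 0x4C):     # FAT sector numbers
        if n != FREESECT:
            s = sector(n)
            fat += struct.unpack("<%dI" % (len(s) // 4), s[:len(s) // 4 * 4])
    names, seen = [], set()
    n = struct.unpack_from("<I", data, 0x30)[0]           # first directory sector
    while n < len(fat) and n not in seen:                 # 'seen' stops looping chains
        seen.add(n)
        s = sector(n)
        for off in range(0, len(s) - 127, 128):           # 128-byte directory entries
            name_len, obj_type = struct.unpack_from("<HB", s, off + 0x40)
            if obj_type and 2 <= name_len <= 64:
                names.append(s[off:off + name_len - 2].decode("utf-16-le", "replace"))
        n = fat[n]
    return names

def is_encrypted_ooxml(data):
    """True when both streams of an encrypted OOXML package are present."""
    return {"EncryptionInfo", "EncryptedPackage"} <= set(ole_entry_names(data))

def build_sample(stream_names):
    """Constructed test input: header + one FAT sector + one directory sector."""
    hdr = OLE_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
    hdr += struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    directory = b""
    for kind, name in [(5, "Root Entry")] + [(2, s) for s in stream_names]:
        raw = (name + "\0").encode("utf-16-le")
        directory += raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + bytes(61)
    return hdr + fat + directory.ljust(512, b"\0")

if __name__ == "__main__":
    for streams in (["EncryptionInfo", "EncryptedPackage"], ["Workbook"]):
        print(streams, "->", is_encrypted_ooxml(build_sample(streams)))
```

A file flagged this way that still opens in Excel without a prompt is a candidate for the default-password check with msoffcrypto-crack.py.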