SANS ISC: "VelvetSweatshop" Maldocs - SANS Internet Storm Center
"VelvetSweatshop" Maldocs

Encrypted Excel documents can be opened without entering a password, provided the password is "VelvetSweatshop".

There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.

Looking at encrypted Office documents with, you'll see the following streams:

If it's encrypted with a common password, you can use to recover the password:

And then you can save the decrypted Office document. Here I'm piping it again into
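The stream listing above is what gives an encrypted OOXML document away: the .xlsx payload is wrapped in an OLE compound file whose directory holds an "EncryptionInfo" stream and an "EncryptedPackage" stream. The following is an added example, not code from this diary or from the tools it references: a minimal compound-file directory walker that lists the streams and flags that pair, run against a constructed sample container built in the same block (no real maldoc is embedded). Stream names, sizes and the builder function are assumptions made for the demonstration.

```python
import struct

# Compound File Binary (CFB / OLE2) constants from the MS-CFB specification.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
STREAM, ROOT = 2, 5
ENCRYPTED_OOXML_STREAMS = {"EncryptionInfo", "EncryptedPackage"}


def list_streams(data: bytes):
    """Return (name, object_type, size) for every allocated directory entry."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    # The header's DIFAT names the FAT sectors; concatenate them into one table.
    fat = []
    for fat_sec in struct.unpack_from("<109I", data, 0x4C):
        if fat_sec == FREESECT:
            break
        off = (fat_sec + 1) * sector_size          # sector 0 starts after the header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    entries, sec = [], first_dir
    while sec < 0xFFFFFFFA:                        # follow the directory chain
        off = (sec + 1) * sector_size
        for i in range(sector_size // 128):        # 128-byte directory entries
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 0x40)[0]  # bytes incl. NUL
            obj_type = entry[0x42]
            if obj_type == 0 or name_len < 2:
                continue                           # unallocated slot
            name = entry[:name_len - 2].decode("utf-16-le")
            size = struct.unpack_from("<Q", entry, 0x78)[0] & 0xFFFFFFFF  # v3: low 32 bits
            entries.append((name, obj_type, size))
        sec = fat[sec]
    return entries


def is_encrypted_ooxml(data: bytes) -> bool:
    """True when the container carries the stream pair used by Office encryption."""
    names = {name for name, obj_type, _ in list_streams(data) if obj_type == STREAM}
    return ENCRYPTED_OOXML_STREAMS <= names


# --- constructed sample input (hypothetical; not a real document) -------------
def _dir_entry(name, obj_type, start, size, child=FREESECT):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<H", e, 0x40, len(raw))
    e[0x42], e[0x43] = obj_type, 1                 # type, colour = black
    struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)  # siblings, child
    struct.pack_into("<I", e, 0x74, start)
    struct.pack_into("<Q", e, 0x78, size)
    return bytes(e)


def build_sample_container(stream_names):
    """Build a tiny CFB file: header, one FAT sector, one directory sector, data."""
    assert len(stream_names) <= 3                  # one directory sector holds 4 entries
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<I", header, 0x2C, 1)        # one FAT sector
    struct.pack_into("<I", header, 0x30, 1)        # directory starts at sector 1
    struct.pack_into("<I", header, 0x38, 0x1000)   # mini-stream cutoff
    struct.pack_into("<II", header, 0x3C, ENDOFCHAIN, 0)  # no mini FAT
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)  # no extra DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    n = len(stream_names)
    fat = [FATSECT, ENDOFCHAIN] + [ENDOFCHAIN] * n + [FREESECT] * (126 - n)
    directory = _dir_entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1)
    for i, name in enumerate(stream_names):        # each stream owns one data sector
        directory += _dir_entry(name, STREAM, 2 + i, 512)
    directory += bytes(128 * (3 - n))
    return bytes(header) + struct.pack("<128I", *fat) + directory + bytes(512 * n)


if __name__ == "__main__":
    sample = build_sample_container(["EncryptionInfo", "EncryptedPackage"])
    for name, obj_type, size in list_streams(sample):
        print(f"{name:<20} type={obj_type} size={size}")
    print("encrypted OOXML container:", is_encrypted_ooxml(sample))
```

The walker only reads the directory, so it works on a sample that carries no actual ciphertext; on a real file the same check tells you whether it is worth trying the "VelvetSweatshop" default before any other password. Decryption itself still needs an implementation of the Office encryption scheme, for example a library such as msoffcrypto-tool, which is what the diary's cracking step relies on.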

In a coming diary, I'll analyze the shellcode in this document.

Didier Stevens
Senior handler
Microsoft MVP

ISC Handler
Mar 23rd 2019