"VelvetSweatshop" Maldocs

Excel silently tries the password "VelvetSweatshop" when it opens an encrypted workbook, so a document encrypted with that password opens without any password prompt. For an attacker that is the best of both worlds: the file is encrypted at rest, which hides the payload from scanners that don't try this password, yet the victim is never asked for anything.

There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.

Looking at an encrypted Office document with oledump.py, you'll see the following streams:

If it is encrypted with a common password, you can use msoffcrypto-crack.py (a small tool built on the msoffcrypto-tool Python module; its built-in password list includes VelvetSweatshop) to recover the password:

You can then save the decrypted Office document. Here I'm piping it straight back into oledump.py:
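To make the triage step concrete, here is an added example (my own code, not Didier's and not part of the diary or his tool set) that does in pure Python what you do by eye in the oledump.py listing: it walks the OLE2/CFB directory and reports whether a file is an encrypted OOXML document (the EncryptionInfo and EncryptedPackage streams you see for an encrypted .xlsx/.docx), an encrypted legacy .xls (a FILEPASS record at the start of the Workbook stream, which a plain stream listing does not reveal), or neither. It does not decrypt anything; that is what msoffcrypto-crack.py is for. The three sample files at the bottom are constructed by the script itself and are not the diary's sample; their BOF and FILEPASS field values are placeholders.

```python
import struct
# CFB sector sentinels and directory entry types (MS-CFB); BIFF record ids (MS-XLS).
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
STREAM, ROOT = 2, 5
BOF, EOF_REC, FILEPASS = 0x0809, 0x000A, 0x002F  # FILEPASS only occurs in an encrypted Workbook stream
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

def _sector(data, size, n):  # sector 0 starts right after the 512-byte header
    return data[512 + n * size:512 + (n + 1) * size]

def _chain(fat, start):  # follow a FAT chain; sentinels are far above any real sector number
    out, s = [], start
    while s < len(fat) and len(out) < len(fat):  # second test bounds a malformed, looping chain
        out.append(s)
        s = fat[s]
    return out

def parse_cfb(data):
    """{stream name: bytes} for a CFB v3 file. Contents are read only for streams in regular sectors
    (size >= mini stream cutoff), names for all; the FAT must fit the header DIFAT (109 sectors, ~7 MB)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2/CFB file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    _, _, first_dir, _, cutoff = struct.unpack_from("<5I", data, 40)
    fat = []
    for fs in struct.unpack_from("<109I", data, 76):
        if fs == FREESECT:
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), _sector(data, size, fs)))
    streams = {}
    for ds in _chain(fat, first_dir):
        sec = _sector(data, size, ds)
        for i in range(size // 128):
            e = sec[i * 128:(i + 1) * 128]
            name_len, typ = struct.unpack_from("<HB", e, 64)
            if typ != STREAM or name_len < 2:
                continue
            name = e[:name_len - 2].decode("utf-16-le")  # name_len includes the UTF-16 terminator
            start, length = struct.unpack_from("<II", e, 116)
            # only regular-sector streams are read; smaller ones live in the mini stream
            body = b"".join(_sector(data, size, s) for s in _chain(fat, start))[:length] if length >= cutoff else b""
            streams[name] = body
    return streams

def has_filepass(workbook):
    """Walk BIFF records from the start of a Workbook stream: True if FILEPASS comes before EOF."""
    pos = 0
    while pos + 4 <= len(workbook):
        rid, rlen = struct.unpack_from("<HH", workbook, pos)
        if rid == FILEPASS:
            return True
        if rid == EOF_REC:
            return False
        pos += 4 + rlen
    return False

def classify(data):
    """'ooxml-encrypted' (EncryptionInfo + EncryptedPackage), 'xls-encrypted' (FILEPASS), or 'plain'."""
    streams = parse_cfb(data)
    if "EncryptionInfo" in streams and "EncryptedPackage" in streams:
        return "ooxml-encrypted"
    if "Workbook" in streams and has_filepass(streams["Workbook"]):
        return "xls-encrypted"
    return "plain"

# ---- constructed sample files: test scaffolding only, not real documents ----
def _entry(name, typ, start, length, child=NOSTREAM):
    e = bytearray(name.encode("utf-16-le").ljust(64, b"\0") + bytes(64))
    struct.pack_into("<HBBIII", e, 64, 2 * len(name) + 2, typ, 1, NOSTREAM, NOSTREAM, child)  # no sibling tree
    struct.pack_into("<IQ", e, 116, start, length)
    return bytes(e)

def build_cfb(streams):
    """Minimal CFB v3: sector 0 = FAT, sector 1 = directory, then each stream padded to 4096 bytes
    so it lives in regular sectors (no mini stream; at most 3 streams per directory sector)."""
    fat, entries, payload, nxt = [FATSECT, ENDOFCHAIN], [], b"", 2
    for name, body in streams.items():
        body = body.ljust(4096, b"\0")
        n = len(body) // 512
        fat += list(range(nxt + 1, nxt + n)) + [ENDOFCHAIN]
        entries.append(_entry(name, STREAM, nxt, len(body)))
        payload += body
        nxt += n
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3.62, little-endian, 512/64-byte sectors
    struct.pack_into("<8I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)  # directory at sector 1
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # header DIFAT: the FAT is sector 0
    fat_sec = struct.pack("<128I", *(fat + [FREESECT] * (128 - len(fat))))
    dir_sec = (_entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1) + b"".join(entries)).ljust(512, b"\0")
    return bytes(hdr) + fat_sec + dir_sec + payload

def biff_rec(rid, body):  # one BIFF record: id, length, data
    return struct.pack("<HH", rid, len(body)) + body

BOF_RECORD = biff_rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))  # BIFF8 globals BOF, placeholder fields
SAMPLE_OOXML_ENCRYPTED = build_cfb({"EncryptionInfo": b"\x04\x00\x04\x00<encryption/>", "EncryptedPackage": bytes(24)})
SAMPLE_XLS_ENCRYPTED = build_cfb({"Workbook": BOF_RECORD + biff_rec(FILEPASS, b"\x01\x00" + bytes(52)) + biff_rec(EOF_REC, b"")})
SAMPLE_XLS_PLAIN = build_cfb({"Workbook": BOF_RECORD + biff_rec(EOF_REC, b"")})
```

For a real file, call classify(open(path, "rb").read()); the result tells you whether to reach for msoffcrypto-crack.py before looking for VBA or shellcode. Once you know the password, the msoffcrypto-tool library that msoffcrypto-crack.py builds on decrypts with OfficeFile(f).load_key(password="VelvetSweatshop") followed by .decrypt(out). The parser deliberately stops at the header DIFAT and ignores the mini stream, which is enough for this check: the two OOXML stream names are visible in the directory regardless of where their data lives, and a real Workbook stream is always larger than the mini stream cutoff.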

In a coming diary, I'll analyze the shellcode in this document.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Mar 23rd 2019
