Encrypted Excel documents can be opened without entering a password, provided the password is “VelvetSweatshop”.
There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.
Looking at an encrypted Office document with oledump.py, you’ll see the following streams:
If it’s encrypted with a common password, you can use msoffcrypto-crack.py to recover the password:
And then you can save the decrypted Office document. Here I’m piping it again into oledump.py:
In a coming diary, I’ll analyze the shellcode in this document.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.