
SANS ISC: "VelvetSweatshop" Maldocs - Internet Security | DShield SANS ISC InfoSec Forums


"VelvetSweatshop" Maldocs

Encrypted Excel documents can be opened without the user entering a password, provided the password is "VelvetSweatshop": Excel silently tries this default password when it opens an encrypted workbook. That makes it attractive for maldocs, because the file content is encrypted on disk (and thus opaque to scanners that don't know the password), while the victim is never prompted for anything.

There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.

Looking at an encrypted Office document with oledump.py, you'll see the following streams:

If it's encrypted with a common password, you can use msoffcrypto-crack.py to recover the password:

And then you can save the decrypted Office document. Here I'm piping it again into oledump.py:
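The following is an added example, not code from the diary or from the msoffcrypto tools, that shows what a tool such as msoffcrypto-crack.py has to do under the hood when it tries "VelvetSweatshop" before anything else: derive a key from a candidate password and check it against the document's password verifier. It implements the RC4 CryptoAPI scheme described in MS-OFFCRYPTO (key derivation in section 2.3.5.2, password verification in section 2.3.5.6), which is the one used by encrypted binary .xls files; OOXML "standard" and "agile" encryption use AES with different key derivation and are not reproduced here. The salt and verifier bytes are constructed fixtures, not taken from the diary's sample, and `make_verifier` is a helper added only to build those fixtures.

```python
import hashlib

DEFAULT_PASSWORD = "VelvetSweatshop"  # the password Excel tries silently on open


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str, salt: bytes, key_bits: int = 128, block: int = 0) -> bytes:
    """MS-OFFCRYPTO 2.3.5.2: H0 = SHA1(salt || UTF-16LE(password)),
    Hfinal = SHA1(H0 || block number as 32-bit LE), key = Hfinal truncated to KeySize/8."""
    h0 = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    hfinal = hashlib.sha1(h0 + block.to_bytes(4, "little")).digest()
    if key_bits == 40:
        return hfinal[:5] + b"\x00" * 11  # 40-bit keys are zero-padded to 16 bytes
    return hfinal[: key_bits // 8]


def verify_password(password: str, salt: bytes, enc_verifier: bytes,
                    enc_verifier_hash: bytes, key_bits: int = 128) -> bool:
    """MS-OFFCRYPTO 2.3.5.6: decrypt EncryptedVerifier (16 bytes) and
    EncryptedVerifierHash (20 bytes) with ONE RC4 keystream (block 0);
    the password is correct iff SHA1(verifier) == verifier hash."""
    key = derive_key(password, salt, key_bits)
    plain = rc4(key, enc_verifier + enc_verifier_hash)  # verifier first, then hash
    verifier, verifier_hash = plain[:16], plain[16:36]
    return hashlib.sha1(verifier).digest() == verifier_hash


def crack(salt: bytes, enc_verifier: bytes, enc_verifier_hash: bytes,
          wordlist, key_bits: int = 128):
    """Try the Excel default first, then the wordlist. Returns the password or None."""
    for candidate in [DEFAULT_PASSWORD, *wordlist]:
        if verify_password(candidate, salt, enc_verifier, enc_verifier_hash, key_bits):
            return candidate
    return None


def make_verifier(password: str, salt: bytes, verifier: bytes, key_bits: int = 128):
    """Fixture helper (added here, not part of any tool): produce the
    EncryptedVerifier / EncryptedVerifierHash pair a writer would store."""
    key = derive_key(password, salt, key_bits)
    enc = rc4(key, verifier + hashlib.sha1(verifier).digest())
    return enc[:16], enc[16:]


# Constructed sample values; they do not come from a real document.
SAMPLE_SALT = bytes(range(16))
SAMPLE_VERIFIER = b"\xa5" * 16
SAMPLE_ENC_VERIFIER, SAMPLE_ENC_VERIFIER_HASH = make_verifier(
    DEFAULT_PASSWORD, SAMPLE_SALT, SAMPLE_VERIFIER)

if __name__ == "__main__":
    # A document "protected" with the default password falls on the very first try.
    print(crack(SAMPLE_SALT, SAMPLE_ENC_VERIFIER, SAMPLE_ENC_VERIFIER_HASH,
                ["password", "123456"]))
```

In a real .xls the salt, EncryptedVerifier and EncryptedVerifierHash come from the FilePass record in the Workbook stream (for RC4 CryptoAPI, the hash algorithm is SHA-1 and the key size is read from the record); everything after that is the check above. If the default password verifies, the document opens in Excel with no prompt at all, which is exactly why these maldocs use it.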

In a coming diary, I'll analyze the shellcode in this document.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
