SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center
"VelvetSweatshop" Maldocs

Published: 2019-03-23
Last Updated: 2019-03-23 22:53:09 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Encrypted Excel documents can be opened without entering a password, provided the password is "VelvetSweatshop".

There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.

Looking at an encrypted Office document with, you'll see the following streams:

If it's encrypted with a common password, you can use to recover the password:

And then you can save the decrypted Office document. Here I'm piping it again into
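To make the procedure above concrete, here is an added triage helper (my own example code, not a tool from the diary): it inspects the stream names of an OLE container for the encryption streams, tries the default "VelvetSweatshop" password, and confirms a candidate password by checking that the decrypted bytes start with a ZIP or OLE magic rather than trusting the library's return code. It assumes the third-party packages `olefile` and `msoffcrypto-tool` (import name `msoffcrypto`) are installed; both are imported lazily so the pure checks run without them.

```python
"""Triage helper for Office documents encrypted with a default password.

Added example, not code from the diary. Assumes the third-party packages
`olefile` and `msoffcrypto-tool` (import name msoffcrypto); they are only
imported when an actual file is processed.
"""
import io

# Excel opens a document silently when it is encrypted with this password,
# which is why maldoc authors use it: try it before anything else.
DEFAULT_PASSWORDS = ["VelvetSweatshop"]

# Streams present when an OLE container wraps an encrypted OOXML package.
ENCRYPTION_STREAMS = {"EncryptionInfo", "EncryptedPackage"}

ZIP_MAGIC = b"PK\x03\x04"                       # decrypted OOXML package
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # decrypted legacy binary doc


def looks_encrypted(stream_names):
    """True when the stream list shows an encrypted OOXML container."""
    leaf_names = {name.split("/")[-1] for name in stream_names}
    return ENCRYPTION_STREAMS <= leaf_names


def is_office_package(data):
    """True when the bytes start like a plaintext Office document."""
    return data.startswith(ZIP_MAGIC) or data.startswith(OLE_MAGIC)


def list_streams(path):
    """Return 'storage/stream' names of an OLE file (needs olefile)."""
    import olefile  # assumed third-party dependency
    with olefile.OleFileIO(path) as ole:
        return ["/".join(entry) for entry in ole.listdir(streams=True, storages=False)]


def try_decrypt(path, passwords=DEFAULT_PASSWORDS):
    """Try each password; return (password, plaintext) or None.

    The plaintext is accepted only if it carries an Office magic, so a wrong
    password that the library silently accepts is still rejected.
    """
    import msoffcrypto  # assumed third-party dependency
    for password in passwords:
        with open(path, "rb") as handle:
            office = msoffcrypto.OfficeFile(handle)
            office.load_key(password=password)
            out = io.BytesIO()
            try:
                office.decrypt(out)
            except Exception:  # wrong key or unsupported scheme
                continue
            if is_office_package(out.getvalue()):
                return password, out.getvalue()
    return None
```

Run `try_decrypt("sample.bin")` on a suspected maldoc and write the returned bytes to disk before handing them to your usual stream and macro analysis.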

In a coming diary, I'll analyze the shellcode in this document.

Didier Stevens
Senior handler
Microsoft MVP
