Encrypted Maldoc, Wrong Password
Last Updated: 2019-09-30 18:36:08 UTC
by Didier Stevens (Version: 1)
Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.
But that wasn't the correct password. Luckily, Chad found and shared the correct password with us: petrofac.
The good news is that the recipient won't be able to open the document, and might even call the helpdesk. The user's machine won't get infected, and the SOC might get alerted indirectly by the user.
However, as an analyst, you want to be able to analyze the document to recover IOCs and check the logs for signs of compromise (other maldocs, with a valid password and using the same IOCs, might have passed the company's defenses).
You can quickly crack the password with John the Ripper or Hashcat, but there are corporations where such tools are prohibited, even for the blue teams.
Some time ago, I created a Python tool to help with encrypted Office maldocs: msoffcrypto-crack.py. This maldoc inspired me to make a small change to my tool: add an optional rule to perform case toggling when working through a password list.
For this sample, using option -r and providing a password list including PETROFAC, my tool will test PETROFAC and petrofac. There's also an option to provide the email body to extract potential passwords.
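The candidate generation described above, as an added Python sketch that is not code from msoffcrypto-crack.py. It assumes that case toggling means trying a word as given plus its swapped, lower and upper case forms, and that email tokens are split on whitespace; the function names, the sample email body and the stand-in check are constructed for illustration, and check is where a real decryption attempt against the document would go.

```python
import re

def toggle_case(word):
    """Yield the word as given, then its case variants, skipping duplicates."""
    seen = set()
    for variant in (word, word.swapcase(), word.lower(), word.upper()):
        if variant not in seen:
            seen.add(variant)
            yield variant

def candidates_from_text(text):
    """Yield unique tokens from an email body, raw and with punctuation stripped."""
    seen = set()
    for token in re.findall(r"\S+", text):
        for cand in (token, token.strip(".,;:!?\"'()[]<>")):
            if cand and cand not in seen:
                seen.add(cand)
                yield cand

def find_password(words, check, toggle=True):
    """Return the first candidate accepted by check(password), or None.

    check is a caller-supplied callable that returns True when the
    password decrypts the document (assumption: provided by the analyst).
    """
    tried = set()
    for word in words:
        variants = toggle_case(word) if toggle else (word,)
        for cand in variants:
            if cand in tried:
                continue
            tried.add(cand)
            if check(cand):
                return cand
    return None

# Constructed email body, modeled on the case in this diary entry.
SAMPLE_BODY = "Please find the invoice attached. Password: PETROFAC."

def demo_check(password):
    """Constructed stand-in for a real decryption attempt."""
    return password == "petrofac"

if __name__ == "__main__":
    words = list(candidates_from_text(SAMPLE_BODY))
    print("without toggling:", find_password(words, demo_check, toggle=False))
    print("with toggling:   ", find_password(words, demo_check))
```
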