In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords. I created a new version of my plugin plugin_biff that attempts to recover protection passwords with a dictionary attack. Here I use it with Brad's malicious spreadsheet sample: It's not possible to determine if the recovered passwords (piano1 and 1qaz2wsx) are the actual passwords used by the malicious actors, or if they are the result of hash collisions (it's only a 32-bit hash). But they do work: you can remove the protections by using these passwords.
Didier Stevens |
DidierStevens 650 Posts ISC Handler Feb 28th 2021 |
Thread locked Subscribe |
Feb 28th 2021 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!