
Analyzing Malicious Document Help


DrDisexon

Question

Hi Everyone, I have tried analyzing this malicious document https://bazaar.abuse.ch/sample/4bbd1fff32b30b86b1f549be8ca06d565ebaa82c0d19f0df4897fdb0855ba7d5/

I have tried changing DPB to DPx and tried hooking modules, basically following this article: https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project But for some reason I can't seem to remove the password protection to view the macro. Am I missing something? Can someone please help me?

Edited by drdisexon
inserting link

6 answers to this question


First thing I noticed is that the guide says it is tested and works on:
Excel 2007
Excel 2010
Excel 2013 - 32 bit version
Excel 2016 - 32 bit version
---
Are you running the document on a different version?

4 minutes ago, ChickenKing said:

First thing I noticed is that the guide says it is tested and works on:
Excel 2007
Excel 2010
Excel 2013 - 32 bit version
Excel 2016 - 32 bit version
---
Are you running the document on a different version?

No, I'm running Excel 2007


Hm, yeah, I'm not sure. I ran this in my sandbox and I couldn't get it to work. I'll plug away at it for a bit longer to see if I can find anything, but I'm not having any luck so far. I'm pretty familiar with Excel macros and maldocs, so I'm not sure why this isn't working. At a glance it looks like it SHOULD work, but it isn't. Sorry!

7 minutes ago, ChickenKing said:

Hm, yeah, I'm not sure. I ran this in my sandbox and I couldn't get it to work. I'll plug away at it for a bit longer to see if I can find anything, but I'm not having any luck so far. I'm pretty familiar with Excel macros and maldocs, so I'm not sure why this isn't working. At a glance it looks like it SHOULD work, but it isn't. Sorry!

The first password I see is VelvetSweatshop, and then for some reason it doesn't do a thing. And MalwareBazaar shows that it is exploiting CVE-2017-11882, but I'm having a hard time finding the macros 😅

Just now, DrDisexon said:

The first password I see is VelvetSweatshop, and then for some reason it doesn't do a thing. And MalwareBazaar shows that it is exploiting CVE-2017-11882, but I'm having a hard time finding the macros 😅

I was able to run the modules but never even got a password, so you did better than me! Luckily, it seems like the malware only works on ancient versions of Excel anyways. It didn't detonate in a Win10 sandbox lol.

8 minutes ago, ChickenKing said:

I was able to run the modules but never even got a password, so you did better than me! Luckily, it seems like the malware only works on ancient versions of Excel anyways. It didn't detonate in a Win10 sandbox lol.

It didn't work for me either, but I ran the tool msoffcrypto-crack and found the password, which is the default password of MS Office, but I don't even know whether the password works or not; I tried it in sheet 2 and it didn't show any error. Viewing the macro shows it doesn't contain anything, and for sheet 3 I can't bypass the password protection. Btw, this is the fresh sample I downloaded yesterday. No idea what is going on.

Edited by DrDisexon
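
A triage check relevant to the thread above, as an added example that is not from any poster: CVE-2017-11882 is a flaw in Microsoft Equation Editor that is reached through an embedded OLE object rather than through VBA, so this walks an OLE2 container's directory and reports whether it holds an encryption wrapper (EncryptionInfo/EncryptedPackage), a VBA storage, or an Equation Editor object. The function names are hypothetical, the input is assumed to be an OLE2 compound file (raw or already decrypted), and the sample bytes come from the constructed `build_sample` helper, not from the linked sample.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MAXREGSECT, ENDOFCHAIN = 0xFFFFFFFA, 0xFFFFFFFE
# Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, on-disk byte order
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

def list_entries(data):
    """Return (name, type, clsid) for each directory entry of an OLE2/CFB file."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    def sector(n):  # sector n follows the header; short reads are padded as free
        return data[(n + 1) * size:(n + 2) * size].ljust(size, b"\xff")
    fat = []  # FAT built from the 109 DIFAT slots in the header (enough for small files)
    for s in struct.unpack_from("<109I", data, 76):
        if s <= MAXREGSECT:
            fat += struct.unpack("<%dI" % (size // 4), sector(s))
    entries, seen = [], set()
    n = struct.unpack_from("<I", data, 48)[0]  # first directory sector
    while n <= MAXREGSECT and n not in seen:   # 'seen' stops looped sector chains
        seen.add(n)
        sec = sector(n)
        for e in (sec[o:o + 128] for o in range(0, size, 128)):
            name_len = struct.unpack_from("<H", e, 64)[0]
            if e[66] in (1, 2, 5) and 2 <= name_len <= 64:  # storage, stream, root
                entries.append((e[:name_len - 2].decode("utf-16-le", "replace"), e[66], e[80:96]))
        n = fat[n] if n < len(fat) else ENDOFCHAIN
    return entries

def triage(data):
    """Flag an encryption wrapper, a VBA storage, and an Equation Editor object."""
    entries = list_entries(data)
    names = {name.lstrip("\x01").lower() for name, _, _ in entries}
    return {
        "encrypted_package": {"encryptioninfo", "encryptedpackage"} <= names,
        "vba_storage": any(n.lower() == "vba" and t == 1 for n, t, _ in entries),
        "equation_object": "equation native" in names or any(c == EQUATION_CLSID for _, _, c in entries),
    }

def build_sample(items):
    """Constructed input: minimal CFB, FAT in sector 0, directory in sector 1 (max 4 entries)."""
    hdr = struct.pack("<8s16x4H12x2I24xI", CFB_MAGIC, 0x3E, 3, 0xFFFE, 9, 1, 1, 0) + b"\xff" * 432
    fat = struct.pack("<II", 0xFFFFFFFD, ENDOFCHAIN).ljust(512, b"\xff")
    directory = b""
    for name, etype, clsid in items:
        raw = (name + "\0").encode("utf-16-le")
        directory += struct.pack("<64sHB13x16s32x", raw, len(raw), etype, clsid)
    return hdr + fat + directory.ljust(512, b"\0")
```

If `encrypted_package` is true, the inner document has to be decrypted before the other two flags mean anything; a result with `equation_object` true and `vba_storage` false indicates there is no macro project to unlock.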