DrDisexon (Posted November 9, 2022, edited):

Hi Everyone, I have tried analyzing this malicious document https://bazaar.abuse.ch/sample/4bbd1fff32b30b86b1f549be8ca06d565ebaa82c0d19f0df4897fdb0855ba7d5/

I have tried changing DPB to DPx and tried hooking modules, basically following this article: https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project But for some reason I can't seem to remove the password protection to view the macro. Am I missing something? Can someone please help me?

ChickenKing (Posted November 9, 2022):

First thing I noticed is that the guide says it is tested and works on:

- Excel 2007
- Excel 2010
- Excel 2013 - 32 bit version
- Excel 2016 - 32 bit version

Are you running the document on a different version?

DrDisexon (Posted November 9, 2022):

> ChickenKing said: First thing I noticed is that the guide says it is tested and works on: Excel 2007, Excel 2010, Excel 2013 - 32 bit version, Excel 2016 - 32 bit version. Are you running the document on a different version?

No, I'm running Excel 2007.

ChickenKing (Posted November 9, 2022):

Hm, yeah, I'm not sure. I ran this in my sandbox and I couldn't get it to work. I'll plug away at it for a bit longer to see if I can find anything, but I'm not having any luck so far. I'm pretty familiar with Excel macros and maldocs, so I'm not sure why this isn't working. At a glance it looks like it SHOULD work, but it isn't. Sorry!

DrDisexon (Posted November 9, 2022):

> ChickenKing said: Hm, yeah, I'm not sure. I ran this in my sandbox and I couldn't get it to work. I'll plug away at it for a bit longer to see if I can find anything, but I'm not having any luck so far. I'm pretty familiar with Excel macros and maldocs, so I'm not sure why this isn't working. At a glance it looks like it SHOULD work, but it isn't. Sorry!

The first password I see is VelvetSweatshop, and then for some reason it doesn't do a thing. And MalwareBazaar shows that it is exploiting CVE-2017-11882, but I'm having a hard time finding the macros 😅

ChickenKing (Posted November 9, 2022):

> DrDisexon said: The first password I see is VelvetSweatshop, and then for some reason it doesn't do a thing. And MalwareBazaar shows that it is exploiting CVE-2017-11882, but I'm having a hard time finding the macros 😅

I was able to run the modules but never even got a password, so you did better than me! Luckily this seems like the malware only works on ancient versions of Excel anyway. It didn't detonate in a Win10 sandbox lol.

DrDisexon (Posted November 9, 2022, edited):

> ChickenKing said: I was able to run the modules but never even got a password, so you did better than me! Luckily this seems like the malware only works on ancient versions of Excel anyway. It didn't detonate in a Win10 sandbox lol.

It didn't work for me either, but I ran the tool msoffcrypto-crack and then found the password, which is the default password of MS Office. But I don't even know whether the password works or not; I tried it in sheet 2 and it didn't show any error. Viewing the macro doesn't show anything, and for sheet 3 I can't bypass the password protection. Btw, this is a fresh sample I downloaded yesterday. No idea what is going on.
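For readers triaging a similar sample, an added example that is not part of any post in this thread: CVE-2017-11882 is a memory-corruption bug in the Office Equation Editor, so a document exploiting it does not need a VBA project at all. The standard-library sketch below lists the entries of an OLE compound file and reports whether it is an encrypted package, holds a VBA storage, or holds an `Equation Native` stream; it assumes the file is an OLE container, and the function names and stream-name heuristics are this example's own.

```python
import struct
import sys

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature

def list_entries(data):
    """Return the names of all storages and streams in an OLE compound file."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]      # sector size
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)

    def sector(n):
        return data[(n + 1) * size:(n + 2) * size]

    # The header DIFAT lists the first 109 FAT sectors (enough for small files).
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))

    names, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:    # follow the directory chain
        seen.add(sec)
        block = sector(sec)
        for off in range(0, len(block) - 127, 128):
            nlen, etype = struct.unpack_from("<HB", block, off + 0x40)
            if etype in (1, 2, 5) and 2 <= nlen <= 64:  # storage, stream, root
                raw = block[off:off + nlen - 2]
                names.append(raw.decode("utf-16-le", "replace"))
        sec = fat[sec]                           # end-of-chain marker ends loop
    return names

def triage(data):
    """Heuristic flags based only on directory entry names."""
    names = set(list_entries(data))
    return {
        # Encrypted OOXML: real content is hidden until the package is decrypted.
        "encrypted_package": {"EncryptionInfo", "EncryptedPackage"} <= names,
        # Macro-bearing legacy documents carry a storage named "VBA".
        "vba_project": "VBA" in names,
        # Equation Editor 3.0 objects keep their data in this stream.
        "equation_native": "Equation Native" in names,
    }

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

If `encrypted_package` is true, the inner document has to be decrypted (for example with the default password the thread mentions) and the check repeated on the result before concluding anything about macros or embedded objects.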