Hello, I'm Didier Stevens, a senior handler with the Internet Storm Center. Recently I analyzed a reader-submitted malicious document that was encrypted, and I used one of my new tools, a convenience tool, to recover the password of the encrypted document if you don't have it, so that you can analyze that encrypted document. I'm going to show you this here in this video. The tool is called msoffcrypto-crack; msoffcrypto is the Python module that I use that supports crypto for Microsoft Office, and it has several options.

With oledump, let's first look at our encrypted malicious document. You get a stream EncryptedPackage, which actually contains the encrypted document, and EncryptionInfo, which contains information about the type of encryption that was used. If you see this, you know you are dealing with an encrypted document, and so you cannot immediately see the macros in here: you first have to decrypt it, and then you can look for the macros. I also have a plugin, plugin_office_crypto, that gives you a bit more information about the encryption that is being used. Here it is version 3.2, which is standard encryption; the latest one being used is, for example, 4.4, agile encryption.

So I'm going to use my tool msoffcrypto-crack on cryptid here, and after a second or two it has found the password. That's because this malicious document (it's a real malicious document) is encrypted with the simple password 1234, and msoffcrypto-crack has a built-in list of popular passwords that I took from John the Ripper, and 1234 is one of them. Now we know the password, and we can run the tool again and tell it to decrypt the document and write it to disk: so not only find the password, but also decrypt it.
I could for example say -o doc.vir to write it to disk, but as you may know I like to pipe output into other tools, so I'm going to say output to dash (-o -), which instructs msoffcrypto-crack to write the document to standard output, and then I can pipe this into oledump, like this, and now I can see the macros. So it's in A3, and here you have the macro with the URL. That analysis was quick: the macro is not obfuscated, and we can just use the convenience tool msoffcrypto-crack to quickly recover the password if we don't know it.

Like I said, it works with a built-in list. You can also provide your own password list with option -p. Here I have the rockyou list, and as you can see it is gzip compressed, so you can pass it a text file of passwords, but you can also have it gzip compressed and the tool will decompress it for you. Let's run this. This will at first take some time: it is reading the password list and decompressing it in memory. OK, so it has already tested the first 100 passwords, and you can see it will take quite some time. This is more than 10 days that it will need to try all those passwords, so this illustrates that this is indeed a convenience tool. It helps you if it is a popular password, but if it is a rather obscure password and you want to use the rockyou list, then it will take a long time, and you are far better off using John the Ripper or hashcat. So let me interrupt this.

What will often happen with this kind of malicious encrypted document is that you will receive it via mail. Well, actually, a user in your organization will receive it via email, with the document attached, and the password will be mentioned in the email. And it can be the case that you receive the attachment, the document, but that you don't receive the mail, so that you don't know the password. Then you can use my tool.
If you have the email, then you can look for the password and provide it to my tool, or there is also an option where you give it all the text, all the strings that are inside the email, and my tool will extract all the possible passwords and use those. So I run oledump on hiring, which is the email, and here you can see all the streams. What I'm going to do is select all the streams and use option -S (uppercase S). This extracts all the strings, and I write them to strings.txt. Let me grep for password in strings.txt, and you see that inside the mail there is a message that says the password is 1234. What you can do with msoffcrypto-crack is use option -e to extract possible passwords from strings.txt, and then run it on cryptid, and it decrypts it for you because it found that password.

Let me do that again, because you might notice that this is quicker than using the built-in list. See, it's a bit quicker; if I use the built-in list like this, it takes just a bit longer. That's because I have written an algorithm in msoffcrypto-crack so that it looks for the keyword password, or words between double quotes or single quotes, and if it finds those then of course it extracts those words too, but it puts them at the beginning of the list. So here 1234 is at the beginning of the list (it's one of the words in the list), and that's why cracking goes quickly.

And finally, if you have recovered the password and it took you for example 10 seconds, and you don't want to run the tool for 10 seconds each time, then you can provide the password with option -c (c for cracked password): -c 1234, like this, and then it has decrypted the document for you, so I can dump this to standard output and pipe it again into oledump, and here you have your streams with the macros.
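As an added illustration of the candidate-prioritisation idea described above (example code written for this page, not Didier Stevens' msoffcrypto-crack): words that follow the keyword password or sit between quotes go to the front of the list, and the constructed sample text stands in for the strings oledump -S would pull out of the email. The try_decrypt helper is hypothetical and uses the msoffcrypto library's OfficeFile / load_key / decrypt API.

```python
import re

# Constructed sample: the kind of text oledump -S would extract from the e-mail's streams
SAMPLE_STRINGS = """\
Hiring request attached
Please open the attached document.
The password is 1234
Use "Q4-budget" if prompted, or 'letmein'
Regards, HR team
"""

# Priority 1: the word that follows the keyword "password" ("password is X", "password: X")
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:|=)?\s*(\S+)", re.IGNORECASE)
# Priority 2: anything between double or single quotes
QUOTED_RE = re.compile(r"[\"']([^\"']{1,64})[\"']")
# Priority 3: every other whitespace-separated token
TOKEN_RE = re.compile(r"\S+")


def extract_candidates(text):
    """Ordered, de-duplicated candidates: keyword hits, then quoted words, then all tokens."""
    ordered, seen = [], set()

    def add(word):
        word = word.strip(".,;:!?\"'")  # drop trailing punctuation and the quotes themselves
        if word and word not in seen:
            seen.add(word)
            ordered.append(word)

    for m in PASSWORD_RE.finditer(text):
        add(m.group(1))
    for m in QUOTED_RE.finditer(text):
        add(m.group(1))
    for m in TOKEN_RE.finditer(text):
        add(m.group(0))
    return ordered


def try_decrypt(encrypted_path, candidates, output_path):
    """Hypothetical helper: try each candidate with the msoffcrypto library and write
    the decrypted file; returns the working password or None. Needs msoffcrypto-tool."""
    import msoffcrypto
    with open(encrypted_path, "rb") as f:
        office = msoffcrypto.OfficeFile(f)
        for pw in candidates:
            try:
                office.load_key(password=pw)  # raises on a wrong password
                with open(output_path, "wb") as out:
                    office.decrypt(out)
                return pw
            except Exception:
                continue
    return None
```

Feeding the ordered list to try_decrypt reproduces the effect seen in the video: the password quoted in the mail is tried before the generic tokens, so the decrypt succeeds on the first attempt.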