Hello, Didier Stevens here, senior handler at the Internet Storm Center. In this video, I'm going to show you how to use my tools to crack VBA project passwords of malicious documents. So I developed a new plugin for my oledump tool. The plugin is called Plugin VBA Project. And when you give it an Office document with VBA and that VBA project is password protected, then the plugin will detect this, tell you that it is password protected, and also show you the hashes that you can use with John the Ripper or hashcat to crack the password. But if that password to be cracked is in the public domain list of passwords used by John the Ripper, then my plugin will be able to tell you also the password, because I've included that word list in my plugin.

So here it is protected with password 1234 and the plugin has detected this. So I can now, for example, if I want to crack this with hashcat, use this hash. So I can say here hashcat, attack mode 3. So the hash that we are going to use is 110. So the hash that is used for VBA projects is the SHA1 of the password with a salt, and that salt is just four bytes, and that's the salt that you see here. And the password is also represented in multi-byte character set. So if it is just ASCII, then it is represented in ASCII, but if it is more complex, like Unicode here, then it is represented in MBCS. So with this mode 110, the salt is provided in hexadecimal. So you have to use option --hex-salt. I include these two options here in the output to remember them.

And then before I start cracking, I'm going to use a couple of other options here. I don't want the pot file optimized and I'm going to select quiet output so that we only see the crack result. And then I just copy-paste this hash like this. Okay, and here hashcat has cracked the password 1234. You can also have the case that you are trying to crack a VBA project password that is not in that short list, like this. And then you just get the hashes and of course not the password.
So I can do that with John the Ripper here, because the password that I selected, my name, Didier, is in the rockyou password list. So I can do that. Now for John the Ripper, I need to write this hash in the file. I cannot provide the hash directly as a command line argument. I have to write this to a file, and I'm escaping this because of the dollar signs. So demo.hash, and then I can just run John. I'm going to create a pot file here. And the word list that I'm going to use is the rockyou, and then here demo.hash. And as you can see here, it has recovered the password Didier.

If there is no VBA password, then the plugin will tell you that too, like here: no password, and then the VBA project is not password protected.

Now the reason that you would want to crack a VBA project password is just for the fun of it, or maybe that you might think that there is some intel in the name, in the password that was selected by the adversaries. To look at the VBA code itself, you don't need that password at all, because that password is just there to protect the VBA code by the integrated development environment, by the IDE. The code itself is not encoded or encrypted by that password and it's still readable in clear text. If you run my oledump tool directly on this document here, where the VBA code is password protected, you can see the streams. Now if I select stream three and decompress the VBA code, I can just see the VBA code directly. So that password is no hindrance at all to do the analysis. What I'm showing here is if you have some interest in recovering the password for other purposes, then this can be useful.

For your information, that password is stored in the PROJECT stream. That PROJECT stream is a kind of INI file, let me show you, I can dump this like this. So if it is password protected, if the VBA project is password protected, then the ID will be a null GUID, all zeros for that GUID. If you see that, then you know that it is password protected.
And the password hash, so the SHA1 of the password plus salt, that is stored here in that value, DPB. So that contains the hash. This itself is encoded. And my plugin will do the decoding and then show you the hash in the proper format for John the Ripper or for hashcat. If you select a document that is not password protected, so I mean the VBA project is not password protected, then you can see here you have a GUID. This will always change for each document, and you can see that the DPB is much shorter. Now the CMG and GC are also values that are important for the password protection. That means that one of them contains the state and the other one the visibility, and also encoded.
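
The PROJECT stream checks described in the transcript, as an added Python example that is not from the video and is not the plugin's code: it parses a dumped PROJECT stream, flags the null GUID in ID, and reports the length of DPB and the presence of CMG and GC. The sample streams, their hex values and the function names are constructed for illustration, and decoding the stream as latin-1 is an assumption.

```python
import re

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

# Constructed PROJECT stream layout; every hex value below is a made-up placeholder.
TEMPLATE = ('ID="{id}"\r\nDocument=ThisDocument/&H00000000\r\nName="Project"\r\n'
            'CMG="{cmg}"\r\nDPB="{dpb}"\r\nGC="{gc}"\r\n\r\n'
            '[Workspace]\r\nThisDocument=0, 0, 0, 0, C\r\n')
PROTECTED = TEMPLATE.format(id=NULL_GUID, cmg="0A0B0C0D",
                            dpb="1A2B3C4D" * 9, gc="1F2E3D4C").encode("latin-1")
UNPROTECTED = TEMPLATE.format(id="{11111111-2222-3333-4444-555555555555}",
                              cmg="0A0B0C0D", dpb="1A2B3C4D" * 2,
                              gc="1F2E3D4C").encode("latin-1")


def parse_project_stream(data):
    """Return the key=value properties that precede the first [section]."""
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):        # [Host Extender Info], [Workspace], ...
            break
        key, sep, value = line.partition("=")
        if sep:                          # skip blank or malformed lines
            props.setdefault(key, value.strip('"'))
    return props


def triage(data):
    """Summarise the protection-related values of a PROJECT stream."""
    props = parse_project_stream(data)
    dpb = props.get("DPB", "")
    return {
        "id": props.get("ID"),
        "protected": props.get("ID") == NULL_GUID,   # null GUID means protected
        "dpb_hex_chars": len(dpb),                    # longer when a hash is stored
        "dpb_is_hex": bool(re.fullmatch(r"[0-9A-Fa-f]+", dpb)),
        "has_cmg_gc": "CMG" in props and "GC" in props,
    }


if __name__ == "__main__":
    for name, sample in (("protected", PROTECTED), ("unprotected", UNPROTECTED)):
        print(name, triage(sample))
```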