Didier Stevens

Monday 31 December 2018

New Tool: msoffcrypto-crack.py

Filed under: Encryption,maldoc,My Software — Didier Stevens @ 0:00

This is a new tool to recover the password of encrypted MS Office documents. I quickly put together this script to help with the analysis of encrypted, malicious documents.

This tool relies completely on Python module msoffcrypto to decrypt MS Office documents.

Since this is a Python tool based on a Python library, don’t except fast password recovery. This is more a convenience program.

It can recover passwords using a build-in password list, or you can provide your own list via option -p.

The tool can also decrypt the encrypted MS Office document if the password is recovered: used option -o to achieve this. Otherwise, the tool just displays the recovered password.

Like many of my tools, it can take its input from stdin and provide the decrypted document via stdout.

It’s developed with Python 2, and also tested on Python 3.

Read the man page for all the details: option -m.

msoffcrypto-crack_V0_0_1.zip (https)
MD5: F67060E0DE62727A1A69D0FD6F39013A
SHA256: 1466B94B56595BA0B91F0A2606F699E1D737E964F3F1A4DFDF7EAA47843DD063

4 Comments »

  1. […] New Tool: msoffcrypto-crack.py […]

    Pingback by Overview of Content Published in December | Didier Stevens — Tuesday 1 January 2019 @ 0:01

  2. What’s about the standard password “VelvetSweatshop”? Please add it to the list.
    BTW: thanks for sharing your software, it is very usefull!

    Comment by Anonymous — Tuesday 1 January 2019 @ 16:44

  3. Yep, I already have a new version with extra features, and it includes password VelvetSweatshop.

    Comment by Didier Stevens — Tuesday 1 January 2019 @ 19:08

  4. […] this update of msoffcrypto-crack.py, two new options were […]

    Pingback by Update: msoffcrypto-crack.py Version 0.0.2 | Didier Stevens — Monday 7 January 2019 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.