Didier Stevens

Tuesday 31 March 2020

Update: msoffcrypto-crack.py Version 0.0.5

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generate a password dictionary based on the filename of the document.

Option -p allows the user to provide a dictionary file. Use value #f to generate a dictionary based on the filename: This will generate a dictionary of all possible substrings of the filename.
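The substring dictionary described above, as an added example (not code from msoffcrypto-crack.py): the names filename_substrings and find_password, the check callback, and the sample path and password are constructed for illustration. Using the base name including its extension, and ordering candidates by start position, are assumptions.

```python
import os


def filename_substrings(path, min_len=1):
    """Yield every distinct contiguous substring of the file's base name.

    Assumption: the directory part is dropped and the extension is kept.
    A name of n characters gives at most n*(n+1)/2 candidates.
    """
    name = os.path.basename(path)
    seen = set()
    for start in range(len(name)):
        for end in range(start + min_len, len(name) + 1):
            candidate = name[start:end]
            if candidate not in seen:  # repeated characters produce duplicates
                seen.add(candidate)
                yield candidate


def find_password(path, check, min_len=1):
    """Try each filename substring against check(candidate) -> bool.

    check is a hypothetical callback that attempts to decrypt the document
    with the candidate. Returns (password, attempts), or (None, attempts)
    when no substring is accepted.
    """
    attempts = 0
    for candidate in filename_substrings(path, min_len):
        attempts += 1
        if check(candidate):
            return candidate, attempts
    return None, attempts


# Constructed sample: an attachment whose name carries its own password.
SAMPLE_PATH = "/cases/invoice_pw-Spring2020.xlsx"


def sample_check(candidate):
    """Stand-in for a real decryption attempt (constructed for this example)."""
    return candidate == "Spring2020"


if __name__ == "__main__":
    password, attempts = find_password(SAMPLE_PATH, sample_check)
    print("password: %r after %d candidates" % (password, attempts))
```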

I had to analyze an encrypted spreadsheet yesterday, and the password was in the name, like this:

msoffcrypto-crack_V0_0_5.zip (https)
MD5: 1514DA367DCFF7051AB117266CE65BD3
SHA256: FEEFDD89134083EA19936494C8FCBD05804B3B9C0D4C5FBAFE06578D466B50AE

4 Comments »

  1. Hello,

    to my understanding the tool doesn’t work with the current samples from the malware-bazaar. Is an update to Python3 with PyZipper necessary? For the convenience of analysts, is it possible to add an option to process all files in a folder? As the password “Velvet…” is a clear indicator for malware an option to reduce to “no password”, “Velvet…” or “other password” would speed up.

    As a significant share of malware uses the “Velvet…” – password, for me the tool is an ideal first test of emails.

    Comment by No Anon — Monday 28 September 2020 @ 7:35

  2. Indeed, PyZipper would help. But in the meantime, you can use zipdump.py to extract and pipe the file into msoffcrypto-crack.py.

    What do you mean with “an option to reduce”? Can you give an example?

    Comment by Didier Stevens — Monday 28 September 2020 @ 16:28

  3. Hello,
    I receive the following message when I apply -p rockyou.txt. Mac OS and Windows both give the same message.

    Traceback (most recent call last):
      File "/Users/andrewkuegler/Desktop/msoffcrypto-crack.py", line 3795, in <module>
        Main()
      File "/Users/andrewkuegler/Desktop/msoffcrypto-crack.py", line 3789, in Main
        Crack(args[0], options)
      File "/Users/andrewkuegler/Desktop/msoffcrypto-crack.py", line 3730, in Crack
        total = len(passwords)
    TypeError: object of type 'NoneType' has no len()

    Comment by Hank — Wednesday 1 September 2021 @ 8:53

  4. I assume you use 32-bit Python?

    Comment by Didier Stevens — Thursday 2 September 2021 @ 16:56

