Didier Stevens

Tuesday 31 March 2020

Update: msoffcrypto-crack.py Version 0.0.5

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generate a password dictionary based on the filename of the document.

Option -p allows the user to provide a dictionary file. Use the value #f instead of a file name to generate the dictionary from the document's filename: it will contain all possible substrings of the filename.
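A sketch of the filename-substring idea, as an added example and not the code of msoffcrypto-crack.py. The function names, the longest-first ordering, and the `try_password` callable (a stand-in for the actual decryption attempt) are assumptions made for illustration.

```python
import re


def filename_substrings(path, min_len=1):
    """Return every distinct substring of the file's name, longest first.

    A name of n characters has at most n*(n+1)/2 substrings, so the
    dictionary stays small even for long filenames.
    """
    # Keep only the last path component, for both / and \ separators.
    name = re.split(r"[\\/]", path)[-1]
    seen = set()
    candidates = []
    for length in range(len(name), min_len - 1, -1):
        for start in range(len(name) - length + 1):
            candidate = name[start:start + length]
            if candidate not in seen:  # repeated characters give duplicates
                seen.add(candidate)
                candidates.append(candidate)
    return candidates


def find_password(path, try_password):
    """Try each substring of the filename; return (password, attempts).

    try_password is a hypothetical callable that returns True when the
    candidate decrypts the document. Returns (None, attempts) if no
    substring of the filename is the password.
    """
    attempts = 0
    for candidate in filename_substrings(path):
        attempts += 1
        if try_password(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample: a spreadsheet whose password appears in its name.
    sample = "/samples/invoice_Secret123.xlsx"
    password, attempts = find_password(sample, lambda p: p == "Secret123")
    print("password %r found after %d attempts (%d candidates in total)"
          % (password, attempts, len(filename_substrings(sample))))
```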

I had to analyze an encrypted spreadsheet yesterday, and the password was in the name, like this:

msoffcrypto-crack_V0_0_5.zip (https)
MD5: 1514DA367DCFF7051AB117266CE65BD3
SHA256: FEEFDD89134083EA19936494C8FCBD05804B3B9C0D4C5FBAFE06578D466B50AE

2 Comments »

  1. Hello,

    to my understanding the tool doesn’t work with the current samples from the malware-bazaar. Is an update to Python3 with PyZipper necessary? For the convenience of analysts, is it possible to add an option to process all files in a folder? As the password “Velvet…” is a clear indicator for malware an option to reduce to “no password”, “Velvet…” or “other password” would speed up.

    As a significant share of malware uses the “Velvet…” – password, for me the tool is an ideal first test of emails.

    Comment by No Anon — Monday 28 September 2020 @ 7:35

  2. Indeed, PyZipper would help. But in the meantime, you can use zipdump.py to extract and pipe the file into msoffcrypto-crack.py.

    What do you mean with “an option to reduce”? Can you give an example?

    Comment by Didier Stevens — Monday 28 September 2020 @ 16:28

