Didier Stevens

Monday 20 July 2020

Cracking VBA Project Passwords

Filed under: Encryption,maldoc — Didier Stevens @ 0:00

VBA projects can be protected with a password. The password is not used to encrypt the content of the VBA project, it is just used as protection by the VBA IDE: when the password is set, you will be prompted for the password.

Tools like oledump.py are not hindered by a VBA password, they can extract VBA code without problem, as it is not encrypted.

The VBA password is stored as the DPB value of the PROJECT stream:

You can remove password protection by replacing the values of ID, CMG, DPB and GC with the values of an unprotected VBA Project.

Thus a VBA password is no hindrance for staticanalysis.

However, we might still want to recover the password, just for the fun of it. How do we proceed?

The password itself is not stored inside the PROJECT stream. In stead, a hash is stored: the SHA1 hash of the password (MBCS representation) + 4 byte salt.

Then, this hash is encrypted (data encryption as described in MS-OVBA and the hexadecimal representation of this encrypted hash is the value of DPB.

This data encryption is done according to an algorithm that does not use a secret key. I wrote an oledump.py plugin (plugin_vbaproject.py) to decrypt the hash and display it in a format suitable for John the Ripper and Hashcat:

The SHA1 of a password + salt is a dynamic format in John the Ripper: dynamic_24.

For Hashcat, it is mode 110 and you also need to use option –hex-salt.

Remark that the password passed as argument to the SHA1 function is represented in Multi Byte Character Set format. This means that ASCII characters are represented as bytes, but that non-ASCII characters might be represented with more than one byte, depending on the VBA project’s code page.



  1. Thank you, analysing several douzend MS Office malware from the Baazar there were several with VBA-password.

    The following are interessting from my point of view: either for obfuscation or (my) difficuties to analyse:

    docm: write MZ in memory

    Heodo: docx,read PowerShell from Stream ‘o’, malformed zip

    PPT, the ony one of a serious with good obfuscation

    xlsm: Obfuscation with rnd()

    xlsm, purged

    doc, Java-script

    xlsx, sheet password: AAAABABABBAF, 6 shapes, no code visible with LibreOffice


    xlsx, XMLHttp, url not readable

    xlsx, Magic-Bytes: d0cf 11e0 a1b1 1ae1, Sheet-password: AAAAAABAAABi, 6 Shapes, Where is the code?

    docm, nice obfuscated

    Comment by No(anonym) — Friday 24 July 2020 @ 14:50

  2. […] that the VBA code itself is not encoded/encrypted, it is stored in cleartext (although compressed) [3]. When a document with a password protected VBA project is opened, the VBA macros will execute […]

    Pingback by Epic Manchego – atypical maldoc delivery brings flurry of infostealers – NVISO Labs — Tuesday 1 September 2020 @ 11:33

  3. Hi,
    This is absolutely amazing work, I was wondering whether you have written or know of a way to do the same with MS Access?

    Comment by Sudo_oth — Friday 5 March 2021 @ 14:46

  4. No

    Comment by Didier Stevens — Saturday 6 March 2021 @ 13:23

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.