Didier Stevens

Monday 20 July 2020

Cracking VBA Project Passwords

Filed under: Encryption,maldoc — Didier Stevens @ 0:00

VBA projects can be protected with a password. The password is not used to encrypt the content of the VBA project, it is just used as protection by the VBA IDE: when the password is set, you will be prompted for the password.

Tools like oledump.py are not hindered by a VBA password, they can extract VBA code without problem, as it is not encrypted.

The VBA password is stored as the DPB value of the PROJECT stream:

You can remove password protection by replacing the values of ID, CMG, DPB and GC with the values of an unprotected VBA Project.

Thus a VBA password is no hindrance for staticanalysis.

However, we might still want to recover the password, just for the fun of it. How do we proceed?

The password itself is not stored inside the PROJECT stream. In stead, a hash is stored: the SHA1 hash of the password (MBCS representation) + 4 byte salt.

Then, this hash is encrypted (data encryption as described in MS-OVBA 2.4.3.2) and the hexadecimal representation of this encrypted hash is the value of DPB.

This data encryption is done according to an algorithm that does not use a secret key. I wrote an oledump.py plugin (plugin_vbaproject.py) to decrypt the hash and display it in a format suitable for John the Ripper and Hashcat:

The SHA1 of a password + salt is a dynamic format in John the Ripper: dynamic_24.

For Hashcat, it is mode 110 and you also need to use option –hex-salt.

Remark that the password passed as argument to the SHA1 function is represented in Multi Byte Character Set format. This means that ASCII characters are represented as bytes, but that non-ASCII characters might be represented with more than one byte, depending on the VBA project’s code page.

 

1 Comment »

  1. Thank you, analysing several douzend MS Office malware from the Baazar there were several with VBA-password.

    The following are interessting from my point of view: either for obfuscation or (my) difficuties to analyse:

    docm: write MZ in memory
    2deb003f7297cb6b40320e38aae81f62e338512bdf0acb27fb3ccdf7386b16aa

    Heodo: docx,read PowerShell from Stream ‘o’, malformed zip
    bf4fffe027c8d6b7f301f79506892c1666c59fbb0e01ee66e6326eae28c6c66d

    PPT, the ony one of a serious with good obfuscation
    9bd432d55037ffe62d2763a33bc1944be77cb4f31173ce5ea14f98c2dfa38665

    xlsm: Obfuscation with rnd()
    99842250e5da8f987227c22d864ea6552cbf176710cd5c45f430bc2765cbf534

    xlsm, purged
    966d24f3e5616ad72402614d846d892fd5756ade55219ca6f3a5440259fc8594

    doc, Java-script
    ddfedf6178d86d3372922620116d8c973e0627b5ac1ef087cc7c15cfcc452480

    xlsx, sheet password: AAAABABABBAF, 6 shapes, no code visible with LibreOffice
    b23aad76a523c780d42015490cff3209608454c016849f547e0584d78eaff4bb.xlsx

    doc,Hyperlink
    1cb15aebd509985de8a7792a474660cdecf8ab1cb008b86abcb3b5971b7a4480

    xlsx, XMLHttp, url not readable
    edbb25dfdfe594eb597484e31968fafa0462e81b203497aff0f5a60879860e53

    xlsx, Magic-Bytes: d0cf 11e0 a1b1 1ae1, Sheet-password: AAAAAABAAABi, 6 Shapes, Where is the code?
    7fa94fbd85d8ff81131e2a049e55df3b7805ad8e258974d47f360dbfb4ea03d9xlsx

    docm, nice obfuscated
    3d9ded92dc9eb820ef7ea68d7f844cd217b7dbebc643d58048565b922736b43f

    Comment by No(anonym) — Friday 24 July 2020 @ 14:50


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.