7

I got a question that I thought would be simple but it is proving to be more difficult than I thought it would be.

I got a malicious password protected Word document that I want to analyze for IoCs. It is encrypted so all I can see is "DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace" when I try to analyze it with oledump or similar tools.

I know the password but I would rather not open it in a word processor to remove the password. Does anyone know of any tools that I can use to decrypt the document without opening it up in a word processor?

schroeder
user148614

4 Answers

7

This one decrypts password-protected DOCX documents and has no dependencies apart from the Python crypto library: https://github.com/nolze/ms-offcrypto-tool

kravietz
2

This Python tool (https://github.com/herumi/msoffice) demonstrates how to command-line-decrypt password-protected Word documents.

You can also use free Password Cracker Tools (e.g. https://www.lifewire.com/free-word-password-recovery-tools-2626185).

You can even use an online service for this (e.g. http://www.decryptum.com/ with free preview).

But in your case, with malware-infected documents, I recommend a standalone PC with a sandbox to just open the document in Word.

schroeder
user689443
1

Python might have an Office API. You could do it in a Linux virtual machine while running Python in firejail.

If you like to live dangerously.

user148650
1

Other answers explain how to remove the password in the special case of a docx file. IMHO, it is not enough to answer the underlying question: what does that document contain? Because even after the password has been removed, you still have to open the document to read it.

Anyway, a malicious Word document can be understood in at least 2 ways:

  • a word document containing malicious macros
  • a specially crafted file targeting a vulnerability in one version of Microsoft Word.

The first meaning leads to a rather simple way: just configure Word to not process any macro and then open the file.

In the second meaning, it will really depend on the actual format, but the general guidance is: open it with something that does not rely on Word code. For example, LibreOffice or Oracle OpenOffice are known to be able to process Microsoft Word formats. As they do not share the same code base, it is unlikely that an exploit targeted at Microsoft Word could affect them - in particular, they are a good alternative for ignoring any macro.

You can also use libraries able to process Word documents, but you should first wonder whether they fully implement the specification from scratch or whether they rely on a COM or .NET interface to a Microsoft engine. Do not even try to use them in the latter case!

Serge Ballesta
  • The goal is to extract and examine the macros. However, the file is currently encrypted with a password. So when I try to analyze it all I can see is "DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace". My end goal is to analyze the VBA/VBS script, identify the method of attack, C2 servers and malware hosting servers. – user148614 May 30 '17 at 18:05
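Added example, not posted by any of the answerers: a small Python triage script for the situation in the question and in the two answers above (kravietz's ms-offcrypto-tool answer and Serge Ballesta's "use something that does not rely on Word code"). With the standard library alone it tells an encrypted OOXML container (an OLE compound file carrying `EncryptionInfo` / `EncryptedPackage` / `StrongEncryptionDataSpace` streams) from a plain zip-based docx, and for a plain docx it lists the parts that reveal embedded VBA, so the document never has to be opened in a word processor. The decryption step assumes the `msoffcrypto-tool` package from the linked repository is installed (`pip install msoffcrypto-tool`) and uses its `msoffcrypto.OfficeFile`, `load_key` and `decrypt` calls; the sample files at the bottom are constructed in memory for demonstration, not real malware.

```python
import io
import sys
import zipfile
from pathlib import Path

# Compound File Binary (OLE2) header; encrypted OOXML is wrapped in this container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Plain OOXML (docx/docm/xlsm/...) is an ordinary zip archive.
ZIP_MAGIC = b"PK\x03\x04"

# OLE directory-entry names are stored as UTF-16LE; these mark an ECMA-376 encrypted package.
ENCRYPTION_MARKERS = [
    name.encode("utf-16-le")
    for name in ("EncryptionInfo", "EncryptedPackage", "StrongEncryptionDataSpace")
]

# Zip members whose presence means the document carries a VBA project.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify(data: bytes) -> str:
    """Classify raw file bytes without handing them to any Office engine."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plain"
    if data.startswith(OLE_MAGIC):
        if any(marker in data for marker in ENCRYPTION_MARKERS):
            return "ooxml-encrypted"
        return "ole-legacy"  # binary .doc/.xls; may hold VBA too, not inspected here
    return "unknown"


def macro_parts(data: bytes) -> list:
    """Zip members of a plain OOXML file that indicate embedded VBA."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return [m for m in MACRO_MEMBERS if m in names]


def macro_enabled_content_type(data: bytes) -> bool:
    """True if [Content_Types].xml declares a macroEnabled main part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "[Content_Types].xml" not in zf.namelist():
            return False
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    return "macroEnabled" in types_xml


def triage(data: bytes) -> dict:
    """Combine the checks into one report a responder can log alongside the sample hash."""
    kind = classify(data)
    report = {"kind": kind, "macro_parts": [], "macro_enabled": False}
    if kind == "ooxml-plain":
        report["macro_parts"] = macro_parts(data)
        report["macro_enabled"] = macro_enabled_content_type(data)
    return report


def decrypt_to_file(src: Path, password: str, dst: Path) -> None:
    """Write a decrypted copy with msoffcrypto-tool (third-party, assumed installed)."""
    import msoffcrypto  # imported lazily so the stdlib triage above works without it

    with src.open("rb") as fin, dst.open("wb") as fout:
        office = msoffcrypto.OfficeFile(fin)
        office.load_key(password=password)  # known password from the phishing lure
        office.decrypt(fout)


def build_plain_docx_with_macro() -> bytes:
    """Constructed sample: a minimal zip shaped like a macro-enabled .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" ContentType='
            '"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def build_encrypted_stub() -> bytes:
    """Constructed sample: OLE header plus the stream names an encrypted package carries."""
    return OLE_MAGIC + b"\x00" * 504 + b"".join(ENCRYPTION_MARKERS)


if __name__ == "__main__":
    # Usage: python triage.py sample.docx [password decrypted.docx]
    path = Path(sys.argv[1])
    print(triage(path.read_bytes()))
    if len(sys.argv) == 4:
        decrypt_to_file(path, sys.argv[2], Path(sys.argv[3]))
        print(triage(Path(sys.argv[3]).read_bytes()))
```

Run it once on the encrypted sample to confirm it really is an encrypted package rather than a legacy binary .doc, decrypt with the known password, then run the triage again on the output: a `word/vbaProject.bin` entry in the report is the part to hand to a VBA extractor for the C2 and payload URLs, still without ever launching Word.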