Bug in decrypting '97 office docs

[deeso]

Unable to decrypt an office '97 document. The decryption fails here: https://github.com/nolze/msoffcrypto-tool/blob/master/msoffcrypto/format/doc97.py#L392

Document file is attached to the email found here: https://www.malware-traffic-analysis.net/2018/08/21/index2.html

Please contact me with questions, and I can provide the raw file for your convenience.

[nolze]

Thank you for your report!

This seems to be an interesting case. The reported file is encrypted .docm file in reality, but MS Word seems to be indifferent to the extension of a file if

• The file is encrpyted in the OOXML (ECMA-376) way (those which with EncryptionInfo etc.), or
• The file is a plain OOXML file,

so the attacker can use .doc extension instead of .docm (while it matters to LibreOffice.) This article was informative for me: https://www.securityweek.com/attackers-disguise-macro-malware-renaming-files

The fix (in PR #18 and so in v4.6.3) for msoffcrypto-tool is just to try looking for EncryptionInfo stream first. I guess that MS Word does the same thing.

For the record, it was curious that the reported file has extra unused MS-DOC streams. Getting off topic, I haven't tried but it might be possible to create MS-DOC file encrpyted in the OOXML way.

[nolze]

See also @deeso's comment in #18.