
Bug in decrypting '97 office docs #17

Closed
deeso opened this issue Sep 12, 2018 · 2 comments

deeso commented Sep 12, 2018

Unable to decrypt an office '97 document. The decryption fails here: https://github.com/nolze/msoffcrypto-tool/blob/master/msoffcrypto/format/doc97.py#L392

Document file is attached to the email found here: https://www.malware-traffic-analysis.net/2018/08/21/index2.html

Please contact me with questions, and I can provide the raw file for your convenience.

nolze added a commit that referenced this issue Sep 13, 2018
@nolze nolze mentioned this issue Sep 13, 2018
@nolze nolze closed this as completed in #18 Sep 13, 2018
nolze added a commit that referenced this issue Sep 13, 2018
Owner

nolze commented Sep 13, 2018

Thank you for your report!

This seems to be an interesting case. The reported file is an encrypted .docm file in reality, but MS Word seems to be indifferent to the extension of a file if

  • The file is encrypted in the OOXML (ECMA-376) way (those with EncryptionInfo etc.), or
  • The file is a plain OOXML file,

so the attacker can use .doc extension instead of .docm (while it matters to LibreOffice). This article was informative for me: https://www.securityweek.com/attackers-disguise-macro-malware-renaming-files

The fix (in PR #18 and so in v4.6.3) for msoffcrypto-tool is just to try looking for EncryptionInfo stream first. I guess that MS Word does the same thing.

For the record, it was curious that the reported file has extra unused MS-DOC streams. Getting off topic, I haven't tried, but it might be possible to create an MS-DOC file encrypted in the OOXML way.
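The EncryptionInfo-first check described in the comment above, as an added example that is not msoffcrypto-tool's own code: a small pure-Python reader for the OLE2/CFB container (header, FAT, directory entries, per the MS-CFB layout) that lists the stream names and classifies the file by its contents rather than its extension, so a .docm renamed to .doc is still recognised as OOXML-encrypted. The hand-built sample container and the helper names (`build_cfb`, `detect`, `classify_streams`) are constructed for this example and are assumptions, not part of the project.

```python
"""Extension-independent detection of OOXML (ECMA-376) encryption.

Added example; this is not msoffcrypto-tool's own code. It parses the OLE2/CFB
container per the [MS-CFB] layout, lists the stream names, and checks for the
EncryptionInfo/EncryptedPackage pair before falling back to MS-DOC streams, so
a file renamed from .docm to .doc is still classified by its contents.
"""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
SECTOR = 512  # sector shift 9, the common CFB v3 layout


def cfb_stream_names(data):
    """Return the names of every stream object in a CFB container.

    Reads the FAT sectors listed in the header DIFAT, then follows the
    directory chain and decodes each 128-byte directory entry.
    """
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2/CFB container")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for sect in struct.unpack_from("<109I", data, 76)[:num_fat_sectors]:
        off = (sect + 1) * sector_size  # sector n lives at (n + 1) * size
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))

    names, seen, sect = [], set(), first_dir
    while sect != ENDOFCHAIN:
        if sect in seen or sect >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sect)
        off = (sect + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[off + i * 128:off + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 2 and name_len >= 2:  # 2 = stream object
                names.append(entry[:name_len - 2].decode("utf-16-le"))
        sect = fat[sect]
    return names


def classify_streams(names):
    """Check for OOXML encryption first, as the PR #18 fix does; only then
    trust the MS-DOC streams that a renamed .docm may also carry."""
    if "EncryptionInfo" in names and "EncryptedPackage" in names:
        return "ooxml-encrypted"
    if "WordDocument" in names:
        return "ms-doc"
    return "unknown"


def detect(data):
    """Classify raw file bytes without consulting the file extension."""
    if data[:4] == ZIP_MAGIC:
        return "ooxml-plain"  # unencrypted OOXML is a ZIP package
    return classify_streams(cfb_stream_names(data))


def _dir_entry(name, obj_type, child=NOSTREAM):
    """One 128-byte directory entry: UTF-16LE name, type, siblings, start, size."""
    entry = bytearray(128)
    encoded = name.encode("utf-16-le") + b"\x00\x00"
    entry[:len(encoded)] = encoded
    struct.pack_into("<HBBIII", entry, 64, len(encoded), obj_type, 1,
                     NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", entry, 116, ENDOFCHAIN, 0)
    return bytes(entry)


def build_cfb(stream_names):
    """Constructed sample: a minimal CFB with one FAT sector and one directory
    sector holding Root Entry plus up to three empty streams."""
    assert len(stream_names) <= 3
    header = bytearray(SECTOR)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<IIII", header, 40, 0, 1, 1, 0)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<IIIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [_dir_entry("Root Entry", 5, child=1 if stream_names else NOSTREAM)]
    entries += [_dir_entry(n, 2) for n in stream_names]
    entries += [bytes(128)] * (4 - len(entries))  # unused slots (type 0)
    return bytes(header) + fat + b"".join(entries)


if __name__ == "__main__":
    # Mimics the reported file: OOXML encryption streams plus leftover MS-DOC streams.
    renamed_docm = build_cfb(["EncryptionInfo", "EncryptedPackage", "WordDocument"])
    print(detect(renamed_docm))                          # ooxml-encrypted
    print(detect(build_cfb(["WordDocument", "1Table"])))  # ms-doc
```

The order in `classify_streams` is the whole point: a container that carries both the OOXML encryption streams and a `WordDocument` stream, like the reported sample, is treated as OOXML-encrypted, which is what sending it down the MS-DOC path would get wrong. The reader walks the directory chain through the FAT and rejects loops, so a malformed container fails with an error instead of spinning.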

Owner

nolze commented Sep 14, 2018

See also @deeso's comment in #18.

@nolze nolze removed the in progress label Sep 14, 2018
@nolze nolze added the bug label Apr 4, 2019