Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Encrypted Maldoc, Wrong Password SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Encrypted Maldoc, Wrong Password

Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.

But that wasn't the correct password. Luckily, Chad found and shared the correct password with us: petrofac.

The good news is that the recipient won't be able to open the document, and might even call the helpdesk. The user's machine won't get infected, and the SOC might get alerted indirectly by the user.

However, as an analyst, you want to be able to analyze the document to recover IOCs and check the logs for sign of compromise (other maldocs, with a valid password and using the same IOCs might have passed the company's defenses).

You can quickly crack the password with John the Ripper or Hashcat, but there are corporations were such tools are even prohibited for the blue teams.

Some time ago, I created a Python tool to help with encrypted Office maldocs: This maldoc inspired me to make a small change to my tool: add an optional rule to perform case toggling when working through a password list.

For this sample, using option -r an providing a password list including PETROFAC, my tool will test PETROFAC and petrofac. There's also an option to provide the email body to extract potential passwords.


Didier Stevens
Senior handler
Microsoft MVP


479 Posts
ISC Handler
Sep 30th 2019
Fortunately, Chad found and imparted the right secret word to us: petrofac. Fortunately the beneficiary won't have the option to open the secret phrase, and may even call the helpdesk. The client's machine won't get tainted, and the SOC may get cautioned in a roundabout way by the client.

Sign Up for Free or Log In to start participating in the conversation!