Hello, welcome to the Tuesday, February 23rd, 2021 edition of the Sansonet Stormer's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today we got a diary from DDA talking about protected and encrypted Excel documents. Now he's using an Excel file that

Brad looked at before. Brad just ran into the dynamic analysis of it, which of course bypass

a lot of the complexities of dealing with protection and encryption. DidD wanted to actually look at the source code

and do a more static analysis

and all sort of step through the code

and see the actual code.

In order to do this, well,

there are actually two issues here.

The protection of Excel documents and the encryption.

Protecting the document usually just prevents it from being altered, while encryption actually

well, encrypts a document so you can no longer see it. An attacker, of course, uses protection

in order to prevent some static code analysis

techniques. Incription, on the other hand, the attacker still wants the spreadsheet to execute.

So one common trick here is that encryption uses a special password,

Velvet Sweatshop.

Wellwood Sweat Shop, old trick in Microsoft Office.

In very old versions of Microsoft Office,

this password was used to essentially achieve protection of office documents.

So it was a hard-coded password.

It was automatically decrypted whenever the document was open.

So this essentially what the attacker does here.

...