Closed dsplice closed 5 years ago
Hi @dsplice, indeed that would be useful, but it seems to be quite hard to implement in pure python for automation. (at least I haven't tried)
You might try other tools such as:
Please tell me if you succeed with one of those tools, maybe it could be integrated with oletools.
I will look into it!
I managed to get it to work, utilizing nolze's code and adding in the ability to generate the secret key via the password. A pull request has been issued for his project to add my code (forked at https://github.com/dsplice/ms-offcrypto-tool).
Great! If that works, maybe this decryption feature could be added to oletools? For example, olevba can extract macros from most encrypted documents, except if they are using the latest encryption formats. That would be a very useful addition.
I'm reopening this ticket to keep track of this idea.
I would be interested in simply knowing if an office document is encrypted in the context of spam filtering.
Using oleid on malicious files for which LibreOffice asks for a password returns Encrypted: False, whether the filetype is CDFV2_Encrypted or just plain Composite Document File V2 Document. Am I using the tool incorrectly? Are some encryption methods not recognised?
I have samples but since they are malicious I am unsure if I should upload them.
Hi @LeMurphant, I have not worked on oleid for a long time, so yes there might be cases that are not handled properly.
You may always share malicious samples in zip files with a password such as "infected". You may send me an e-mail or use a file transfer site.
If you are looking for a programmatic way of doing it, you can always open up the archive and test for the presence of 'EncryptionInfo'.
Also, I have noticed cases where oleid indicates no encryption. Let me dig something up here.
Derek
Test.zip Ok, even my sample document saved using Word 2010 shows up as unencrypted. I have included it zipped up with the password above (even though it is definitely NOT infected :)
python ./oleid.py ~/Test.docx
oleid 0.51 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Filename: /home/t906518/Test.docx
+-------------------------------+---------+
| Indicator | Value |
+-------------------------------+---------+
| OLE format | True |
| Has SummaryInformation stream | False |
| Application name | unknown |
| Encrypted | False |
| Word Document | False |
| VBA Macros | False |
| Excel Workbook | False |
| PowerPoint Presentation | False |
| Visio Drawing | False |
| ObjectPool | False |
| Flash objects | 0 |
+-------------------------------+---------+
OK, I think it is simply because those files are recent OpenXML documents (docx) using the new "strong encryption" format introduced in Office 2010 or 2007. Basically, the actual docx (xml files within a zip) is encrypted and stored in an OLE2 container file. This is completely different from the legacy Word 97-2003 documents which were encrypted directly into their OLE2 format. The current oleid only supports the latter. I will need to update oleid to look for the streams corresponding to the newer format.
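The two cases described in this thread (the 'EncryptionInfo' stream check suggested earlier, and the legacy Word 97-2003 flags that oleid already looked for) can be combined into one detection routine. The code below is an added example written for this page; it is not oletools' own implementation and it does not reproduce the fix that was later merged. It assumes the caller has already extracted the OLE2 streams into a dict of stream name to bytes (for instance with olefile, as in the optional CLI path at the bottom), and the sample inputs are constructed byte strings, not real documents. Beyond the Word and OOXML cases discussed above it also checks the Excel FILEPASS record and the PowerPoint EncryptedSummary stream.

```python
"""Heuristic encryption detection for OLE2 Office files.

Added example, not oletools code. Input is a dict mapping OLE2 stream
names to their raw bytes (e.g. extracted with olefile). Stream names and
record layouts follow the published MS-DOC, MS-XLS, MS-PPT and MS-OFFCRYPTO
formats; the sample inputs below are constructed, not real documents.
"""
import struct

# Streams present when an OOXML package (docx/xlsx/pptx) is encrypted and
# wrapped in an OLE2 container (Office 2007+ standard/agile encryption).
OOXML_ENCRYPTED_STREAMS = ("EncryptionInfo", "EncryptedPackage")

BIFF_BOF = 0x0809
BIFF_FILEPASS = 0x002F


def word_is_encrypted(word_document):
    """Read FibBase flags from a WordDocument stream.

    Offset 0x0A holds a 16-bit little-endian flag word; bit 8 is
    fEncrypted. Bit 15 (fObfuscated) only distinguishes XOR obfuscation
    from RC4/CryptoAPI and is meaningless unless fEncrypted is set.
    """
    if len(word_document) < 0x0C:
        return False
    (flags,) = struct.unpack_from("<H", word_document, 0x0A)
    return bool(flags & 0x0100)


def excel_is_encrypted(workbook, max_records=64):
    """Walk BIFF records from the start of a Workbook/Book stream.

    Each record is type(2) + length(2) + data. A password-protected
    workbook carries a FILEPASS record (0x002F) right after the first BOF,
    so only a bounded number of leading records is inspected.
    """
    pos = 0
    for _ in range(max_records):
        if pos + 4 > len(workbook):
            return False
        rtype, rlen = struct.unpack_from("<HH", workbook, pos)
        if rtype == BIFF_FILEPASS:
            return True
        pos += 4 + rlen
    return False


def detect_encryption(streams):
    """Return (encrypted, reason) for the given {stream_name: bytes} dict.

    Names are compared case-insensitively; nested paths are joined with '/'.
    """
    names = {name.lower(): data for name, data in streams.items()}
    if all(s.lower() in names for s in OOXML_ENCRYPTED_STREAMS):
        return True, "OOXML package encrypted inside OLE2 container"
    if "worddocument" in names and word_is_encrypted(names["worddocument"]):
        return True, "Word 97-2003: FIB.fEncrypted set"
    for book in ("workbook", "book"):  # BIFF8 uses 'Workbook', BIFF5 'Book'
        if book in names and excel_is_encrypted(names[book]):
            return True, "Excel 97-2003: FILEPASS record in %s stream" % book
    if "encryptedsummary" in names:  # MS-PPT encrypted summary info stream
        return True, "PowerPoint 97-2003: EncryptedSummary stream present"
    return False, "no encryption indicator found"


def sample_streams():
    """Constructed sample inputs (not real files), one dict per case."""

    def fib(flags):
        # wIdent, nFib, unused, lid, pnNext, flag word at offset 0x0A
        return struct.pack("<HHHHHH", 0xA5EC, 0x00C1, 0, 0x0409, 0, flags) + b"\x00" * 20

    bof = struct.pack("<HH", BIFF_BOF, 16) + b"\x00" * 16
    filepass = struct.pack("<HH", BIFF_FILEPASS, 6) + b"\x00" * 6
    interface_hdr = struct.pack("<HH", 0x00E1, 2) + b"\x00\x00"
    return {
        "docx_in_ole": {"EncryptionInfo": b"\x04\x00\x04\x00", "EncryptedPackage": b"\x00" * 8},
        "doc_encrypted": {"WordDocument": fib(0x0100), "1Table": b""},
        "doc_plain": {"WordDocument": fib(0x0000), "1Table": b""},
        "xls_encrypted": {"Workbook": bof + filepass},
        "xls_plain": {"Workbook": bof + interface_hdr},
        "ppt_encrypted": {"PowerPoint Document": b"", "EncryptedSummary": b"\x00"},
    }


if __name__ == "__main__":
    # Optional CLI: requires the 'olefile' package (pip install olefile).
    import sys
    import olefile

    ole = olefile.OleFileIO(sys.argv[1])
    extracted = {
        "/".join(path): ole.openstream(path).read()
        for path in ole.listdir(streams=True, storages=False)
    }
    print(detect_encryption(extracted))
```

Note the order of the checks: an encrypted docx wrapped in OLE2 has no WordDocument stream at all, so a tool that only parses the FIB (as oleid did at the time) reports it as unencrypted; testing for the EncryptionInfo/EncryptedPackage pair first covers that case.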
Ah, that makes total sense with what I have seen. I know some of the other tools out there can do both types so there are examples to at least draw inspiration from.
Hi, I found this bug when I was looking into an issue where oleid doesn't always report that password-protected docs are encrypted. I too have noticed that oleid won't find any encryption in office docs in the newer openxml format. One quick note about that: it'd be nice if oleid gave an indication about the format of document. Right now it reports "OLE format" as True for both older OLE2 docs and newer openxml docs, making it hard to know whether the doc doesn't have encryption, or if it's just in a newer format and the tool isn't detecting encryption at all.
I have a sample that I believe is in the older OLE2 format. It's definitely password-protected, which I believe implies it's also encrypted. oleid fails to detect its encryption:
$ oleid virus.doc
oleid 0.51 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Filename: virus.doc
+-------------------------------+---------+
| Indicator | Value |
+-------------------------------+---------+
| OLE format | True |
| Has SummaryInformation stream | True |
| Application name | unknown |
| Encrypted | False |
| Word Document | False |
| VBA Macros | False |
| Excel Workbook | False |
| PowerPoint Presentation | False |
| Visio Drawing | False |
| ObjectPool | False |
| Flash objects | 0 |
+-------------------------------+---------+
$ file virus.doc
virus.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Locale ID: 1033, Comments: oikxynoiejazzkzzwodepoalw, Subject: lyruzxjb, Title: batqknfiyivjeceaflha, Author: labyo
Is this indeed a case where oleid should be able to detect encryption, but isn't? I'm happy to help debug in any way. Thanks!
INFECTED-doc-oleid-doesnt-report-encryption--zip-pass-is-infected--doc-pass-is-5558.zip
sample.zip Here is a sample of password protected doc file for which oleid reports "OLE format" = True, "Encrypted" = False and "VBA Macros" = False.
The password for the zip file is "infected". The encryption password for the file is 123456
Thanks a lot for your sample files. I finally merged #194 from @samiraguiar, and it detects encryption properly on all the samples.
Another encrypted malware sample with VBA macros: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/spoof-us-district-court-emails-spreading-sigma-ransomware/
More samples from this campaign can be downloaded from malware-traffic-analysis [zip]. I just did a pip update and here is output from oleid.
11287a09f738703f84e2f4117e7031f88f17ea2d6ef98272c2a4ab617ddfd8ce
+-------------------------------+---------+
| Indicator | Value |
+-------------------------------+---------+
| OLE format | True |
| Has SummaryInformation stream | True |
| Application name | unknown |
| Encrypted | False |
| Word Document | False |
| VBA Macros | False |
| Excel Workbook | False |
| PowerPoint Presentation | False |
| Visio Drawing | False |
| ObjectPool | False |
| Flash objects | 0 |
+-------------------------------+---------+
@alexander-hanel can you upload the original document so I can try to patch oleid?
@samiraguiar sorry, I posted the wrong link. Here are a couple of documents you can use. The password for the zip is "infected".
__@__:/tmp$ wget https://www.malware-traffic-analysis.net/2018/03/14/2018-03-13-Sigma-Ransomware-emails-and-malware.zip
__@__:/tmp$ 7z x 2018-03-13-Sigma-Ransomware-emails-and-malware.zip
__@__:/tmp$ oleid attachments/Gary\ Resume.doc
oleid 0.51 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Filename: attachments/Gary Resume.doc
+-------------------------------+---------+
| Indicator | Value |
+-------------------------------+---------+
| OLE format | True |
| Has SummaryInformation stream | True |
| Application name | unknown |
| Encrypted | False |
| Word Document | False |
| VBA Macros | False |
| Excel Workbook | False |
| PowerPoint Presentation | False |
| Visio Drawing | False |
| ObjectPool | False |
| Flash objects | 0 |
+-------------------------------+---------+
Thanks, @alexander-hanel. I have tested every file from the attachments directory and oleid reported all of them as encrypted. But from what I could see the version installed by pip does not have that fix yet, so that's why it failed for your samples.
Right, it's in the dev version, but I haven't released oletools 0.53 to PyPI yet.
See also #329
Implemented in #403
Would like the ability to operate on documents that have been password protected (open password). Have had many documents lately that are sent encrypted along with the password (no password recovery required).
dsplice