MuddyWater (11-23-2019) – Part 1: VBAProject password and .xls documents

tl;dr – Use compatibility mode to turn an .xls document into an .xlsm. Then you can unlock the VBAProject at your leisure.


What follows isn’t that difficult, but I thought I’d step through it anyway. It might save someone else some pain (or at least a self-induced forehead slapping moment).

This document came across my feed the other day and I thought I would take a look.


You can find that document on any.run. Click on the link below to get a copy for yourself.

————–>  HERE IS THE LINK TO THE DOCUMENT. RIGHT HERE  <——————-

Anyway (lol), the macros could be extracted from it quite easily. I’ll look at them more carefully in a bit. The next thing I did was open the document and enable the macros to see if any new processes like cmd.exe or powershell pop up anywhere. It was unusual that nothing did.

This means we need to take a more careful look at the macros and see what they’re all about. However, opening the document and hitting ALT+F11 to open Visual Basic for Applications only gets us a demand for a password.


Of course, that’s no big deal. We’ve dealt with this before. All we need to do is turn the .xls file into a .zip, open it up, extract the vbaProject.bin file, edit it with a hex editor and we’re good.

But no. If we treat this file as a .zip, we end up seeing these next to useless files:

That is because this is an .xls document. Pre-2007, .doc and .xls documents used Microsoft’s proprietary binary format. After 2007, Microsoft used their Office Open XML format to represent documents, charts, and more.

How does this help us? If we can open this .xls document and convert it to an .xlsx (or .xlsm) document, it should allow us to unzip the file and edit that vbaProject.bin file to get around that pesky password. We cannot, however, just change the format of the file by adding an x at the end of .xls. We need to open the document and convert it this way.


Open the document as an archive, navigate down into the \xl\ subfolder and you’ll see vbaProject.bin. Extract that file, open it up with a hex editor, search for the string DPB, replace it with DPx, save changes, and toss the .bin file back into the .xlsm document.


Open the document, ignore errors, hit ALT+F11, right-click on the project, choose VBAProject Properties, click on the Protection tab, and uncheck the “Lock project for viewing” box. Save the document one more time, open it back up, hit ALT+F11 and you’ll see…


Now couldn’t we have just looked at the macros that we dumped earlier? Yes, but the benefit of being able to do this is that we can use the debugging capabilities here to interact and watch how the macros work.
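The unzip, DPB-to-DPx edit, and repack step described above can also be scripted. This is an added example, not code from the original post; the function names and the sample bytes are hypothetical, and the script matches the full `DPB="` key rather than the bare string so it cannot hit unrelated bytes. It also checks the magic bytes first, which is why renaming an .xls to .xlsx does not work.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .xls/.doc
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .xlsx/.xlsm
VBA_PART = "xl/vbaProject.bin"


def container_kind(data: bytes) -> str:
    """Classify by magic bytes; renaming .xls to .xlsx changes nothing here."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def patch_vba_lock(xlsm: bytes) -> bytes:
    """Return a copy of the .xlsm with the DPB key renamed to DPx."""
    if container_kind(xlsm) != "zip":
        raise ValueError("not an OOXML zip; convert the .xls in Excel first")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsm)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if VBA_PART not in src.namelist():
            raise ValueError("no xl/vbaProject.bin in this document")
        for item in src.infolist():
            data = src.read(item)
            if item.filename == VBA_PART:
                if data.count(b'DPB="') != 1:
                    raise ValueError("expected exactly one DPB key")
                # Same-length swap, so offsets inside the .bin stay valid.
                data = data.replace(b'DPB="', b'DPx="')
            dst.writestr(item, data)
    return out.getvalue()


def make_sample() -> bytes:
    """Constructed stand-in for a converted .xlsm (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr(VBA_PART, OLE2_MAGIC + b'CMG="00"\r\nDPB="0011AA"\r\nGC="00"\r\n')
    return buf.getvalue()


if __name__ == "__main__":
    patched = patch_vba_lock(make_sample())
    print(zipfile.ZipFile(io.BytesIO(patched)).read(VBA_PART))
```

The patched copy still needs the Excel steps from the post (open, ignore errors, untick “Lock project for viewing”, save) before the project opens cleanly.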

That will be the next post. Thanks for reading!
