Phishing_Attempt.xlsx


In the following sections, I will attempt to further analyze the Excel file.

┌──(kali㉿kali)-[~/…/smb/RedirectedFolders$/edgar.jacobs/Desktop]
└─$ file Phishing_Attempt.xlsx                                         
phishing_attempt.xlsx: Microsoft Excel 2007+

I will open it up using an online service.

By default, the Excel file opens to the Passwords 01082020 tab, which contains a dozen domain users. Interestingly, the C column is not visible.

The other tab, Captured, lists the number of captures made each month over the course of about 3 years, between 01012018 and 04012021. There is a chart made from the dataset, and an interesting comment at 07012019 indicating that the Keely.Lyons user started working for the IT department with a “changeover”.

Protection


The important bit here is that the Passwords 01082020 tab is “protected”. This explains the hidden C column.

In order to “unprotect” the tab, a password is required.

While the password is unknown, there is a way around it.

Manual Removal


┌──(kali㉿kali)-[~/…/smb/RedirectedFolders$/edgar.jacobs/Desktop]
└─$ unzip Phishing_Attempt.xlsx 
archive:  Phishing_Attempt.xlsx
  inflating: [Content_Types].xml     
  inflating: _rels/.rels             
  inflating: xl/workbook.xml         
  inflating: xl/_rels/workbook.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/worksheets/sheet2.xml  
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/sharedStrings.xml    
  inflating: xl/drawings/drawing1.xml  
  inflating: xl/charts/chart1.xml    
  inflating: xl/charts/style1.xml    
  inflating: xl/charts/colors1.xml   
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/worksheets/_rels/sheet2.xml.rels  
  inflating: xl/drawings/_rels/drawing1.xml.rels  
  inflating: xl/charts/_rels/chart1.xml.rels  
  inflating: xl/printerSettings/printerSettings1.bin  
  inflating: xl/printerSettings/printerSettings2.bin  
  inflating: xl/calcChain.xml        
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        

Since an Excel file works much like an archive, I can extract its whole content and extract the passwords in the C column.
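
An added example, not part of the original write-up: a Python audit that flags worksheets relying on sheet protection and hidden columns, and counts the cells in those columns that remain readable as plain XML inside the archive. The function names and the in-memory sample workbook are constructed for illustration; it assumes each cell carries the r attribute, as Excel writes it.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def col_index(cell_ref):
    """Map a cell reference such as 'C2' or 'AA10' to a 1-based column number."""
    n = 0
    for ch in re.match(r"[A-Z]+", cell_ref).group():
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def audit_xlsx(data):
    """Per worksheet: protected flag, hidden column ranges, readable hidden cells."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                continue
            root = ET.fromstring(z.read(name))
            hidden = [(int(c.get("min")), int(c.get("max")))
                      for c in root.iterfind("m:cols/m:col", NS)
                      if c.get("hidden") in ("1", "true")]
            readable = sum(
                1 for c in root.iterfind("m:sheetData/m:row/m:c", NS)
                if len(c) and any(lo <= col_index(c.get("r")) <= hi
                                  for lo, hi in hidden))
            findings[name] = {"protected": root.find("m:sheetProtection", NS) is not None,
                              "hidden_cols": hidden, "readable_hidden_cells": readable}
    return findings

def build_sample():
    """Constructed workbook fragment: one protected sheet with hidden column C."""
    sheet = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<cols><col min="3" max="3" width="9" hidden="1"/></cols><sheetData>'
        '<row r="1"><c r="A1"><v>1</v></c><c r="C1"><v>2</v></c></row>'
        '<row r="2"><c r="A2"><v>3</v></c><c r="C2"><v>4</v></c></row>'
        '</sheetData><sheetProtection sheet="1" objects="1" scenarios="1"/>'
        '</worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_xlsx(build_sample()))
```

A sheet reported as protected with a non-zero readable_hidden_cells count is storing data that the protection password does not keep confidential.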

Scripted Removal


┌──(kali㉿kali)-[~/…/smb/RedirectedFolders$/edgar.jacobs/Desktop]
└─$ python3 unprotect.py Phishing_Attempt.xlsx -vba                                                   
 
craXcel started
 
Checking file Phishing_Attempt.xlsx...
File accepted...
File unpacked...
Workbook protection removed...
Worksheet protection removed...
File repackaged...
Cleaning up temporary files...
Completed unlocking file!
 
Summary: 1/1 files unlocked
 
craXcel finished
 
┌──(kali㉿kali)-[~/…/smb/RedirectedFolders$/edgar.jacobs/Desktop]
└─$ ll unlocked 
total 88K
4.0K drwxr-xr-x 2 kali kali 4.0K Jan 30 20:19 .
 80K -rw-r--r-- 1 kali kali  78K Jan 30 20:19 Phishing_Attempt_craXcel.xlsx
4.0K drwxr-xr-x 4 kali kali 4.0K Jan 30 20:19 ..

I could also use a Python script.

The Passwords 01082020 tab is no longer “protected”.

CLEARTEXT Credentials


I can now access the content in the C column, which contains the list of passwords. While it is very likely that the majority of those users have changed their passwords since, there is always one. Validation will be made by brute-forcing and requesting a TGT.

Metadata


┌──(kali㉿kali)-[~/…/smb/RedirectedFolders$/edgar.jacobs/Desktop]
└─$ exiftool Phishing_Attempt.xlsx                                   
ExifTool Version Number         : 12.67
File Name                       : Phishing_Attempt.xlsx
Directory                       : .
File Size                       : 23 kB
File Modification Date/Time     : 2024:01:30 19:04:59+01:00
File Access Date/Time           : 2024:01:30 19:06:04+01:00
File Inode Change Date/Time     : 2024:01:30 19:05:42+01:00
File Permissions                : -rw-r--r--
File Type                       : XLSX
File Type Extension             : xlsx
MIME Type                       : application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0xcc14a176
Zip Compressed Size             : 442
Zip Uncompressed Size           : 1996
Zip File Name                   : [Content_Types].xml
Last Modified By                : Edgar Jacobs
Create Date                     : 2020:04:07 16:49:10Z
Modify Date                     : 2020:08:10 10:34:48Z
Application                     : Microsoft Excel
Doc Security                    : None
Scale Crop                      : No
Heading Pairs                   : Worksheets, 2
Titles Of Parts                 : Captured, Passwords 01082020
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0300