Cyren Security Blog

Not-Really-Password-Protected Evasion Technique Resurfaces

Today we came across an e-mail with an Excel Workbook attachment, which upon first inspection appears to be password-protected. The presence of the EncryptedPackage stream in an OLE2 document indicates that it is protected by a password, which obviously would require the user to enter one in order to open the document properly. Or at least that’s what the bad guys would like email or AV scanners to think.


Figure 1

Looking at the e-mail, which is couched as a very generic price quote request, the sender did not provide any password for the attachment, so what gives?

Figure 2

Sounds like something we’ve already seen a few years back, six years to be exact. Do you remember VelvetSweatshop and the infamous CVE-2012-0158 exploits, which took advantage of Microsoft Excel’s hidden default-password feature to evade detection? Well, this malware campaign will surely bring you back to those old days.

First let’s try to open the document to see if Microsoft Office will be able to load it properly.

Figure 3

Figure 4

And sure thing, Microsoft Office Excel was able to open the document with no problems at all—and no request to enter a password. So let’s take a look at what’s happening in the background.

Exploits Office Vulnerability CVE-2017-11882

The first thing you’ll notice is the presence of EQNEDT32.EXE being loaded by svchost.exe. This behavior indicates possible exploitation of CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability).

Figure 5

Digging a little deeper, we debugged the exploit shellcode to see what this document really does in the background. Sure enough, this sample does indeed exploit CVE-2017-11882 and attempts to download and execute an executable payload (supposedly saved as %PUBLIC%vbc.exe in the affected computer’s system), as shown in the screenshots below.

Figure 6

Figure 7

VelvetSweatshop Default Password Ploy Still Being Used

We also decrypted the email attachment and confirmed that this document is taking advantage of the old Microsoft Office hidden “feature” that uses a default password to load encrypted documents, as shown in the lines of code in the screenshot below.

Figure 8
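As an added example (not Cyren’s code or tooling), here is a scanner-side triage check in Python that walks an OLE2 container’s directory the way the post reasons about it: the EncryptedPackage stream marks the file as an encrypted OOXML document, and instead of treating it as unreadable the check flags it for a decryption attempt with the default password. It uses only the standard library; the CFB builder produces constructed test data, not the attachment from the e-mail.

```python
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
DEFAULT_PASSWORD = "VelvetSweatshop"  # Excel's hidden default password, as named in the post

def stream_names(blob):
    """List the directory entry names of an OLE2/CFB container by walking its directory chain."""
    if blob[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", blob, 30)[0]  # sector size comes from the sector shift
    def sector(sid):
        return blob[(sid + 1) * size:(sid + 2) * size]  # sector 0 starts right after the header
    n_fat = struct.unpack_from("<I", blob, 44)[0]  # header DIFAT lists the FAT sectors (enough for small files)
    fat = b"".join(sector(s) for (s,) in struct.iter_unpack("<I", blob[76:76 + 4 * n_fat]))
    names, sid = [], struct.unpack_from("<I", blob, 48)[0]  # first directory sector
    while sid != ENDOFCHAIN:
        entries = sector(sid)
        for off in range(0, size, 128):  # 128-byte directory entries
            name_len = struct.unpack_from("<H", entries, off + 64)[0]
            if entries[off + 66] != 0 and name_len >= 2:  # object type 0 marks an unused slot
                names.append(entries[off:off + name_len - 2].decode("utf-16-le"))
        sid = struct.unpack_from("<I", fat, sid * 4)[0]  # follow the chain through the FAT
    return names

def triage(blob):
    """An EncryptedPackage stream means the OOXML payload is encrypted: the file is not
    unscannable, it must be tried with the default password before it is skipped."""
    if {"EncryptionInfo", "EncryptedPackage"} <= set(stream_names(blob)):
        return "encrypted-ooxml: try default password %r before skipping" % DEFAULT_PASSWORD
    return "plain-ole2"

def build_sample(stream_list):
    """Constructed test data: a minimal CFB (one FAT sector, one directory sector, empty streams)."""
    header = bytearray(MAGIC) + bytearray(504)
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # version 3, little endian, 512B sectors
    struct.pack_into("<IIII", header, 44, 1, 1, 0, 4096)  # 1 FAT sector, directory at sid 1; DIFAT[0] stays 0
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no extra DIFAT
    fat = bytearray(b"\xff" * 512)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)  # sector 0 = FAT, sector 1 = directory (end)
    directory = bytearray(512)
    for i, (name, kind) in enumerate([("Root Entry", 5)] + [(n, 2) for n in stream_list]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HBB", directory, i * 128 + 64, len(raw), kind, 1)  # name length, type, color
        child = 1 if kind == 5 and stream_list else NOSTREAM  # sibling tree is simplified for test data
        struct.pack_into("<III", directory, i * 128 + 68, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<I", directory, i * 128 + 116, ENDOFCHAIN)  # zero-length stream, no sectors
    return bytes(header + fat + directory)
```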

Unfortunately, the download link from this exploit sample was inaccessible as of this writing, so we are not able to provide an analysis of its payload.

Indicators of Compromise and Cyren Detection

Object Type | Cyren Detection
Subject: Prices required – |
Subject: Prices required – |
Password-protected: VelvetSweatshop |
Saved to: %PUBLIC%vbc.exe |
Payload: Inaccessible as of this writing |

Prevention and Mitigation

We remind readers that Microsoft issued a patch for CVE-2017-11882 in 2017. Outdated software, operating systems, browsers, and plugins are major vectors for malware infections.
