Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros, the password protection is typically encountered when accessing the project through the Office/VBA IDE (which I typically use for dynamic analysis). This happens rarely enough that I often forget the steps for removing the password, so I thought I’d start collecting possible solutions.
Word – 2007+
Sample MD5: dc989fa836fa93fe1f158fa490382686
Any.Run: https://app.any.run/tasks/dd8ae979-4afc-44ac-99d2-3b57f9d6e2b1
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/4bb275b253db05bfa23a677d3db8f78cef0d633bbef19d05e37780f61577153c?environmentId=100

Password prompt when accessing the VBA project in the VBA IDE
With this type of document, you can rename the original file with a .zip extension, which will allow you to explore the contents. This type of file uses the Open XML file format, which stores all necessary files and folders in a compressed ZIP file.

Explore contents of Word document as a ZIP archive
After opening the archive, navigate to the word folder and extract the file vbaProject.bin.
Next, open that file in a hex editor, search for the ASCII string DPB, and replace the B with a lower-case x.

Correct instance of DPB string is followed by an equal (=) sign
Save this file and drag and drop it into its original location in the archive. Next, remove the .zip file extension and restore the original one (doc/docx/etc.). You’re now ready to open the document with Word. You may receive a dialog about an invalid property; you can safely ignore this message.

Changing DPB results in an invalid key
Finally, you can open the project via the Developer tab. Right-click on the project in the project explorer window and select <project> properties. On the Protection tab, uncheck Lock project for viewing and save the document. This removes the protection and allows you to access the macros.

Unlocked VBA project
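
The manual rename/extract/hex-edit/re-pack steps above can be scripted so the original sample stays untouched and only an analysis copy is modified. This is an added example, not part of the original post; the function names and the in-memory sample document are constructed for illustration.

```python
import io
import sys
import zipfile

# Same-length replacement: the byte count of vbaProject.bin must not change,
# otherwise the stream sizes recorded inside the OLE container become wrong.
MARKER, PATCHED = b"DPB=", b"DPx="

def patch_vba_project(blob: bytes) -> bytes:
    """Rename the 'DPB=' key (DPB followed by an equals sign) to 'DPx='."""
    if MARKER not in blob:
        raise ValueError("no 'DPB=' key found in vbaProject.bin")
    return blob.replace(MARKER, PATCHED)

def patch_document(doc: bytes) -> bytes:
    """Return a copy of an Open XML document with vbaProject.bin patched."""
    out = io.BytesIO()
    patched = 0
    with zipfile.ZipFile(io.BytesIO(doc)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item)
            # Word keeps it under word/; match on the file name only so the
            # same code also finds the part in other Open XML containers.
            if item.filename.lower().endswith("vbaproject.bin"):
                data = patch_vba_project(data)
                patched += 1
            dst.writestr(item, data)  # every other part is copied unchanged
    if not patched:
        raise ValueError("archive contains no vbaProject.bin")
    return out.getvalue()

def make_sample() -> bytes:
    """Constructed stand-in for a macro-enabled document (not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", b"<w:document/>")
        z.writestr("word/vbaProject.bin", b'\x00PROJECT\r\nDPB="CONSTRUCTED"\r\n')
    return buf.getvalue()

if __name__ == "__main__":
    # Usage: python unlock_vba.py sample.docm  ->  writes sample.docm.unlocked
    path = sys.argv[1]
    with open(path, "rb") as fh:
        unlocked = patch_document(fh.read())
    with open(path + ".unlocked", "wb") as fh:
        fh.write(unlocked)
```

Rename the output back to the original extension before opening it in Word; the invalid-property dialog and the properties step described above still apply.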