Recently, during a forensic analysis on a laptop of an employee charged with corporate espionage, I've carved from disk a suspicious Excel file.

Obviously, the file was password protected, and I had to find a way to read it.

I did it,and now i'd like to share workflow for XLSX cracking.

What tools do i use?

The encryption algorithm of encrypted Microsoft Excel files is 40bit RC4.
As it is encrypted nothing could be tweaked by opening the document with a hex editor.

The correct way is to extract the password hash from the file and then cracking it using John The Ripper.

For this purpose, you need to get a 'jumbo' build of John The Ripper, that supports Office files cracking.

First, clone the git repository:

$ git clone

Then compile the sources:

$ cd JohnTheRipper/src

$ ./configure && make

If everything goes well, the executables for John and its related utilities will be created under "../run/".

Now, under "run" you can also find a python script, you can use it for extract the hash from the encrypted XLSX file:

$ python ./test.xlsx > hash.txt

$ cat hash.txt

Finally, you can start a bruteforce session with John The Ripper, maybe using a specific wordlist:

$ john --rules --wordlist=yourwordlist.txt hash.txt 

Now, make a cup of coffee, sit back and wait for John to do its thing.