
1) Firsly the basic encryption mechanism is rc4.

http://msdn.microsoft.com/library/officedev/office/orkhtml/034.htm

When you readprotect a document in any of these applications, the application 
calls an Office DLL to provide the encryption routine. The Office encryption 
options described here are independent of any additional security measures
at the operating system level. 

Access, Excel, and Word incorporate the symmetric encryption routine known as 
RC4. RC4 is stronger than the encryption routine used in previous versions of 
most Office applications, known as Office 4.x encryption. (Access has supported 
RC4 encryption since version 2.0.) Documents from previous versions of Office 
are not as secure as passwordprotected documents in Office 97 or 98 format. 


2) There is a lengthy and complex mechanism to get a key from the password

See the actual code for details

3) There is a change at position 0x200 in the table stream. Creating a 
standalone keystream and searching for what is almost cretainly the next 
portion of keystream, (the change occurs half way through a known string). 
The section of keystream is not found for up to 25000 bytes. So i theorize
that a new key is generated and rc5 restarted.
