Malware Sample Analysis 11–02–2022

I’ve been asked to investigate a case in which a user received a phishing email, asking the user to click on a link to open a PDF Document.

The link points to a Google Drive hosted file.

Original Email

Once downloaded, the PDF file is in fact a VBS (Visual Basic Script) file:

Original VBS Script with junk code removed

Please note that the file is UTF-16 encoded (it contains Unicode strings). On my first attempts, I broke everything because I was copy/pasting the content into a UTF-8 document.

After a bit of cleanup, I commented out the 2 execution commands (lines 26 & 71) and replaced them with prints of the variables (lines 25 & 70), to see what the script was doing:

Beautified and Modified VBS Script

Now that the execution calls were disabled, I could safely run the script:

stage01.vbs output

In yellow, the script copies itself into the Startup folder of the Start Menu. This is for persistence, and this part is built by lines 11-27.

In blue, this is a PowerShell script that is built by lines 29-71.

To go one step further, I copy/pasted the blue part of the output into a PowerShell script, commented out the execution part, and added a print of the variables (line 4).

Now that the execution call was disabled, I could safely run the script:

stage02.ps1 Output

In yellow, the script downloads a file from hxxp[://]91[.]241[.]19[.]49/CRYPS/F3dll[.]txt and decodes it from base64 encoding.

I did these 2 operations (wget + base64) in my Linux VM. The file command now indicates that the downloaded file is a .NET DLL file.

File identified as a .NET DLL

In blue, the script loads the .NET DLL file and invokes its “Run” function with a string as parameter.

The parameter is the reversed string of the URL hxxp[://]pastie[.]org/p/1xXctK7tSjDf8p1GCEfaRd/raw, but this URL was no longer reachable at the time of this analysis.

The hash of the .NET DLL file is already known and flagged as malicious by VirusTotal:

VirusTotal Results
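As an added example (not code from the original post), here is a small Python triage helper that reproduces the stage-2 steps offline without executing anything: base64-decode the fetched text, check the magic bytes for a .NET PE, hash it for a VirusTotal lookup, and un-reverse the Run() argument into a defanged URL. The base64 blob and the argument string are constructed placeholders, not the real F3dll.txt or the sample's URL.

```python
import base64
import hashlib
import re

# Constructed stand-in for the base64 text the stage-2 script fetches: a fake
# MZ header plus the "BSJB" CLR metadata signature. NOT the real F3dll.txt.
SAMPLE_B64 = base64.b64encode(
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40 + b"BSJB" + b"\x00" * 16
).decode()

# Constructed Run() argument: the stage-2 script passes the URL reversed.
# The path "321cba" is a placeholder, not the one from the sample.
SAMPLE_ARG = "war/abc123/p/gro.eitsap//:ptth"


def decode_payload(b64_text: str) -> bytes:
    """Decode the downloaded text the way the PowerShell stage does (base64)."""
    return base64.b64decode(re.sub(r"\s+", "", b64_text))


def identify(blob: bytes) -> str:
    """Classify a decoded blob by magic bytes: PE or not, and .NET or native.

    "MZ" is the DOS header of every PE file; "BSJB" is the CLR metadata
    signature present in .NET assemblies, which is why `file` says ".NET".
    """
    if not blob.startswith(b"MZ"):
        return "unknown"
    return "PE (.NET assembly)" if b"BSJB" in blob else "PE (native)"


def sha256_hex(blob: bytes) -> str:
    """Hash for a reputation lookup (e.g. VirusTotal) instead of running the DLL."""
    return hashlib.sha256(blob).hexdigest()


def recover_url(reversed_arg: str) -> str:
    """Undo the string reversal of the Run() argument and defang the result."""
    url = reversed_arg[::-1]
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


if __name__ == "__main__":
    payload = decode_payload(SAMPLE_B64)
    print(identify(payload), sha256_hex(payload))
    print(recover_url(SAMPLE_ARG))
```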

I didn’t dive into the DLL, but most probably it is a dropper that would download another payload from the unavailable URL and execute it …

Maybe next time :)
