So a couple weeks ago, I found a thread on Reddit called Help reading a potentially malicious vbs file. The Original Poster had came across a VBScript file that looked rather….. weird. So! To the drawing board I went!

This VBScript is 100% unreadable in its current form. It has a giant array list directly in the middle of the file, it is one line, and every variable is gibberish. When writing malware, this is called obfuscation, as you do not want people to figure out what your virus does. However, you can only take obfuscation so far in programming. The first step in the process of analyzing this script is add line breaks. For any “::”, we will replace it with “/n”. This will convert every line continuation character with a literal new line character.

That looks much more readable! The next steps is to remove the various ” “+” ” strings, and to give it proper indentation. After that, we can get to actually figuring out what each subroutine does.

Now that we have everything indented, its time to replace every gibberish word with something meaningful. This is where the difficult part comes in…. It’s like putting a 2000 piece puzzle back together. The more knowledgeable you are in the language, the easier this becomes. After completing the puzzle, it will become clear what the VBScript does:

If you noticed the message box added between the highlighted lines, good! I added it to pause execution while I grabbed the ZIP file. Inside the ZIP file is our malicious code:

Finally, this script will register this text file as a DLL, thus starting the infection process. That will be covered in Part 2.

Stay tuned!