Hello, Didier Stevens here, senior handler at the Internet Storm Center. This video on the analysis of obfuscated VBS is based on this diary entry that I made. So I have a sample that I got from MalwareBazaar and I'm going to analyze this with CyberChef. Now here you can load the file, but then you need to have the file on your disk, and I don't like that, especially on Windows machines. So I have the sample here in a password-protected zip file, as I obtained it from MalwareBazaar. Here it is, and I can say option X (uppercase X), and this will dump all of the files in the zip file as a hexadecimal dump. And since there is only one file, there you have it. So what I can do now is say clip. This will copy the hexadecimal dump to the clipboard, and then I can paste it into CyberChef, and then I can say From Hex to do the decoding, like this. And now here I have the file as output in CyberChef, without having to have that file on my disk, not contained in a zip file with a password.

Okay, so now I can start the analysis. So I'm first going to run Magic on it to identify the file, and it's a text file, UTF-16 little endian. So the FFFE that you see here is a byte order mark, and FFFE means little endian. Okay, so let's take that away, and then we can decode this. So Decode Text, decode this as UTF-16 little endian. And we see a lot of colons, and one and two. And if we go through here, it seems that it's only this. So let's just filter these out and see what we remain with. So Filter: carriage return line feed is the delimiter here, because it's a Windows file. So start of the line, colon, end of the line. So now we have selected only those with a single colon. Invert, and now we have the rest that remains. So we can do that again: carriage return, start, colon colon, end of the line, invert selection. Okay, and now we end up here with a couple of lines of VBS, with a Dim statement; that's something you find in Visual Basic.

So that's a good keyword to say: okay, this is Visual Basic. And here you also have an Execute statement. Execute is a statement that you have in VBS, Visual Basic Scripting. It's not available in VBA, Visual Basic for Applications. So this is a VBS file. You can see here several replaces, so lots of non-printable characters here, well, non-ASCII characters, replaced by an I, an S, a U, an R, an E, a U and so on. And then we have this here, okay, and these two characters here appear also here. And so you have this and this, so this looks like a replace, an obfuscated replace, and it's very likely this, because here you can see PLAC and here you can see an R. So this string probably has to be replaced by an E. So let's just do that. Let's just do a search and replace for this and replace it with A. Let me copy this, so search, no, Find and Replace. Find, replace, okay. So we just find a simple string, search for a simple string, this one here, and we replace this with a letter A, okay. And now we start to see something that looks a lot like Base64, but reversed, as the == here is at the beginning and not at the end. And then you also have this here, some other variables that are concatenated. But here this also looks again like a search and replace, because you have the variable here, then these three variables, and so what I'm going to do is just try this here and do another Find and Replace, so simple string, and replace this with Z, okay. So this indeed looks like reversed Base64, so let's extract this. First I'm going to filter only for this line, let's just take this here, part of the line, and say Filter. So then I only want to select this here, so between the double quotes, and I'm going to use a regular expression for that.

So a regular expression: I match a double quote, and then in a capture group any sequence, close the capture group, and here a double quote. You see that it is selected now, and I'm going to say List capture groups, okay, and here we have the reversed Base64. So let's reverse this, like so, Base64 decoding, okay, and now we end up with something that is typical here for PowerShell, and this is UTF-16, so Decode Text, UTF-16 little endian, and here we have our PowerShell script with a URL, and here another reversed URL.
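The CyberChef recipe walked through above, expressed as a Python script; this is an added example, not code from the diary or the video. It builds a constructed, benign stand-in for the sample (the junk tokens, the PowerShell text and the URL are assumptions, not values from the real file), then strips the colon-only noise lines, undoes the Replace() obfuscation, reverses and Base64-decodes the string literal and decodes the UTF-16LE PowerShell.

```python
import base64
import re

# Constructed junk tokens: the real sample used non-ASCII sequences that a
# chain of Replace() calls turned back into single Base64 letters.
REPLACEMENTS = {"\u00a7\u00b6": "A", "\u00c6\u00d8": "Z"}

# Constructed, benign stand-in for the PowerShell the script carried.
PAYLOAD_PS = 'Write-Host "constructed sample"; $url = "http://example.invalid/"'


def build_sample() -> bytes:
    """Build a constructed obfuscated VBS file mimicking the diary sample."""
    blob = base64.b64encode(PAYLOAD_PS.encode("utf-16-le")).decode("ascii")
    blob = blob[::-1]  # reversed: the '==' padding now sits at the front
    for junk, letter in REPLACEMENTS.items():
        blob = blob.replace(letter, junk)  # hide letters behind junk tokens
    lines = [
        ":::::::", "::",  # noise lines made only of colons
        "Dim s",
        's = "' + blob + '"',
        'Execute Replace(Replace(s, "\u00a7\u00b6", "A"), "\u00c6\u00d8", "Z")',
        ":",
    ]
    # UTF-16LE with the FF FE byte order mark and CRLF line endings (Windows file)
    return b"\xff\xfe" + "\r\n".join(lines).encode("utf-16-le")


def strip_noise(raw: bytes) -> str:
    """Decode UTF-16 (the BOM selects little endian) and drop colon-only lines."""
    text = raw.decode("utf-16")
    keep = [ln for ln in text.splitlines() if not re.fullmatch(r":*", ln)]
    return "\n".join(keep)


def extract_blob(vbs: str, replacements: dict) -> str:
    """Undo the Replace() obfuscation and return the reversed Base64 literal."""
    for junk, letter in replacements.items():
        vbs = vbs.replace(junk, letter)
    quoted = re.findall(r'"([^"]*)"', vbs)  # CyberChef: regex + list capture groups
    return max(quoted, key=len)  # the payload is by far the longest literal


def deobfuscate(raw: bytes, replacements: dict) -> str:
    """Reverse, Base64-decode and UTF-16LE-decode the hidden PowerShell."""
    blob = extract_blob(strip_noise(raw), replacements)
    return base64.b64decode(blob[::-1]).decode("utf-16-le")


if __name__ == "__main__":
    print(deobfuscate(build_sample(), REPLACEMENTS))
```

Against a real sample you would feed the hex dump's bytes into deobfuscate() and fill REPLACEMENTS from the Replace() arguments you spot in the cleaned script, exactly as the Find/Replace steps above did by hand.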