Remcos Downloader Analysis – Manual Deobfuscation of Visual Basic and PowerShell

The post walks through manual deobfuscation of a Visual Basic (.vbs) script that embeds an obfuscated PowerShell payload which downloads a Remcos implant from Google Drive. It shows removing junk comments, reassembling concatenated strings, and decoding an every-8th-character extraction scheme using Python, regex, and CyberChef to recover IOCs. #Remcos #GoogleDrive #PowerShell #BitsTransfer #AppData

Keypoints

  • Sample provided with SHA-256: b632a2ab492dbe0f71c18cab99b61bded82cbb66696f2d30c9bc354605ebb136.
  • Initial cleanup removed 1,516 junk-comment lines from the .vbs, leaving ~80 lines for analysis.
  • The .vbs contains an embedded PowerShell payload split across many concatenated strings and invoked via WScript.Shell.
  • The obfuscation routine (function “Minimif”) reconstructs plaintext by taking every 8th character from each encoded string segment.
  • Decoding was validated and automated using a small Python script, a capture-regex, and a CyberChef recipe to extract and transform quoted strings.
  • Decoded values reveal a Google Drive download URL, Start-BitsTransfer usage, base64-encoded payload saved to %AppData%, and the Remcos loader behavior.

MITRE Techniques

  • [T1059.005] Visual Basic – WScript.Shell is used to launch the obfuscated PowerShell payload; [‘…assuming that the aim of the initial obfuscated piece is to use WScript.Shell to execute the obfuscated PowerShell command.’]
  • [T1059.001] PowerShell – an encoded PowerShell script is embedded and executed to perform follow-on actions; [‘…contains an encoded Powershell Script used to download Remcos malware from a Google Drive.’]
  • [T1105] Ingress Tool Transfer – the script downloads a base64-encoded file from Google Drive using BITS (BitsTransfer) to %AppData%; [‘…uses Powershell to Download a base64 encoded file to the AppData folder. The download is performed using the Bits protocol, using the BitsTransfer Powershell module.’]
  • [T1027] Obfuscated Files or Information – the payload is hidden via junk comments, string concatenation, and an extraction routine that selects every 8th character from each encoded string; [‘…taking the 8th character of each encoded string. The script iterates through each string, taking additional characters at 8,16,24 etc.’]

Indicators of Compromise

  • [File Hash] sample SHA-256 – b632a2ab492dbe0f71c18cab99b61bded82cbb66696f2d30c9bc354605ebb136
  • [URL] Google Drive download (decoded from script) – drive.google.com/… (decoded PowerShell URL pointing to the payload)
  • [Directory/File Path] write location – %AppData% (payload saved to the user’s AppData folder after download)
  • [Command/Module] PowerShell BITS usage – Start-BitsTransfer / BitsTransfer module referenced in decoded values

We moved the zipped sample into a safe analysis VM and unzipped it (password: “infected”), then opened the .vbs in a text editor. Large volumes of decoy comments (lines starting with a single quote) were removed with a regex, reducing the script from ~1609 to ~80 lines. Investigation revealed WScript.Shell calls and a broken-up PowerShell payload concatenated from ~20 quoted strings; these strings were copied into a new file and cleaned by removing concatenation tokens and surrounding quotes.

The extracted PowerShell begins with a function named “Minimif” that processes encoded strings. By renaming variables and inspecting the routine, the decoding pattern was identified: the function selects the 8th character of each 8-character block (indices 8,16,24…). This was verified by a short Python script that reproduced the decoded output (the first result being a Google Drive URL). The same result was achieved with a regex that captures the 8th character from each 8-character chunk, and the process was automated in CyberChef: extract all single-quoted strings, fork to handle each line, remove quotes, apply the 8th-character regex, and join results.
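The cleanup and decoding steps described in the two paragraphs above, reproduced end to end in Python as an added example (this is not the post's own script or the sample's code). It constructs its own .vbs stand-in: decoy comment lines, a `cmd = "..." & _` statement that splits a PowerShell one-liner across double-quoted fragments, and a `WScript.Shell` call. The encoded values, the `encode` helper that pads each real character with seven junk characters, and the placeholder URL are all constructed; the real sample's Drive link is not reproduced. The decoder is then run twice, once as a slice (`[7::8]`) and once with the CyberChef-style regex `.{7}(.)`, and the two results are checked against each other.

```python
import re
import itertools

BLOCK = 8                               # one real character per 8-character block
STRIDE_RE = re.compile(r".{7}(.)")      # capture the 8th character of each 8-char chunk


def encode(plaintext: str, block: int = BLOCK) -> str:
    """Constructed encoder (assumption, not the loader's code): put block-1 junk
    characters in front of each real one, so the plaintext sits at 1-based
    positions 8, 16, 24, ..."""
    junk = itertools.cycle("zqxjkvbw")
    out = []
    for ch in plaintext:
        out.extend(next(junk) for _ in range(block - 1))
        out.append(ch)
    return "".join(out)


def decode_by_index(encoded: str, block: int = BLOCK) -> str:
    """Slice-based decoder: start at 0-based index block-1, step by block."""
    return encoded[block - 1::block]


def decode_by_regex(encoded: str) -> str:
    """Regex-based decoder, equivalent to the CyberChef 'Regular expression' step."""
    return "".join(STRIDE_RE.findall(encoded))


# Constructed plaintext values standing in for the loader's decoded strings.
# The URL is a placeholder, not the Drive link recovered from the real sample.
SECRETS = ["https://example.invalid/payload.txt", "Start-BitsTransfer", "AppData"]


def build_sample_vbs() -> str:
    """Constructed .vbs mimicking the layout the post describes: decoy comment
    lines, a PowerShell one-liner whose single-quoted encoded arguments are split
    over double-quoted VBS fragments joined with '&', and a WScript.Shell call."""
    ps = "Minimif " + " ".join(f"'{encode(s)}'" for s in SECRETS)
    frags = [ps[i:i + 40] for i in range(0, len(ps), 40)]
    body = " & _\n".join(f'"{frag}"' for frag in frags)
    return "\n".join([
        "' decoy comment 1",
        "' decoy comment 2",
        "Dim cmd",
        f"cmd = {body}",
        "' decoy comment 3",
        'Set sh = CreateObject("WScript.Shell")',
        "sh.Run cmd, 0",
        "' decoy comment 4",
    ])


def strip_comment_lines(vbs: str) -> list:
    """Drop decoy lines whose first non-blank character is a single quote."""
    return [ln for ln in vbs.splitlines() if not ln.lstrip().startswith("'")]


def reassemble_command(lines: list) -> str:
    """Join the double-quoted fragments of the `cmd = "..." & _` statement,
    following VBS line continuations until a line without a trailing '_'."""
    stmt, collecting = [], False
    for ln in lines:
        if ln.startswith("cmd ="):
            collecting = True
        if collecting:
            stmt.append(ln)
            if not ln.rstrip().endswith("_"):
                break
    return "".join(re.findall(r'"([^"]*)"', "\n".join(stmt)))


def decode_sample(vbs: str = "") -> list:
    """Full pipeline: strip comments -> rebuild the PowerShell text -> pull the
    single-quoted encoded strings -> decode each with both methods."""
    if not vbs:
        vbs = build_sample_vbs()
    ps = reassemble_command(strip_comment_lines(vbs))
    encoded = re.findall(r"'([^']*)'", ps)
    decoded = [decode_by_index(e) for e in encoded]
    assert decoded == [decode_by_regex(e) for e in encoded], "decoders disagree"
    return decoded


if __name__ == "__main__":
    for value in decode_sample():
        print(value)
```

The slice start is the one setting to confirm against a real sample: if the first decoded string is not a readable URL, the routine is counting from 0 rather than 1, and `encoded[8::8]` (or `.{8}(.)` in the regex) is the correct stride instead.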

The fully decoded output contains explicit commands and values: a Google Drive file URL, references to PowerShell and the BitsTransfer module, instructions to download a base64-encoded file into %AppData%, and subsequent handling consistent with a Remcos loader. IOCs (SHA-256 above, the decoded Drive URL, %AppData% write location, and Start-BitsTransfer usage) were extracted for further triage and detection rule creation. Read more: https://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/