VBS + VBE

Published: 2016-04-17
Last Updated: 2016-04-17 18:16:53 UTC
by Didier Stevens (Version: 1)

When I researched VBS encoding for my YARA rule and Python decoding script, I noticed that the encoded script has a header and a trailer. I wondered whether you could have several scripts in the same file, so I added this to my research to-do list.

But a couple of days ago I came across a maldoc sample (MD5 246f27b9ec2c16da7844369e9153b8cd) that wrote to disk a VBE script consisting of an unencoded part (the URL) and an encoded part (the code to download and execute).


Take for example this VBS script:
MsgBox "Encoded string"
MsgBox variable

Encoding gives this VBE script:
#@~^KgAAAA==\ko$K6,J2    mK[+9PdYMkULr@#@&tdo~W6,-CDbl(Vn6g0AAA==^#~@

Executing this encoded script gives us 2 popups:

The second popup does not contain a message because variable is an uninitialized variable (we get no error for using an uninitialized variable since we did not issue the statement "option explicit").

If we modify the VBE file and add an unencoded VBS script like this:
variable = "Unencoded string"
#@~^KgAAAA==\ko$K6,J2    mK[+9PdYMkULr@#@&tdo~W6,-CDbl(Vn6g0AAA==^#~@

then the second popup contains a message this time:

You can also have more than one encoded script inside the same VBE file. But encoding the script twice does not work.
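The framing described above (the "#@~^" header with its base64 length field, the base64 checksum field with the "^#~@" trailer, and unencoded VBScript sitting next to one or more encoded segments) is enough to triage a VBE file without decoding it. The following Python is an added example, not code from the diary or from Didier's decoding script: it splits a file into plain and encoded segments and checks that each declared length actually lines up with a trailer. The sample file, the segment bodies and the checksum fields are constructed placeholders (the substitution tables and the checksum algorithm are not reproduced here).

```python
import base64
import re
import struct

# Framing as shown in the diary: "#@~^" + 8-char base64 length field opens an
# encoded segment, 8-char base64 checksum field + "^#~@" closes it. Anything
# outside such segments is plain (unencoded) VBScript that runs as-is.
HEADER = re.compile(r"#@~\^([A-Za-z0-9+/]{6}==)")
TRAILER_MARK = "^#~@"
FIELD_LEN = 8

def field_to_int(field):
    """A length/checksum field is base64 of a 32-bit little-endian integer."""
    return struct.unpack("<I", base64.b64decode(field))[0]

def split_vbe(text):
    """Split a VBE file into ("plain", code) / ("encoded", info) segments in order.
    info carries the encoded body, its declared length, the checksum field and
    whether the declared length actually lined up with the trailer marker."""
    segments, pos = [], 0
    for head in HEADER.finditer(text):
        if head.start() < pos:
            continue  # header-like bytes inside a previous encoded body
        body_start = head.end()
        declared = field_to_int(head.group(1))
        expected = body_start + declared + FIELD_LEN  # honest trailer position
        length_ok = text.startswith(TRAILER_MARK, expected)
        mark = expected if length_ok else text.find(TRAILER_MARK, body_start)
        if mark < 0:
            break  # unterminated segment: the remainder is reported as plain
        if head.start() > pos:
            segments.append(("plain", text[pos:head.start()]))
        segments.append(("encoded", {
            "body": text[body_start:mark - FIELD_LEN],
            "declared_length": declared,
            "checksum_field": text[mark - FIELD_LEN:mark],
            "length_ok": length_ok,
        }))
        pos = mark + len(TRAILER_MARK)
    if pos < len(text):
        segments.append(("plain", text[pos:]))
    return segments

# Constructed sample, not the diary's real encoded script: one unencoded line,
# then two encoded segments. "CgAAAA==" is 10 and "AwAAAA==" is 3 (LE32); the
# bodies and checksum fields are placeholders, not real encoder output.
SAMPLE = ('variable = "Unencoded string"\r\n'
          '#@~^CgAAAA==0123456789AAAAAA==^#~@\r\n'
          '#@~^AwAAAA==xyzAAAAAA==^#~@')
```

A segment whose declared length does not line up with a trailer (length_ok False) is worth a closer look, as is any plain text in front of the first header, since it runs unencoded. The diary's own header "#@~^KgAAAA==" declares a body of 42 characters.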

Please post a comment if you have experimented with VBE scripts too.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.
