
SANS ISC: InfoSec Handlers Diary Blog - VBS + VBE



Published: 2016-04-17
Last Updated: 2016-04-17 18:16:53 UTC
by Didier Stevens (Version: 1)
0 comment(s)

When I researched VBS encoding for my YARA rule and Python decoding script, I noticed that the encoded script had a header and a trailer. I wondered whether a single file could contain several scripts, so I added this to my research to-do list.

But a couple of days ago I came across a maldoc sample (MD5 246f27b9ec2c16da7844369e9153b8cd) that wrote a VBE script to disk that consisted of an unencoded part (the URL) and an encoded part (the code to download and execute).

Take for example this VBS script:
MsgBox "Encoded string"
MsgBox variable

Encoding gives this VBE script:
#@~^KgAAAA==\ko$K6,J2    mK[+9PdYMkULr@#@&tdo~W6,-CDbl(Vn6g0AAA==^#~@

Executing this encoded script gives us two popups:

The second popup does not contain a message because variable is an uninitialized variable (we get no error for using an uninitialized variable since we did not issue the Option Explicit statement).

If we modify the VBE file and add an unencoded VBS script like this:
variable = "Unencoded string"
#@~^KgAAAA==\ko$K6,J2    mK[+9PdYMkULr@#@&tdo~W6,-CDbl(Vn6g0AAA==^#~@

then the second popup contains a message this time:

You can also have more than one encoded script inside the same VBE file. But encoding the script twice does not work.
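To triage such mixed files, here is an added Python helper (my own code, not from the diary or from Didier's tools) that splits a .vbe file into its unencoded text and its encoded blocks using the header/trailer markers shown above, and reads the length and checksum fields from them without decoding the body. The field layout (a 6-character base64 little-endian length after "#@~^", a 6-character base64 checksum before "^#~@") is as I understand the Script Encoder format and is an assumption here; the sample file is constructed from the diary's encoded string, with the whitespace inside it assumed to be a single tab.

```python
import base64
import re
import struct

# One VBE block: "#@~^" + 6 base64 chars (little-endian length) + "==" + body
# + 6 base64 chars (checksum) + "==" + "^#~@".  Layout as I understand the
# Microsoft Script Encoder format (assumption, not taken from the diary).
VBE_BLOCK = re.compile(
    r"#@~\^([A-Za-z0-9+/]{6})==(.*?)([A-Za-z0-9+/]{6})==\^#~@", re.DOTALL
)


def _field(b64_6chars):
    """Decode a 6-char base64 field (+ '==' padding) to a 32-bit little-endian int."""
    return struct.unpack("<I", base64.b64decode(b64_6chars + "=="))[0]


def split_vbe(text):
    """Split a .vbe file into ("plain", str) and ("encoded", dict) segments, in order."""
    segments = []
    pos = 0
    for m in VBE_BLOCK.finditer(text):
        if m.start() > pos:
            segments.append(("plain", text[pos:m.start()]))
        body = m.group(2)
        declared_len = _field(m.group(1))
        segments.append(("encoded", {
            "declared_length": declared_len,
            "body_length": len(body),
            # The header length should equal the encoded body length; CRLF is
            # stored as the 4-char escape "@#@&", so it counts as 4 here.
            "length_ok": declared_len == len(body),
            # Checksum field, understood to be the sum of plaintext char codes.
            "declared_checksum": _field(m.group(3)),
            "body": body,
        }))
        pos = m.end()
    if pos < len(text):
        segments.append(("plain", text[pos:]))
    return segments


# Constructed sample: the diary's encoded MsgBox script, preceded by the
# unencoded assignment, followed by a second copy of the same encoded block.
# The whitespace inside the encoded body is reproduced as a single tab (assumed).
ENCODED = "#@~^KgAAAA==\\ko$K6,J2\tmK[+9PdYMkULr@#@&tdo~W6,-CDbl(Vn6g0AAA==^#~@"
SAMPLE = 'variable = "Unencoded string"\r\n' + ENCODED + "\r\n" + ENCODED + "\r\n"

if __name__ == "__main__":
    for kind, seg in split_vbe(SAMPLE):
        if kind == "plain":
            print("PLAIN  :", repr(seg))
        else:
            print("ENCODED: len=%d body=%d ok=%s checksum=%d" % (
                seg["declared_length"], seg["body_length"],
                seg["length_ok"], seg["declared_checksum"]))
```

A length field that does not match the body, or plaintext sitting between blocks, is exactly what stands out in a sample like the maldoc's dropped script, where the URL is left unencoded next to the encoded downloader.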

Please post a comment if you experimented too with VBE scripts.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
IT Security consultant at Contraste Europe.
