SANS ISC: Analyzing Compressed PowerShell Scripts - SANS Internet Storm Center SANS ISC InfoSec Forums
Analyzing Compressed PowerShell Scripts

Malicious document 1d5794e6b276db06f6f70d5fae6d718e contains VBA macros, as can be verified with

Stream 15 is a "Stream O", something we talked about before: these forms are often used to hide the payload.

No surprise here, it contains a BASE64 string:

And that is often indicative of PowerShell scripts.

Decoding the BASE64 string with here:

It's UNICODE (UTF16), a characteristic of encoded PowerShell arguments:

This yields a PowerShell script, with more BASE64.

That BASE64 string is not a PowerShell script:

It's compressed data: DeflateStream. DeflateStream tells us that this is Zlib compression, without header (raw). My tool can be used to decompress this:

This gives us the final PowerShell script, a downloader:

is a tool to transform (translate) byte streams. By default, it operates byte per byte with a given Python expression to translate a single byte.

Option -f directs the tool to operate on the complete byte stream, and the given Python expression is then a function that expects a byte stream. ZlibD and ZlibRawD are built-in Python functions to inflate Zlib compressed data, with header and without header (raw) respectively.
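To make the peeling procedure above concrete, here is an added Python example (my own code for this diary, not one of Didier Stevens' tools) that walks the same layers in the same order: outer BASE64, UTF-16 text, a wrapper script that names DeflateStream and carries a second BASE64 string, and finally raw (header-less) Deflate data that inflates to the real script. The sample encoded command is constructed in the block itself around a harmless placeholder string, so it runs offline; the helper names (build_sample, decode_layers, inflate) are assumptions of this example and not part of translate.py. The header/raw distinction is handled the way the diary describes it: the DeflateStream keyword selects raw inflation, and the other mode is tried as a fallback if that fails.

```python
import base64
import re
import zlib

# Constructed placeholder standing in for the final script; it is NOT the
# downloader from the diary and does nothing when run.
FINAL_SCRIPT = "Write-Output 'placeholder script (constructed sample)'"

# A BASE64 run long enough to be a payload rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def build_sample() -> str:
    """Build an encoded command with the same layering as in the diary:
    script -> raw deflate -> BASE64 -> wrapper script -> UTF-16LE -> BASE64.
    Only used to produce test input; a real analysis starts at decode_layers."""
    co = zlib.compressobj(level=9, wbits=-15)  # wbits=-15: raw deflate, no zlib header
    raw = co.compress(FINAL_SCRIPT.encode("utf-8")) + co.flush()
    inner_b64 = base64.b64encode(raw).decode("ascii")
    wrapper = (
        "$d = [System.Convert]::FromBase64String('%s');"
        "$s = New-Object System.IO.StreamReader("
        "(New-Object System.IO.Compression.DeflateStream("
        "(New-Object System.IO.MemoryStream(,$d)),"
        " [System.IO.Compression.CompressionMode]::Decompress)));"
        "$s.ReadToEnd()" % inner_b64
    )
    # PowerShell's -EncodedCommand takes BASE64 of UTF-16LE text.
    return base64.b64encode(wrapper.encode("utf-16-le")).decode("ascii")


def inflate(data: bytes, mode: str) -> bytes:
    """Equivalent of ZlibRawD ('raw', no header) / ZlibD ('zlib', with header)."""
    return zlib.decompress(data, -15 if mode == "raw" else 15)


def looks_like_utf16le(data: bytes) -> bool:
    """ASCII text encoded as UTF-16LE has a 0x00 as every second byte."""
    return len(data) >= 2 and data[1::2].count(0) > len(data) // 4


def decode_layers(encoded_command: str) -> dict:
    """Peel every layer and return them, so each step can be inspected."""
    outer = base64.b64decode(encoded_command)
    is_utf16 = looks_like_utf16le(outer)
    wrapper = outer.decode("utf-16-le") if is_utf16 else outer.decode("latin-1")

    # DeflateStream in the wrapper means raw deflate; otherwise assume a header.
    mode = "raw" if "DeflateStream" in wrapper else "zlib"
    inner_b64 = max(B64_RE.findall(wrapper), key=len)
    inner = base64.b64decode(inner_b64)

    try:
        script_bytes = inflate(inner, mode)
    except zlib.error:
        # Wrong guess about the header: try the other mode before giving up.
        mode = "zlib" if mode == "raw" else "raw"
        script_bytes = inflate(inner, mode)

    return {
        "is_utf16": is_utf16,
        "compression": mode,
        "wrapper": wrapper,
        "script": script_bytes.decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    layers = decode_layers(build_sample())
    print("UTF-16:", layers["is_utf16"], "compression:", layers["compression"])
    print("wrapper:", layers["wrapper"][:80], "...")
    print("script:", layers["script"])
```

On a real sample you would pass the BASE64 argument of the encoded command to decode_layers and read the returned wrapper and script; the try/except mirrors switching between ZlibD and ZlibRawD when the first attempt raises an error.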


Didier Stevens
Senior handler
Microsoft MVP


ISC Handler
Jul 22nd 2019
Very helpful, thank you. Used this combination today on a file that was inside a .zip attached to an email. Same outcome. The named URL was different, but the target IP was the same.
