8
GCHQ
2y

Does anyone know of any tools for deobfuscating a batch script?

I got one of those scam emails with a .doc file attached and wanted to pull it apart. Embedded in that file is a VBA script that runs as soon as the document is opened. I have figured out how the script works; I just have no idea when it comes to the batch script that it's running. Any help would be appreciated.

Here's a pastebin link with the script: https://pastebin.com/SDWnQc48

Comments
  • 1
    @segfault0xff ok, I now have some assembly by the looks of it. I'm gonna try to figure out what it does, thanks!
  • 0
    Here's a link to the assembly if anyone is interested:

    https://pastebin.com/vacNesmM
  • 6
    @GCHQ the best way to find what a script does is to run it on a live production system, preferably with elevated privileges and with no backups.

    ... what, isn't that how you're supposed to do it?
  • 2
    @theKarlisK so I set up a Windows VM and ran the file. It won't run because of the "&amp"s; removing them and re-running it, I got an issue with the "/c" at the beginning, and now it's not liking the "fOr". Maybe it's not intended to be run on Windows 10.
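    The symptoms in the comment above (ampersands that arrived as HTML entities, a leading `/c`, case-mangled keywords like `fOr`) are layers that can be peeled off statically before reading the script, without ever executing it. The following is an added example for that kind of offline normalisation; it is not code from the thread or from any tool mentioned in it. The `SAMPLE` string is constructed for illustration and does not reproduce the pastebin content; the keyword list and the wrapper pattern are assumptions about typical cmd.exe syntax, not facts about this specific script.

```python
# Added example: static normaliser for a few common batch-script obfuscation
# layers, intended for offline analysis only. It never executes anything.
# Assumes the sample was copied out of an HTML page (so "&" became "&amp;"),
# may start with a "cmd /c" or bare "/c" wrapper, uses caret (^) escapes and
# mixed-case keywords. SAMPLE is a constructed stand-in, not the real script.
import html
import re

SAMPLE = (
    'cmd /c "fOr %i in (a b c) dO (eChO %i) &amp;&amp; sEt x=1 &amp; e^c^h^o done"'
)

# Assumed set of cmd.exe keywords whose case is irrelevant to the interpreter.
KEYWORDS = ("for", "do", "in", "echo", "set", "if", "else", "goto", "call", "start", "exit")


def unescape_html(text: str) -> str:
    """Turn HTML entities (&amp; &lt; &gt; &quot;) back into the raw characters cmd.exe expects."""
    return html.unescape(text)


def strip_cmd_wrapper(text: str) -> str:
    """Remove a leading 'cmd /c' (or a bare '/c') and optional surrounding quotes
    so the inner command line is visible on its own."""
    m = re.match(r'^\s*(?:"?[^"\s]*cmd(?:\.exe)?"?\s+)?/[cCkK]\s+(.*)$', text, re.DOTALL)
    if not m:
        return text
    inner = m.group(1).strip()
    if len(inner) >= 2 and inner[0] == '"' and inner[-1] == '"':
        inner = inner[1:-1]
    return inner


def remove_carets(text: str) -> str:
    """Drop cmd.exe caret escapes (e^c^h^o -> echo). Inside double quotes the
    caret is literal, so it is kept there."""
    out = []
    in_quote = False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == '^' and not in_quote:
            continue
        out.append(ch)
    return "".join(out)


def normalise_keywords(text: str) -> str:
    """Lower-case case-mangled keywords (fOr, dO, eChO) so the script reads normally."""
    pattern = re.compile(r'\b(' + "|".join(KEYWORDS) + r')\b', re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1).lower(), text)


def deobfuscate(text: str) -> str:
    """Apply the layers in the order they were most likely added: HTML escaping
    last (so it is undone first), then the wrapper, then escapes, then case."""
    text = unescape_html(text)
    text = strip_cmd_wrapper(text)
    text = remove_carets(text)
    text = normalise_keywords(text)
    return text


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

    Each pass is a pure string transform, so the output is something to read, not something to run; the environment-variable and substring tricks (`%x:~1,3%`) that heavier obfuscators use are deliberately out of scope here and are better handled by hand or in an isolated VM with networking disabled, as the thread already recommends.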
  • 2
    @GCHQ make sure your VM can't access the internet; some malware can break out of them.
  • 1
    @segfault0xff yeah, I made sure to turn the network connection off.
  • 1
    Not logged into Facebook or Discord on my phone, but when I get back home I'll relay this to the security chaps there, probably someone there knows how to do it. Never had to deal with batch scripts myself so far and I've no idea how the language works so.. ¯\_(ツ)_/¯
  • 1
    I'd probably look at the obfuscators out there though, to see how they obfuscated it in the first place. First one that comes to mind would be msfvenom; chances are that they used that to obfuscate it.
  • 1
    @Condor thanks, that would be a massive help.

    I'll take a look at some obfuscators when I get home. I didn't think to take a look at them; I was more focused on deobfuscators. Thanks!
  • 0
    @GCHQ maybe it's missing some redistributables; also, did you try to run it from PowerShell?