Reverse engineering a VBScript phishing email

Last night, while I was sitting around suffering from a bout of insomnia after working late, I received a phishing email with a thinly disguised VBScript attachment. Since I was wide awake and didn't really have anything else to do, I decided to pull it apart and see what makes it tick. I’m no security researcher, but I have an interest in that area, and I thought it might be an interesting way to kill time.

At the time I received the email, only 2/19 scanners on Jotti recognized the VBS as malware, and 3/19 recognized the zip container it was in.

Obfuscated VBS malware

As you can see from the screenshot, all of the constant, variable and function names have been converted to random strings. Many of the strings have been obfuscated by breaking them down into constituent characters. There are also numerous extraneous variables, functions and pointless IF statements, although the extraneous functions may be part of a standard copy & paste template of functions.

The first thing I did was tidy up the layout of the code, for example indenting each function and IF statement to improve readability. I also concatenated the variables that had been split into characters back together. Then it becomes a bit like a jigsaw puzzle: finding the easy bits and working from there. I started with the obvious ones. For example, given “Set YDh = CreateObject("Scripting.FileSystemObject")”, it’s pretty obvious the variable should be something like objFSO. Examining functions and objects with parameters and comparing them to the documentation lets you make further progress. If you have a WinHttpRequest object, and that object is then being called with “Object.Open "GET", RFz5, False”, you can deduce that RFz5 is a variable containing a URL, and label it as strURL or some such.
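The two mechanical steps described above (joining split strings back together, then naming variables from how the documented API uses them), as an added Python sketch that is not the author's code and does not contain the real attachment. It goes slightly beyond the post by also folding Chr(n) calls; the sample script, the example.invalid URL and the ProgID-to-name table are constructed assumptions.

```python
import re

# Constructed sample in the style the post describes; not the real attachment.
SAMPLE = '''Set YDh = CreateObject("Scri" & "pting.FileSy" & "stemObject")
Set Kq2 = CreateObject("WinHttp.WinHttp" & "Request.5.1")
RFz5 = Chr(104) & "t" & "tp://" & "example" & ".invalid/a"
Kq2.Open "GET", RFz5, False
'''
# Assumed naming table: lower-cased ProgID -> conventional variable name.
PROGID_NAMES = {"scripting.filesystemobject": "objFSO",
                "winhttp.winhttprequest.5.1": "objHTTP"}

STR = r'"((?:[^"\n]|"")*)"'   # VBScript literal; "" is an escaped quote
CONCAT = re.compile(STR + r'[ \t]*[&+][ \t]*' + STR)
CHR = re.compile(r'(?i)\bChrW?\((\d+)\)')

def _chr_literal(m):
    n = int(m.group(1))
    if not 32 <= n < 127:     # leave control characters as Chr() calls
        return m.group(0)
    return '"%s"' % chr(n).replace('"', '""')

def fold_strings(code):
    """Turn Chr(n) into literals, then merge literal & literal until stable."""
    code = CHR.sub(_chr_literal, code)
    prev = None
    while prev != code:
        prev = code
        code = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), code)
    return code

def suggest_names(code):
    """Name variables from API usage: CreateObject ProgIDs, then .Open's URL."""
    names = {}
    for var, progid in re.findall(
            r'(?im)^\s*Set\s+(\w+)\s*=\s*CreateObject\("([^"]+)"\)', code):
        if progid.lower() in PROGID_NAMES:
            names[var] = PROGID_NAMES[progid.lower()]
    for obj, var in re.findall(
            r'(?im)^\s*(\w+)\.Open\s+"(?:GET|POST)"\s*,\s*(\w+)\s*,', code):
        if names.get(obj) == "objHTTP":   # 2nd argument of Open is the URL
            names[var] = "strURL"
    return names

def deobfuscate(code):
    code = fold_strings(code)             # ProgIDs only match once folded
    names = suggest_names(code)
    for old, new in names.items():        # heuristic: also renames in strings
        code = re.sub(r'\b%s\b' % re.escape(old), new, code)
    return code, names
```

Nothing here executes the script; it is treated purely as text, which is the safe way to handle a sample like this.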

After spending a bit of time doing this, and removing the extraneous functions and variables, I had some code that made sense and was easy to follow. The script attempts to make a web request to one of several websites, and if it’s happy with the response, it saves the response body as a .DLL file in the temp folder, then executes it via rundll32 with a couple of parameters.

For obvious reasons I’m not going to post the full code of what I ended up with, but this screenshot of the main code sans functions should give you an idea.

Cleaned up code

I was pleasantly surprised to see that less than 12 hours after I received the email, Microsoft had AV definitions out that detected and removed both the VBS and the container. I’ve heard quite a few people slag off the Microsoft AV product, but given that as of this post only one third (6/18) of the scanners on Jotti had definitions for this, I think they deserve some credit!