This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get the IP/Url from the shellcode.
The Twitter link where this came from can be found Here . The file we will be looking at is found Here.
The first thing we need to do is get a copy of the vba from the site.
We can click on the copy content button in the upper right hand corner to copy it to the clipboard then we can paste it into out favorite text editor.
Just by this it appears to build a PowerShell script.
Here at the bottom of the script we can see that “stringFinal” is the the rebuilt powershell script that will base 64 decode to “Something”. It will run the powershell with shell.
The next question is how do we easily rebuild this base64 string.
In this Link to twitter I was asking people about a Reg-X solution. There were several replies and even a method to make some changes and let it extract itself.
This post is aimed at statically decoding with just my tools. It is just a way to demonstrate how the tools work.
So since the strings are reassembled in order , rather than reassembling by hand we can use Reg-X to clean the base64 string to be able to decode it without having to run it.
If you view the link above you can see part of the thread where Malwrologist @DissectMalware has some screenshots on how to reassemble the base64 string using Notepad ++ and 2 different regular expressions to do the job which was my original goal.
There are also several different suggestions in that thread.
Recently I had built a new tool that does Reg-X replace for a script. The twitter link for that is Here.
There they used Reg-X to decode strings.
So lets try this new tool using the 2 step process.
Using a combination of Reg-X patterns we start with
string[0-9]{1,} = \”
It will clear the name with the number thru the first “
So now we take the output from the first Reg-X replace and put in into the input for the next round using this pattern.
\”\r\n
That will clean the end “ and the newlines thus reassembling the base64 string. It will leave the final “ in the string so that will need to be removed before inputting this in to the base64 decoder.
Here they are still using PowerShell to load the Hex encoded shellcode.
Finally we can highlight and copy paste just the hex encoded shelcode click a button and if nothing goes wrong we get the IP/Url it is calling out to.
Note: This tool does not work on those types that call and load calc.exe or executable those are a different format.
We can also check to see what api’s are found in the shellcode.
Notice the checkboxes up top, those can be unchecked to clean up the not found output.
With some practice this can be extracted and decoded within a few minuets.
That’s it for this one.
Thanks for reading if you got this far.
Links:
Link to original Twitter message.
Link to file.
Link to Twitter thread about Reg-X.
Link to Twitter about script the Reg-X tool was built for.
Link to Github for the Reg-X tool.
Link to Github for Remaining tools for getting the IP and API’s used.
PC's Xcetra Support 
Pingback: Extracting Shellcode from VBA to PowerShell