Recently we caught a VBScript which uses an interesting way to hide its datas.
First, let me open it with UltraEdit.
As you can see, there are lots of “useless” lines, so we need to see its end.
Well, content told us the “useless” lines we saw before are useful, it calculates the length of every line, plus 31, then converts to char, and execute decrypted script.
If you open the script file in hex mode, you can see there are lots of spaces(0x20->” “) in every line. This script uses this skill to hide its datas.
After decryption, it’s clear that the script is a downloader.
Related MD5:
A69EE2F401EA22262F7272DC49FF6A52
3C98965423F814612729273B49F94C9B
X-Sec Antivirus Detection:
Cloud Engine:
Cloud:Trojan.Script.Downloader