Obfuscation in PowerShell_00e7147b41624961837eb71ff5ce0170-140323-1629-1330[.]pdf

Sharing

Copy URL Twitter E-mail

General

Target

Obfuscation in PowerShell_00e7147b41624961837eb71ff5ce0170-140323-1629-1330.pdf
Size

535KB
MD5

0028d8b0bf670afd9e9eaf06fe69c64c
SHA1

73cdf49fe04fb6888a9520a62daa9df31492a83e
SHA256

fac56430b1d3b599a4d5e150db2b51b35630c7ac7720d4160e15bcb3ba5390b1
SHA512

3d040442989ab8314450868f268162459a7d343507b6be6f51b6ffd74df154119fc60141ee05c4c0b0c699f1b17a2ac268960a55880a37a2ae1ad0e09cbc59b0
SSDEEP

12288:k9llysitOVUXRKch3+D8TqljA8OZjO7R+g7XAdeAdkUFvRvPXd1wKHElV:k3lysitOVUXRKch3+D8TqljA8OZjkJXr

Score

3^/10

pdf link

Malware Config

Signatures

One or more HTTP URLs in PDF identified
Detects presence of HTTP links in PDF files.
pdf link

Files

Obfuscation in PowerShell_00e7147b41624961837eb71ff5ce0170-140323-1629-1330.pdf
.pdf
- https://www.danielbohannon.com/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3#protected-event-logging
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_modules?view=powershell-7.3
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_script_blocks?view=powershell-7.3
- https://ossemproject.com/dd/dictionaries/linux/sysmon/event-1.html
- https://falcon.crowdstrike.com/documentation/26/events-data-dictionary#ProcessRollup2
- https://falcon.crowdstrike.com/documentation/26/events-data-dictionary#ScriptControlScanInfo
- https://one.rackspace.com/download/attachments/914565328/Obfuscation%20in%20PowerShell.zip?version=1&modificationDate=1674260056960&api=v2
- https://one.rackspace.com/download/attachments/914565328/test_results.xlsx?version=1&modificationDate=1675892188349&api=v2
- https://one.rackspace.com/download/attachments/914565328/new%20tests.txt?version=1&modificationDate=1675359443659&api=v2
- https://one.rackspace.com/download/attachments/914565328/obfuscation_script_blocks.json?version=1&modificationDate=1675984630991&api=v2
- https://raxglobal.sharepoint.com/:f:/r/sites/SOCHuntingDevelopment/Shared%20Documents/Datasets/T1059.001/Obfuscation?csf=1&web=1&e=bYQWmE
- https://www.leeholmes.com/more-detecting-obfuscated-powershell/
- http://127.0.0.1:8000/en-US/app/search/search?earliest=1675725746&latest=1675725806&q=search%20%60powershell%60%20EventCode%3D4104%20%0A%7C%20eval%20enccom%3Dif(match(ScriptBlockText%2C%22%5BA-Za-z0-9%2B%5C%2F%5D%7B44%2C%7D(%5BA-Za-z0-9%2B%5C%2F%5D%7B4%7D%7C%5BA-Za-z0-9%2B%5C%2F%5D%7B3%7D%3D%7C%5BA-Za-z0-9%2B%5C%2F%5D%7B2%7D%3D%3D)%22)%20OR%20match(ScriptBlockText%2C%20%22(%3Fi)%5B-%5De(nc*o*d*e*d*c*o*m*m*a*n*d*)*%5Cs%2B%5B%5E-%5D%22)%2C2%2C0)%20%0A%7C%20eval%20base64%20%3D%20if(match(lower(ScriptBlockText)%2C%22frombase64%22)%2C%20%222%22%2C%200)%0A%7C%20eval%20PSscript%3Dreplace(ScriptBlockText%2C%20%22%5Cs%22%2C%20%22%22)%0A%7C%20eval%20num_obfuscation%20%3D%20(mvcount(split(ScriptBlockText%2C%22%60%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%5E%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%27%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%2B%22))-1)%20%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%25%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%7B%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%7D%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%2C%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%24%22))-1)%0A%7C%20%60ut_shannon(ScriptBlockText)%60%20%0A%7C%20eval%20length%20%3D%20len(PSscript)%0A%7C%20eval%20obfuscation_random%3Dround(num_obfuscation%2Flen(PSscript)%2C%202)%0A%60%60%60%7C%20eval%20webclient%3Dif(match(lower(ScriptBlockText)%2C%22http%22)%20OR%20match(lower(ScriptBlockText)%2C%22web(client%7Crequest)%22)%20OR%20match(lower(ScriptBlockText)%2C%22socket%22)%20OR%20match(lower(ScriptBlockText)%2C%22download(file%7Cstring)%22)%20OR%20match(lower(ScriptBlockText)%2C%22bitstransfer%22)%20OR%20match(lower(ScriptBlockText)%2C%22internetexplorer.application%22)%20OR%20match(lower(ScriptBlockText)%2C%22xmlhttp%22)%2C5%2C0)%60%60%60%0A%7C%20eval%20compressed%3Dif(match(ScriptBlockText%2C%20%22(%3Fi)GZipStream%7C%3A%3ADecompress%7CIO.Compression%7Cwrite-zip%7C(expand%7Ccompress)-Archive%22)%2C3%2C0)%20%20%0A%7C%20eval%20Score%20%3D%20ut_shannon%20*%20(1-obfuscation_random)%0A%7C%20eval%20Score%3Dround(Score%2C2)%0A%7C%20stats%20values(Score)%20by%20Score%2C%20ut_shannon%2C%20num_obfuscation%2C%20length%20%2C%20obfuscation_random%2C%20enccom%2C%20compressed%2C%20base64%2C%20ScriptBlockText%0A%7C%20sort%20-values(Score)&display.page.search.mode=verbose&dispatch.sample_ratio=1&workload_pool=&display.events.fields=%5B%22EventDescription%22%2C%22Channel%22%2C%22EventID%22%2C%22EventType%22%2C%22Command%22%5D&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&display.statistics.sortColumn=ut_shannon&display.statistics.sortDirection=desc&sid=1675985654.4455
- http://bit.ly/L3g1tCrad1e
- http://Variable/HJ1
- https://www.virustotal.com/gui/file/ddb61d9f52508bd7d23b07ffb2ef3cd3af0554ed0bab250c58791dce2ef0242d/community
- https://www.virustotal.com/gui/file/1ddd2674e556c57193cfede2382b8892d7f3010b44c510804bb7cc07397c5d1c/community
- http://127.0.0.1:8000/en-US/app/search/search?earliest=1675725746&latest=1675725806&q=search%20%60powershell%60%20EventCode%3D4104%20%0A%7C%20eval%20enccom%3Dif(match(ScriptBlockText%2C%22%5BA-Za-z0-9%2B%5C%2F%5D%7B44%2C%7D(%5BA-Za-z0-9%2B%5C%2F%5D%7B4%7D%7C%5BA-Za-z0-9%2B%5C%2F%5D%7B3%7D%3D%7C%5BA-Za-z0-9%2B%5C%2F%5D%7B2%7D%3D%3D)%22)%20OR%20match(ScriptBlockText%2C%20%22(%3Fi)%5B-%5De(nc*o*d*e*d*c*o*m*m*a*n*d*)*%5Cs%2B%5B%5E-%5D%22)%2C2%2C0)%20%0A%7C%20eval%20base64%20%3D%20if(match(lower(ScriptBlockText)%2C%22frombase64%22)%2C%20%222%22%2C%200)%0A%7C%20eval%20PSscript%3Dreplace(ScriptBlockText%2C%20%22%5Cs%22%2C%20%22%22)%0A%7C%20eval%20num_obfuscation%20%3D%20(mvcount(split(ScriptBlockText%2C%22%60%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%5E%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%27%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%2B%22))-1)%20%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%25%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%7B%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%7D%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%2C%22))-1)%20%2B%20(mvcount(split(ScriptBlockText%2C%20%22%24%22))-1)%0A%7C%20%60ut_shannon(ScriptBlockText)%60%20%0A%7C%20eval%20length%20%3D%20len(PSscript)%0A%7C%20eval%20obfuscation_random%3Dround(num_obfuscation%2Flen(PSscript)%2C%202)%0A%60%60%60%7C%20eval%20webclient%3Dif(match(lower(ScriptBlockText)%2C%22http%22)%20OR%20match(lower(ScriptBlockText)%2C%22web(client%7Crequest)%22)%20OR%20match(lower(ScriptBlockText)%2C%22socket%22)%20OR%20match(lower(ScriptBlockText)%2C%22download(file%7Cstring)%22)%20OR%20match(lower(ScriptBlockText)%2C%22bitstransfer%22)%20OR%20match(lower(ScriptBlockText)%2C%22internetexplorer.application%22)%20OR%20match(lower(ScriptBlockText)%2C%22xmlhttp%22)%2C5%2C0)%60%60%60%0A%7C%20eval%20compressed%3Dif(match(ScriptBlockText%2C%20%22(%3Fi)GZipStream%7C%3A%3ADecompress%7CIO.Compression%7Cwrite-zip%7C(expand%7Ccompress)-Archive%22)%2C3%2C0)%20%20%0A%7C%20eval%20Score%20%3D%20ut_shannon%20*%20(1-obfuscation_random)%0A%7C%20eval%20Score%3Dround(Score%2C2)%0A%7C%20stats%20values(Score)%20by%20Score%2C%20ut_shannon%2C%20num_obfuscation%2C%20length%20%2C%20obfuscation_random%2C%20enccom%2C%20compressed%2C%20base64%2C%20ScriptBlockText%0A%7C%20sort%20-values(Score)&display.page.search.mode=verbose&dispatch.sample_ratio=1&workload_pool=&display.events.fields=%5B%22EventDescription%22%2C%22Channel%22%2C%22EventID%22%2C%22EventType%22%2C%22Command%22%5D&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&display.statistics.sortColumn=obfuscation_random&display.statistics.sortDirection=desc&sid=1675985654.4455
- https://github.com/danielbohannon/Revoke-Obfuscation
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_group_policy_settings?view=powershell-7.3
- https://www.mandiant.com/resources/blog/greater-visibility
- https://docs.splunk.com/Documentation/UBA/5.1.0.1/GetDataIn/AddPowerShell
- http://github.com
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmonhttps://ossemproject.com/dd/dictionaries/linux/sysmon/event-1.htmlCrowdStrike
- http://falcon.crowdstrike.com/documentation/26/events-data-dictionary#ProcessRollup2ScriptControlDetectInfoThis
- https://falcon.crowdstrike.com/documentation/26/events-data-dictionary#ScriptControlScanInfoScriptControlScanInfoDescription:
- https://falcon.crowdstrike.com/documentation/26/events-data-dictionary#ScriptControlScanInfoFieldScriptContentRelevant
- http://PowerShell.zip
- http://RuNtIme.in
- http://schemas.microsoft.com/win/2004/08/events/event
- http://Io.st
- http://sySTem.Io.COmPREsSIon.de
- http://bit.ly
- http://Default_File_Path.ps
- http://bit.ly/L3g1tCrad1e';SIVariable:/0W
- http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1IEX
- https://www.virustotal.com/gui/file
- http://Tests.ps
- Show all