{
	"id": "79110e98-81df-43ab-bddf-e9fbcd4fd335",
	"created_at": "2026-04-06T00:19:17.035471Z",
	"updated_at": "2026-04-10T03:30:33.933246Z",
	"deleted_at": null,
	"sha1_hash": "110187b9b61e382658e16fd155490611ed805622",
	"title": "Malware Monday: VBScript and VBE Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 825428,
	"plain_text": "Malware Monday: VBScript and VBE Files\r\nBy Matt B\r\nPublished: 2016-12-27 · Archived: 2026-04-05 19:23:11 UTC\r\nI’ll begin with a continued Happy Holidays! I know many colleagues and friends who are enjoying this in-between week on vacation, and I hope most of you are enjoying it away from the keyboard. You’ve earned it!\r\nIn last week’s Full Packet Friday, I analyzed a PCAP file that contained a VBE script that, upon execution,\r\ndownloaded and executed additional malware. In the post I briefly touched upon the VBE file, but I wanted to\r\nrespond to a request to dig into VBE files a bit further. If the recent PCAP example wasn’t enough, VBE scripts\r\nare still utilized by attackers and, unfortunately, still successful in evading endpoint detection mechanisms.\r\nVBScript\r\nBefore getting into VBE files, let’s first look at their origin. Microsoft Visual Basic Scripting Edition, or\r\n“VBScript”, is an Active Scripting language developed by Microsoft. The language is based on Visual Basic\r\n(hence the super stealthy name), and has been around for about 20 years!\r\nVBScript originally gained popularity as a resource for Windows system administrators to manage their\r\ncomputers. In a nutshell, it allows for control over many functions of a host, and is installed by default. It’s simple\r\nto read and simple to write. Here’s some sample VBScript to display the current date/time:\r\nWScript.Echo Now()\r\nYou may be thinking “Wait, VBScript sounds a lot like PowerShell”, and you wouldn’t be wrong. One core\r\ndifference to know is that VBScript utilizes Component Object Model (“COM”) components while PowerShell is\r\nbuilt on .NET. A lot of recent development has gone into building out PowerShell as THE system administrator’s\r\ntool, however VBScript is still available, still executed, and still works.\r\nIn many situations, VBScript is just as powerful as PowerShell. 
It can be used to perform functions such as Active\r\nDirectory management, group policy implementation, or interaction with your host’s hardware. It can read/modify the\r\nRegistry, connect to WMI, and execute on a remote host. Many system administrators have had to lean on\r\nVBScript in some way, shape, or form in the past, and are quite adept at it.\r\nVBScript is/was also used heavily in web development, and can be found both client- and server-side. VBScript is\r\none of the languages that can be used for Active Server Pages, or “ASP”, web design, for example. Scripting\r\nblocks inside of ASP were often delimited by the characters \u003c% and %\u003e. Here’s the same Now() example from\r\nabove, but displayed in a web page:\r\nhttps://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16\r\nPage 1 of 6\n\n\u003chtml\u003e\r\n \u003cbody\u003e\r\n The current date and time is \u003c% Now() %\u003e\r\n \u003c/body\u003e\r\n\u003c/html\u003e\r\nIt was supported in Internet Explorer, and yes, was most likely the reason why a lot of intranet web pages\r\n“required” Internet Explorer where other browsers failed (among numerous other lack-of-backwards-compatibility issues). I’m reaching back into old enterprise days; hopefully I’m not alone in those horrible memories.\r\nLastly, it is important to note that VBScript was deprecated as of Internet Explorer 11.\r\nVBE\r\nWith an understanding of VBScript, let’s discuss how VBE came into play. As I briefly mentioned, VBScript was\r\noften used in web development. As ASCII text, it was not much effort to read, understand, and modify code. It\r\nwas also very easy to steal. Microsoft addressed this issue by offering Script Encoding. This mechanism encoded\r\nthe scripts into unreadable text, but the scripts could still execute. 
It was touted as a way to help protect intellectual property\r\nas well as maintain script integrity.\r\nEncoding was also used by system administrators who were using VBScript to hop around the network and\r\nperform various functions. Again, knowing that VBScripts were simply ASCII files, users could easily access\r\nthese files and potentially modify them. Worse, they could steal them and give them to a competitor. Even worse yet, ASCII\r\nscripts gave attackers a really easy way to blend into the environment. By encoding, system administrators could\r\nmake the script look like nonsensical text and deter many users from messing with the code.\r\nPopularity with Attackers\r\nThe above paragraphs are not only a brief history of VBScript, but also reasons why VBScript and VBE are\r\npopular with attackers. VBScript has been installed by default on every version of Windows since Windows 98\r\nand NT 4 (with the Option Pack). Despite the deprecation in IE11, VBScript can still be executed on modern\r\nWindows operating systems. The rich features it provides are still largely available, and it can be hidden in a\r\nmyriad of file types/extensions.\r\nAttackers typically love a scripting language that is easy to write and available on almost all, if not all, of their\r\ntarget hosts. VBScript is just that, and has been for many operating systems now. Attackers also love to utilize\r\nscripts that blend in with normal operations — hiding in plain sight, if you will. In many enterprises, VBScript\r\nwas used heavily and executed often. Additionally, if a system administrator is using VBScript, there’s a high\r\nchance that those files are allowed on systems and not blocked or inspected.\r\nLastly, with built-in encoding and decoding functions, as well as the ability to build in obfuscation, attackers have\r\nnearly endless possibilities for ensuring that their code gets executed on the target host. 
All of these capabilities come\r\nwithout needing to install any software or ensure compatibility.\r\nAnalyzing VBE\r\nApologies for the wall of text above, but it’s important to lay the groundwork for what we’re examining here. Let’s\r\nget to the fun part, and say you encounter a malicious VBE file. Going back to last Friday’s PCAP, here’s an\r\nexample of a VBE script:\r\nVBE text, UTF-16, displayed in HxD\r\nA few things should jump out. First, it’s very tough to read anything! Second, it appears that the text from the\r\nPCAP is in UTF-16. Let me quickly convert that to UTF-8, just to prove a point about the encoding:\r\nVBE text, converted to UTF-8, displayed in HxD\r\nStill can’t read anything! The need to convert to UTF-8 was to get our decoding tool to work.\r\nAuthor’s note: If you ever run into issues with decoding tools, check the encoding of your encoded text :)\r\nThere are some fantastic tools out there to decode VBE files. Many of the original tools were written in\r\nVBScript, and allowed for dragging and dropping of encoded scripts. As I am very rarely analyzing VBScript\r\ninside of a Windows environment, I tend to rely on other mechanisms.\r\nDidier Stevens has published a really nifty VBE decoding script over at his website. This script became part of my\r\narsenal as soon as it was released. 
Running the encoded text through Didier’s script gives us the decoded script\r\ncontents:\r\npython decode-vbe.py script_utf-8\r\nDim ObjShell:set ObjShell=CreAteObjEct(\"WScript.Shell\"):Const quote=\r\nI love that, in this example, the attacker is using VBScript to call PowerShell to download a file named w7.txt.\r\nWith the CreAteObjEct(“WScript.Shell”) call, the attacker sets ObjShell to a shell object that can\r\nexecute code. As discussed in the PCAP analysis, this text file contained additional malicious code.\r\nAnd... that’s it! It really is that simple. However, we’ve now got an idea of what types of language(s) our attackers\r\nlike to use as stage 0 or stage 1 droppers.\r\nA huge thanks to Didier for creating and releasing that script; it has certainly made the DFIR life easier.\r\nDetecting VBE Files\r\nBefore wrapping this post up, I wanted to take a moment and discuss potential ways to detect these malicious\r\nfiles. Here are a few thoughts, especially for internal DFIR teams or threat hunters:\r\nVBE files are, based on my experience, extremely rare in legitimate use these days. Rare enough that when\r\nI’ve come across them, I usually flag them and get an answer as to their origin.\r\nIf you’ve got the ability to peek into HTTP traffic, put an alert or two together for .vbe files. Again, these\r\nare becoming increasingly rare, especially with the IE11 deprecation. I’d also go as far as to say that VBE\r\nfiles requested from an external site should be flagged. Take a look at the HTTP data from last Friday’s\r\nPCAP:\r\nScreenshot of Wireshark showing HTTP Headers with a .vbe file request\r\nIf you’ve got the ability to do file-level introspection, perhaps look for VBE files. 
Very rarely will these\r\nfiles be hanging around for a while, but you might just get lucky if an attacker is utilizing VBE files to\r\nmove laterally. With his decoding script, Didier also released a YARA rule for VBE files.\r\nRemember, this is code designed to execute in a Windows environment. Get into a VM or a non-Windows\r\nanalysis environment, and analyze safely there.\r\nAdditional Notes\r\nI didn’t go into it in any detail, but Microsoft has also released its own version of JavaScript (with a few\r\nmodifications) called JScript. It’s actually as old as VBScript, and support for JScript was released at the same\r\ntime. JScript also has its own encoding capabilities, and you may come across a JSE file. This is, obviously,\r\nencoded JScript.\r\nOne More Thing\r\nIn my research on VBScript, I came across one of my favorite Stack Overflow Answer sections. Here’s a\r\nscreenshot:\r\nSarcasm on the Internet never fails to amuse\r\nUntil tomorrow, Happy Forensicating!\r\nSource: https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16"
	],
	"report_names": [
		"malware-monday-vbscript-and-vbe-files-292252c1a16"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/110187b9b61e382658e16fd155490611ed805622.pdf",
		"text": "https://archive.orkl.eu/110187b9b61e382658e16fd155490611ed805622.txt",
		"img": "https://archive.orkl.eu/110187b9b61e382658e16fd155490611ed805622.jpg"
	}
}