Static analysis of Rana’s (APT39) VBS malware sample.

Adetomiwa, published in System Weakness, Feb 10, 2022


The FBI identified several malicious VBS scripts used by Rana (APT39). The VBS malware was delivered embedded in Microsoft Office documents: when the document is opened, its macro code deobfuscates and drops two VBS scripts (see IOCs below).

Fig 1.0: oledump showing document streams and macros
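Once the scripts have been carved out of the document (the streams oledump lists above), the first static step is usually undoing string obfuscation so that object names and commands become greppable. The following is an added example, not code from the original post and not the APT39 sample: it runs a constructed, dropper-style VBS stub (labelled as such in the code) through a small Python decoder for two common tricks, Chr()/ChrW() concatenation and StrReverse(), then pulls out the object names and suspicious keywords that remain. The sample text, the indicator list and the function names are all assumptions made for the example.

```python
"""Static triage of a Chr()/StrReverse-obfuscated VBScript (added example)."""
import re

# Constructed sample, NOT the APT39 script: a dropper-style stub that hides
# its strings the way many VBS loaders do. The decoder below is generic.
SAMPLE_VBS = r'''
Set o = CreateObject(Chr(87)&Chr(83)&Chr(99)&Chr(114)&Chr(105)&Chr(112)&Chr(116)&Chr(46)&Chr(83)&Chr(104)&Chr(101)&Chr(108)&Chr(108))
x = StrReverse("exe.dmc")
p = Chr(112) & "ower" & Chr(115)&Chr(104)&Chr(101)&Chr(108)&Chr(108)
o.Run x & " /c " & p & " -nop -w hidden -enc AAAA", 0, True
'''

# A run of one or more Chr(n)/ChrW(n) calls joined by "&".
CHR_CHAIN = re.compile(
    r'(?:Chr[W]?\(\s*\d+\s*\)\s*&\s*)*Chr[W]?\(\s*\d+\s*\)', re.IGNORECASE)
# StrReverse("literal"); VBS escapes a quote inside a literal as "".
STRREVERSE = re.compile(r'StrReverse\(\s*"((?:[^"]|"")*)"\s*\)', re.IGNORECASE)
# Two string literals joined by "&", e.g. "po" & "wershell".
ADJ_LITERALS = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')

# Assumed watch-list for the example; extend it for your own triage.
SUSPICIOUS = ["WScript.Shell", "Scripting.FileSystemObject", "MSXML2.XMLHTTP",
              "ADODB.Stream", "Shell.Application", "powershell", "cmd.exe",
              ".Run", "Execute", "ExecuteGlobal", "RegWrite"]


def _chr_chain_to_literal(m):
    # "Chr" and "ChrW" contain no digits, so every number in the match is an argument.
    codes = [int(n) for n in re.findall(r'\d+', m.group(0))]
    text = ''.join(chr(c) for c in codes)
    return '"' + text.replace('"', '""') + '"'


def _strreverse_to_literal(m):
    raw = m.group(1).replace('""', '"')
    return '"' + raw[::-1].replace('"', '""') + '"'


def decode_strings(src):
    """Rewrite Chr chains and StrReverse calls as plain literals, then merge
    adjacent literals until nothing changes (a chain may need several passes)."""
    out = CHR_CHAIN.sub(_chr_chain_to_literal, src)
    out = STRREVERSE.sub(_strreverse_to_literal, out)
    while True:
        merged = ADJ_LITERALS.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if merged == out:
            return out
        out = merged


def triage(src):
    """Return the decoded script plus the indicators a reviewer greps for."""
    decoded = decode_strings(src)
    created = re.findall(r'CreateObject\(\s*"((?:[^"]|"")*)"', decoded, re.IGNORECASE)
    lowered = decoded.lower()
    hits = [kw for kw in SUSPICIOUS if kw.lower() in lowered]
    return {"decoded": decoded, "create_object": created, "indicators": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    print(result["decoded"])
    print("CreateObject:", result["create_object"])
    print("indicators:", result["indicators"])
```

The regex rewrites are a triage aid, not a VBScript interpreter: they only fold constant expressions. Strings built at run time (Mid/Replace loops, values read from document properties, or code assembled and fed to Execute/ExecuteGlobal) still have to be emulated or stepped through, which is why the decoded text is returned alongside the indicator hits rather than trusted on its own.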

The full FBI report can be found here.

The demo for this analysis can be found on my YouTube.
