Deobfuscate Script using CyberChef – Recipe 0x3

About the Newsletter

Join 100+ subscribers who get 0x1 actionable security bit every week.

In this quick blog post, we’ll explore the various combination of CyberChef operations e.g Subsection, From Base, Fork etc for deobfuscating VBScript used in the RedLine stealer infection chain.

VBScript often employs the ‘chr’ function to obfuscate its code, where ‘chr’ converts Ascii codes to characters e.g. Chr(65) will return ‘A’. In this script it uses simple subtraction before converting the character to Ascii using chr.

Our goal is to demonstrate various CyberChef operations that help us clean up and understand this malicious code effectively.

CyberChef Recipe Overview

  1. Replace ‘&H’ with ‘0x’ using the Find/Replace operation.
  2. Utilize subsection regex to capture the hex part inside chr e.g. chr(303-(0xE9)). Now we can execute other operations on this part of the script
  3. Convert this hex to decimal using the ‘From Base’ operation.
  4. Use regex to capture the part inside chr
  5. Apply subtract operation (Delimiter :) and using From Decimal to deobfuscate the script.


Feel free to follow along by copying the obfuscated VBScript input from my GitHub link.

Input Obfuscated Script
Input Obfuscated Script


After loading the CyberChef recipe, your script should look like the image below.

CyberChef Recipe decode VBScript
CyberChef Recipe decode VBScript

CyberChef Recipe for Deobfuscation

Find_/_Replace({'option':'Simple string','string':'&H'},'0x',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'-('},':',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'))'},')',true,false,true,false)
Regular_expression('User defined','chr\\(([^)]+)\\)',true,true,false,false,false,false,'List capture groups')

According to a recent announcement, Microsoft has stated that VBScript will be removed from Windows in a future release, which is a positive development for us. However, the CyberChef operations mentioned above will still be useful.

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊

Join 100+ subscribers who get 0x1 actionable security bit every week.

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Related Posts