PowerShell Dropper Delivering Formbook, (Thu, Nov 19th)

SANS Internet Storm Center, InfoCON: green 2020-11-19

Summary:

Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I spotted this file yesterday, called 'ad.jpg' (SHA256: b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it's not a picture but a huge text file with Base64-encoded data. The VT score is therefore interesting: 0/61! [1]. Once decoded, we discover the obfuscated PowerShell code. Let's review the techniques implemented by the attacker.

Link:

https://isc.sans.edu/diary/rss/26806

From feeds:

Intel Hub » T01 - SANS Internet Storm Center, InfoCON: green

Tags:

Date tagged:

11/19/2020, 02:57

Date published:

11/19/2020, 00:47