Nymeria's multi-stage obfuscation downloader

Wanted to share a quick post on a neat downloader that goes through multiple stages of obfuscation. The sample can be found here https://app.any.run/tasks/35593a77-04d7-4df3-8e37-ba9b0ea5e691

Specifically, look at the dropped PowerShell script from MsiExec in this screenshot.

For the first stage of obfuscation, we can see the characters used as separator values near the end of the PS1 code:

SPlIT( 'wyN{hZ-}') | % { ([Char] (
Using this, we can then build a quick recipe in CyberChef:

Find_/_Replace({'option':'Regex','string':'[wyN{hZ\\-}]'},' ',true,false,true,false) From_Charcode('Space',16)

As you can see from the above screenshot, we have some more obfuscation here. This one is fun, and as of this writing I'm not sure how to do this in CyberChef, but luckily it is a technique I've seen used by Emotet in the past. Essentially we just need to reorder the data below according to the index provided. I have an old Python script I wrote to handle this task, located Here.
I modified the two variables in the script for this sample and then got the output I was looking for:

This still requires a bit of cleanup because it has multiple "replace" operations. I switched back to CyberChef for this.

Find_/_Replace({'option':'Simple string','string':'i7w'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'gIJ'},'"',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'BHD'},'Zur',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'AkU'},'V4K',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'nkV'},'\'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'dqo'},'\\',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'V4K'},'',true,false,true,false)
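The three decoding stages above (split on the separator characters and convert the hex char codes, reorder the pieces by their `-f` format indices, then run the replace chain) as one added Python script. This is an example written for this post, not the author's script linked above; the blob it decodes is constructed for the demo, while the separator set and the replacement list are the ones from the sample and the CyberChef recipe.

```python
import re

# Separator characters from the sample's SPlIT('wyN{hZ-}') call, as a regex class
SEPARATOR_RE = r"[wyN{hZ\-}]"

# Replacement chain copied from the CyberChef recipe above. Order matters:
# 'AkU' becomes 'V4K' before every 'V4K' is stripped.
REPLACEMENTS = [
    ("i7w", ""), ("gIJ", '"'), ("+", ""), ("BHD", "Zur"),
    ("AkU", "V4K"), ("nkV", "'"), ("dqo", "\\"), ("V4K", ""),
]

def decode_charcodes(blob: str) -> str:
    """Stage 1: split on the separator characters, read each token as a hex char code."""
    tokens = [t for t in re.split(SEPARATOR_RE, blob) if t]
    return "".join(chr(int(t, 16)) for t in tokens)

def reorder_format(expr: str) -> str:
    """Stage 2: evaluate a PowerShell ("{1}{0}..." -f 'a','b',...) index reordering."""
    m = re.search(r'"([^"]*)"\s*-f\s*(.*)', expr, re.S)
    if not m:
        raise ValueError("no -f format expression found")
    fmt, parts = m.group(1), re.findall(r"'([^']*)'", m.group(2))
    return re.sub(r"\{(\d+)\}", lambda idx: parts[int(idx.group(1))], fmt)

def apply_replacements(text: str) -> str:
    """Stage 3: run the replace chain in recipe order."""
    for old, new in REPLACEMENTS:
        text = text.replace(old, new)
    return text

def decode(blob: str) -> str:
    return apply_replacements(reorder_format(decode_charcodes(blob)))

# Constructed stage-1 blob (hex char codes separated by characters from the
# separator set); it is demo data, not data from the sample.
SAMPLE_BLOB = (
    "28w22y7bN31{7dh7bZ30-7d}7bw32y7dN22{20h2dZ"
    "66-20}27w74y70N73{2bh3aZ2f-2f}78w2ey27N2c{"
    "27h67Z49-4a}68w74y41N6b{55h27Z2c-27}69w37y"
    "77N74{65h73Z74-2f}42w48y44N67{49h4aZ27-29}"
)

if __name__ == "__main__":
    stage1 = decode_charcodes(SAMPLE_BLOB)
    print("stage 1:", stage1)
    stage2 = reorder_format(stage1)
    print("stage 2:", stage2)
    print("stage 3:", apply_replacements(stage2))
```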

At this point, I'm looking right at the URI that is decoded here: the docs.google[.]com link. This is the part that is most interesting to me personally. Here is what the document is:

Looks like obvious Base64. The interesting part is this: the decoded PowerShell script has the following line:
FromBase64String(mlink[3]

Interesting that it tells the decoder to start after the dollar signs within this document. A rather benign document in and of itself being used to build the final download phase is kind of interesting to me. In case you're wondering, here is the decoded Base64:

Hopefully someone finds this as interesting as I do. Until next time, happy hunting!