How to de-obfuscate a huge AutoIT script in less than two minutes

March 11, 2020

Imagine this scenario: you’re researching a malware sample whose execution starts by unpacking an archive (usually RAR or ZIP) that came with a suspicious email and launching an AutoIT script stored inside it. You start analyzing the script and get stuck: it is more than 150MB in size! What do you do?

Clearly, you need to de-obfuscate the script. We’ll show you how to do it in less than 2 minutes.

The following tools are required:

The decompiler can only process executables that have an AutoIT script embedded inside; it can’t do anything with a standalone script file.

So, before the decompiler can be applied, the standalone AutoIT script first has to be embedded inside an executable. The Aut2Exe Converter does exactly that:

After the conversion completes, the result is a fully working executable that is approximately 155 times smaller than the original obfuscated script:

Instead of writing scripts to de-obfuscate the script by hand, let the converter do the entire job: its output is clean byte-code with the junk stripped out.

The next step is to feed the executable into the decompiler and get the clear-text script back:

The resulting script file, without all the junk, is approximately 2800 times smaller than its obfuscated counterpart:

Now the script can be analyzed further.
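A quick triage check to run before (or after) the compile-and-decompile round trip, as an added example that is not code from the article: it measures how much of a padded AutoIt script is comment and blank-line junk, which is what the compiler discards. It assumes comment padding is the dominant bloat, which is one common AutoIt obfuscation pattern; the sample script is constructed, not a real dropper.

```python
"""Estimate the share of comment/blank junk in an AutoIt script.
Added example; assumes the padding is mostly #cs/#ce blocks and ';' comments."""
import re

BLOCK_START = re.compile(r"^\s*#(cs|comments-start)\b", re.IGNORECASE)
BLOCK_END = re.compile(r"^\s*#(ce|comments-end)\b", re.IGNORECASE)


def strip_trailing_comment(line: str) -> str:
    """Drop a ';' comment, but keep a ';' that sits inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:          # closing quote (doubled quotes re-open, which is fine)
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == ";":
            return line[:i].rstrip()
    return line.rstrip()


def strip_junk(script: str) -> list[str]:
    """Return the code lines with comment blocks, line comments and blank lines removed."""
    kept = []
    depth = 0                        # #cs/#ce blocks are treated as nestable
    for raw in script.splitlines():
        if BLOCK_START.match(raw):
            depth += 1
            continue
        if BLOCK_END.match(raw):
            depth = max(depth - 1, 0)
            continue
        if depth:
            continue
        code = strip_trailing_comment(raw).strip()
        if code:
            kept.append(code)
    return kept


def junk_ratio(script: str) -> float:
    """Fraction of the script's bytes that are junk (0.0 .. 1.0)."""
    if not script:
        return 0.0
    kept_len = sum(len(line) + 1 for line in strip_junk(script))
    return 1.0 - min(kept_len / len(script), 1.0)


# Constructed sample in the style of a comment-padded AutoIt dropper (not a real sample).
SAMPLE = "\n".join([
    "#cs", "  kjsd87 23klj ...junk block...", "#ce",
    "; junk: jsdf98 sdf98 sdf",
    'Local $p = @TempDir & "\\x;y.exe"   ; ; inside a string must survive',
    "", "; more junk here", "Run($p)",
])

if __name__ == "__main__":
    print("\n".join(strip_junk(SAMPLE)))
    print(f"junk ratio: {junk_ratio(SAMPLE):.0%}")
```

A ratio close to 1.0 on the 150MB file confirms that the size comes from padding the compiler will throw away, so the Aut2Exe round trip above is the right tool; a low ratio means the bloat is something else and needs a closer look.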