SANS Internet Storm Center, InfoCON: green: "404" is not Malware, (Sat, Mar 30th)

Reader Chris submitted a PowerShell log. These are interesting too. Here's what we saw:

A typical downloader command.

When I tried to download this using wget and the URL, I got a 404 page.

Next, I did a search for the URL on the free version of VirusTotal:

The URL has some detections. But more importantly, there is a link to the downloaded file. This can help me find the actual malware that was downloaded:

Notice that the detection count is 0, but that it has a very low community score. It's a very small file: 564 bytes.

And it turns out to be HTML:

This time, VirusTotal can't help me identify the file either: the hash of that small HTML file is the same as the hash of the file I downloaded. It's also a 404 page.

This is something that happens more often on VirusTotal: "404" downloads being scored as malware.

That doesn't mean that the initial file (the PowerShell script) wasn't malware. But what was actually downloaded wasn't malware; it was a 404 page. Probably because the compromised server was cleaned.
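The check described above, written up as an added example (not code from the diary): a small triage helper that hashes a fetched artifact, compares it against the hash VirusTotal reports for the "downloaded file", and flags it when the bytes are really a server error page rather than a payload. The sample 404 body and the `MZ` stub are constructed inputs; the `triage_download` function and its field names are this example's own.

```python
import hashlib
import re

# Constructed sample: a generic Apache-style "404 Not Found" page,
# standing in for what the downloader URL served in the diary.
SAMPLE_404 = b"""<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
"""

# Constructed sample: bytes that look like a real (PE) payload, for contrast.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 600

# Markers that make a small HTML document read like an HTTP error page.
ERROR_PAGE_MARKERS = re.compile(
    rb"<title>\s*(40[0-9]|50[0-9])\b|\bNot Found\b|\bForbidden\b|\bService Unavailable\b",
    re.IGNORECASE,
)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def looks_like_html(data):
    head = data[:512].lstrip().lower()
    return head.startswith(b"<!doctype html") or head.startswith(b"<html")

def looks_like_error_page(data, max_size=4096):
    """True if the artifact is small HTML that reads like a server error page."""
    if len(data) > max_size or not looks_like_html(data):
        return False
    return ERROR_PAGE_MARKERS.search(data) is not None

def triage_download(data, expected_sha256=None):
    """Hash a fetched artifact, optionally compare it with the hash VirusTotal
    lists for the URL's downloaded file, and say whether it is worth analysing."""
    digest = sha256_hex(data)
    result = {"sha256": digest, "size": len(data), "error_page": looks_like_error_page(data)}
    if expected_sha256 is not None:
        # Same hash as VT's sample means VT scored the very same bytes we fetched.
        result["matches_expected"] = digest == expected_sha256.lower()
    if result["error_page"]:
        result["verdict"] = "server error page: payload not retrieved, do not score as malware"
    else:
        result["verdict"] = "candidate payload: analyse"
    return result
```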

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
