BinYamin

Malware Analysis - Unpacking a Multilayered VBScript Worm

Jan 8th, 2023
# Building on the MalwareAnalysisForHedgehogs script to decrypt a VBS worm.
# Link: https://www.youtube.com/watch?v=27PfLWG398A

import re

fname = "unpacked3.vbs"

# Two or more X(<n>) calls joined by "&", e.g. X(104)&X(105).
# A lone X(<n>) call is not captured; single characters are not usually important anyway.
CHAIN = re.compile(r"(X\(\d+\)[&X\(\)\d]+X\(\d+\))")

with open(fname) as f:
    for line in f:
        for item in CHAIN.findall(line):
            # Each argument is a character code; decode the chain into one string literal.
            codes = re.findall(r"X\((\d+)\)", item)
            decoded = "".join(chr(int(num)) for num in codes)
            # VBScript escapes a double quote inside a literal by doubling it.
            dsz = '"' + decoded.replace('"', '""') + '"'
            line = line.replace(item, dsz)
        # capitalize() upper-cases the first character and lower-cases the rest of
        # the line, decoded strings included. Lines already end in "\n", so print
        # must not add a second newline.
        print(line.capitalize(), end="")