#building on MalwareAnalysisForHedgehogs script to decrypt a VBSWorm #Link Here https://www.youtube.com/watch?v=27PfLWG398A import re fname = "unpacked3.vbs" with open(fname) as f: content = f.readlines() for line in content: found = re.findall(r"(X\(\d+\)[&X\(\)\d]+X\(\d+\))", line) #it will not capture if only 1 function call to X() is present; #Single characters are not usually important anyway. for item in found: fCalls = re.findall(r"X\((\d+)\)", item) dsz = '"' for num in fCalls: dsz += chr(int(num)) dsz += '"' line = line.replace(item, dsz) print (line.capitalize())