After de-obfuscating the encrypted layers of code, the Trojan unravels to a simple script with downloading functionality. The script also includes junk instructions to make analysis 'harder', e.g. if 1=2 then Wscript.echo "Impossible!"
Why do they even bother?!
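Junk instructions like the one quoted above can be folded away mechanically before reading the script. The following is an added example, not code from the original post or from Sophos: the function name strip_constant_ifs and the sample script are hypothetical, and it goes slightly beyond the quoted case by handling the other comparison operators and always-true conditions.

```python
import re

# Single-line VBScript If whose condition compares two integer literals,
# e.g.  If 1=2 Then WScript.Echo "Impossible!"
CONST_IF = re.compile(
    r'^\s*if\s+(-?\d+)\s*(<>|<=|>=|=|<|>)\s*(-?\d+)\s+then\s+(?P<body>.+?)\s*$',
    re.IGNORECASE)
OPS = {
    "=": lambda a, b: a == b, "<>": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}
STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')

def strip_constant_ifs(source):
    """Return (kept_lines, removed_lines) with constant-condition Ifs folded."""
    kept, removed = [], []
    for line in source.splitlines():
        m = CONST_IF.match(line)
        if not m:
            kept.append(line)
            continue
        body = m.group("body")
        code_only = STRING_LITERAL.sub("", body)
        # Be conservative: a comment after Then means block form, and an
        # Else branch would need its own folding, so leave both untouched.
        if body.startswith("'") or re.search(r"\belse\b", code_only, re.I):
            kept.append(line)
        elif OPS[m.group(2)](int(m.group(1)), int(m.group(3))):
            kept.append(body)       # always true: keep only the statement
        else:
            removed.append(line)    # never true: dead junk code
    return kept, removed

# Constructed sample script, not taken from the real Trojan.
SAMPLE = "\n".join([
    'Dim total',
    'If 1=2 Then WScript.Echo "Impossible!"',
    'total = 0',
    'if 7 < 3 then total = 99',
    'If 5 = 5 Then WScript.Sleep 10',
    'If 1=2 Then x = 1 Else x = 2',
    'If x = 2 Then WScript.Quit',
])

if __name__ == "__main__":
    kept, removed = strip_constant_ifs(SAMPLE)
    print("\n".join(kept))
    print("-- removed junk --")
    print("\n".join(removed))
```
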
The link in the script brings us to a password-stealing Trojan that drops this picture.
The malware authors have succumbed to such a low point in their miserable lives that they had to resort to such pictures to fool people. Sophos detects the obfuscated VBScript as Troj/Dloadr-CCE and the password-stealing Trojan as Troj/PWS-AQG.