First, we want to see where the bit.ly shortened URL finally resolves to. VirusTotal easily shows this for us:


Based on the extension, this is likely a PowerShell script, and after analyzing the URL, we can confirm that from the final URL: https://urlscan.io/responses/ca50cc0456846fc7412ef6dbe94c54e5130db5ea988f7b6f27576d22724b24a8/

Public scans give us a sense of prevalence by showing who else is analyzing this URL:


Once we have the script we can start analyzing this part of the attack, and I think we’re about to get rick rolled:


This is a quick script to decode the encoded data variable from the script:

# Imports
import base64
import gzip
from io import BytesIO

# Base64-encoded and gzipped data (paste the value of the script's data variable here)
data = 'The base64 chunk of data'

# Decode the base64 string
binary_data = base64.b64decode(data)

# Decompress the gzipped data
with gzip.GzipFile(fileobj=BytesIO(binary_data)) as f:
    decompressed_data = f.read()

# Convert the decompressed data to a string
decoded_string = decompressed_data.decode('utf-8')

# Print the decoded string
print(decoded_string)

This is the decoded output from the script:

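A more defensive variant of the decode step above, as an added example that is not part of the original post: it pulls every long base64 literal out of a script, decodes only those that start with the gzip magic bytes, caps the decompressed size, and also handles UTF-16LE text, which goes beyond the single UTF-8 blob handled above. The function names, the 5 MiB limit and the sample script built by `make_sample` are assumptions made for illustration.

```python
import base64
import gzip
import io
import re
import zlib

MAX_OUTPUT = 5 * 1024 * 1024  # assumed cap: refuse to inflate more than 5 MiB
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking literals
GZIP_MAGIC = b"\x1f\x8b"


def bounded_gunzip(blob, limit=MAX_OUTPUT):
    """Decompress gzip data, failing if the output exceeds `limit` bytes."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as f:
        out = f.read(limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed size exceeds limit")
    return out


def to_text(raw):
    """Decode as UTF-16LE when it looks like it, otherwise as UTF-8."""
    if raw[:2] == b"\xff\xfe" or (len(raw) > 3 and raw[1] == 0 and raw[3] == 0):
        return raw.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    return raw.decode("utf-8", errors="replace")


def decode_layers(script_text):
    """Return the decoded text of every base64+gzip literal found in a script."""
    results = []
    for match in B64_RUN.finditer(script_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue  # looked like base64 but did not decode cleanly
        if not raw.startswith(GZIP_MAGIC):
            continue  # not gzip; leave for manual review
        try:
            results.append(to_text(bounded_gunzip(raw)))
        except (OSError, EOFError, ValueError, zlib.error):
            continue  # corrupt, truncated or oversized stream
    return results


def make_sample(inner, encoding="utf-8"):
    """Build a constructed, harmless stand-in for the downloaded script."""
    blob = base64.b64encode(gzip.compress(inner.encode(encoding))).decode("ascii")
    return f'$data = "{blob}"\n# decode and run $data\n'
```

Calling `decode_layers` on the saved script text returns a list of decoded strings to review; nothing from the script is executed.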

We also used a CyberChef recipe for easier sharing, showing the same decoded data: