Reversing a malicious VBS file (with Python)
Today we received a generic phishing email that contained a link to a zip archive.
After extracting the files there was a .vbs script inside with an interesting format. At first glance this looks to be charcode:
However, this is not the case: there is a function for char code, but on further examination these are all values to subtract from a main value:
Function xucb turns the char codes into cleartext; function fhuba assembles all the data for the WScript call to PowerShell.
At the bottom we can see the charcode 'key' to subtract the above values from to get the true charcode values.
This is simply done in Python: take all the values and put them into an array, then for each value in the array, subtract it from the key (132).
And it prints out this little gem:
Replace all newlines/crlf with regex:
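The decode described above, written out as an added example (this is not the post's own script). The key of 132 is the one the post reports; the list of values is constructed here and decodes to a harmless stand-in string rather than the real PowerShell command, and replacing each newline/CRLF with a single space is my choice for the final regex step.

```python
import re

KEY = 132  # the subtraction 'key' found at the bottom of the script (value from the post)

# Constructed sample values, standing in for the ones pulled out of the .vbs file.
# Each one is subtracted from KEY to give a real character code; these decode to
# "Hello\r\nWorld" so the CRLF clean-up step has something to work on.
SAMPLE_VALUES = [60, 31, 24, 24, 21, 119, 122, 45, 21, 18, 24, 32]


def decode(values, key=KEY):
    """Recover the cleartext: the true char code is key - value, which chr() turns
    into a character. A value larger than the key is not a valid code, so it is
    reported instead of silently producing garbage."""
    chars = []
    for v in values:
        code = key - v
        if code < 0:
            raise ValueError(f"value {v} exceeds key {key}; wrong key or stray number")
        chars.append(chr(code))
    return "".join(chars)


def strip_newlines(text):
    """The post's last step: replace every newline / CRLF with a regex.
    Here each run of CR/LF becomes one space so the command reads on a single line."""
    return re.sub(r"(\r\n|\r|\n)+", " ", text)


def decode_and_flatten(values, key=KEY):
    """Convenience wrapper: subtract from the key, then flatten line breaks."""
    return strip_newlines(decode(values, key)).strip()


if __name__ == "__main__":
    print(decode_and_flatten(SAMPLE_VALUES))
```

Running it prints the decoded stand-in text on one line; pointing `SAMPLE_VALUES` at the numbers lifted from a real sample would print the PowerShell command the script builds, which is what you want in front of you before deciding what the phish was after.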
This was a pretty simple one to reverse, but it had an interesting format I haven't seen in a while.
Nathan Selvaggio, Cyber Security Operations Center Manager | Cyber Security Analyst III at ITT Inc.