(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

I had to help out someone with this sample.

It contains obfuscated strings like these:

Notice the Like operator. This is a strong indication that the strings are obfuscated by adding extra characters (e.g. the string left of the Like keyword). If we remove all these extra characters, we end up with this:

This PowerShell command executes a downloaded EXE and bypasses UAC with the eventviewer method.

If you want more details on the steps I took to deobfuscate these strings, you can watch this video:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
IBM UrbanCode Deploy CVE-2016-2942 Security Bypass Vulnerability
 
IBM UrbanCode Deploy CVE-2016-2941 Local Information Disclosure Vulnerability
 
Internet Storm Center Infocon Status