Concrete signature match: Phish for HTML/Web platform, family Obfuse
Phish:HTML/Obfuse.PC!MTB is an obfuscated, HTML-delivered phishing threat whose goal is to run attacker-controlled code on the victim's system. The macro strings below show the technique: the names of the scripting objects it needs are hidden behind a small decoding helper (Dilnerc) and built from concatenated fragments so that plain string scanning misses them (the spaced fragments decode to WScript.Shell and Run), it uses Scripting.FileSystemObject to write a .js file under the user's profile directory, it fetches further content over HTTP with a GET request, and the dropped script begins with WScript.Sleep(14000), a 14-second delay of the kind commonly used to outlast automated analysis. The PE-side indicators point to abuse of Living Off The Land Binaries (LOLBINs) such as mshta, regsvr32 and rundll32, together with BITS jobs, PowerShell and scheduled tasks, for persistence or further payload delivery.
Relevant strings associated with this threat, each tagged with its signature string type (MACROHSTR_EXT for macro content, PEHSTR_EXT for PE/binary content):
- = CallByName(CreateObject(Dilnerc(" Wx Scx rix ptx. xSx hex xll ")), Dilnerc("Rx xun"), Frame1.Zoom - 99, Jilerdo, Frame1.Zoom - 99) (MACROHSTR_EXT)
- = Environ("USERPROFILE") & "\" & Application.Name (MACROHSTR_EXT)
- .Open "G" + "E" + "T", Url (MACROHSTR_EXT)
- .Run RUNCMD (MACROHSTR_EXT)
- C:\Pro (MACROHSTR_EXT)
- http:// (MACROHSTR_EXT)
- /24.gif (MACROHSTR_EXT)
- licen1 = "fl" + "st" + "udi" + "o" + ".j" + "s" (MACROHSTR_EXT)
- Set fso = CreateObject("Scripting.FileSystemObject") (MACROHSTR_EXT)
- Set fo = fso.CreateTextFile(licen1) (MACROHSTR_EXT)
- fo.WriteLine ignttext (MACROHSTR_EXT)
- = "try {WScript.Sleep(14000);var s = (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated sample hash (SHA-256): 6ff1c82dec854fb2bdce8441e8061c4496f0199a3f96ad0b028699aafbc310d1

Recommended response: immediately isolate the affected system; run a full endpoint scan to remove the threat and any artifacts it generated (for example the .js file dropped under the user's profile directory); block the associated malicious URLs and IP addresses at the network perimeter; and review system logs, scheduled tasks and BITS jobs for signs of further compromise.
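The obfuscation seen in the macro strings above is cheap to undo before matching indicators. The following Python script is an added example, not code from this page or from the signature vendor: it folds concatenated string literals ("fl" + "st" + ... becomes "flstudio.js"), resolves the Dilnerc() calls, and then matches a small set of behavioural indicators against the normalized text. The macro excerpt it scans is constructed from the listed strings, and the Dilnerc decoder is an assumption inferred from them (dropping every 'x' and all whitespace turns " Wx Scx rix ptx. xSx hex xll " into "WScript.Shell" and "Rx xun" into "Run"); the real helper is not on the page.

```python
import re

# Constructed VBA macro excerpt modelled on the MACROHSTR strings listed above.
# It is not taken from a real sample; names such as Dilnerc, licen1, ignttext and
# Frame1.Zoom are reused from the listed strings only to keep the illustration faithful.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    licen1 = "fl" + "st" + "udi" + "o" + ".j" + "s"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set fo = fso.CreateTextFile(Environ("USERPROFILE") & "\" & licen1)
    fo.WriteLine ignttext
    ret = CallByName(CreateObject(Dilnerc(" Wx Scx rix ptx. xSx hex xll ")), Dilnerc("Rx xun"), Frame1.Zoom - 99, Jilerdo, Frame1.Zoom - 99)
    http.Open "G" + "E" + "T", Url
End Sub
'''


def decode_dilnerc(arg: str) -> str:
    """Assumed behaviour of the sample's Dilnerc() helper: drop every 'x' and all
    whitespace. Inferred from the listed strings, where " Wx Scx rix ptx. xSx hex xll "
    must yield "WScript.Shell" and "Rx xun" must yield "Run"."""
    return re.sub(r"[x\s]", "", arg)


def resolve_dilnerc_calls(text: str) -> str:
    """Replace each Dilnerc("...") call with the decoded string literal."""
    return re.sub(r'Dilnerc\("([^"\n]*)"\)',
                  lambda m: '"' + decode_dilnerc(m.group(1)) + '"', text)


def join_concat_literals(text: str) -> str:
    """Collapse chains of literals glued with + or & ("fl" + "st" -> "flst").
    Repeats until nothing changes so arbitrarily long chains fold completely."""
    pair = re.compile(r'"([^"\n]*)"\s*[+&]\s*"([^"\n]*)"')
    prev = None
    while prev != text:
        prev = text
        text = pair.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return text


def normalize_macro(text: str) -> str:
    """Undo both obfuscation layers; decode helper calls first so their results
    can take part in any later concatenation."""
    return join_concat_literals(resolve_dilnerc_calls(text))


# Behavioural indicators, expressed against the normalized (de-obfuscated) text.
INDICATORS = {
    "wscript_shell_object": r'CreateObject\("WScript\.Shell"\)',
    "run_via_callbyname": r'CallByName\([^\n]*"Run"',
    "filesystemobject": r'CreateObject\("Scripting\.FileSystemObject"\)',
    "text_file_dropped": r'\.CreateTextFile\(',
    "js_payload_name": r'"[^"\n]*\.js"',
    "userprofile_path": r'Environ\("USERPROFILE"\)',
    "http_get": r'\.Open\s+"GET"',
}


def scan_macro(text: str) -> list:
    """Return the sorted names of indicators that fire on the normalized macro text."""
    normalized = normalize_macro(text)
    return sorted(name for name, rx in INDICATORS.items()
                  if re.search(rx, normalized, re.IGNORECASE))


if __name__ == "__main__":
    print(normalize_macro(SAMPLE_MACRO))
    print("indicators:", scan_macro(SAMPLE_MACRO))
```

Run it on the extracted VBA of a suspect document (for example the output of a macro-dumping tool) rather than on the raw OLE container. The normalization is deliberately narrow: it only handles the two tricks visible in the listed strings, and a sample that uses Chr()/StrReverse or a different helper name will need the decoder swapped out, which is why the decoding step is kept separate from the indicator table.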