Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform JavaScript, family GuLoader
This is a JavaScript-based GuLoader Trojan, identified by concrete machine learning behavioral analysis, designed as a sophisticated downloader. It uses extensive obfuscation, legitimate Windows utility abuse (e.g., PowerShell, BITS, Mshta, Regsvr32, Rundll32), and persistence mechanisms like scheduled tasks to fetch and execute secondary malicious payloads from external sources.
Relevant strings associated with this threat:
- exe" -Destination (MACROHSTR_EXT)
- "${enV`:appdata} (MACROHSTR_EXT)
- stARt`-slE`Ep 25; (MACROHSTR_EXT)
- ('.'+'/sw"&CHAR(46)&"exe')") (MACROHSTR_EXT)
- ttps://tinyurl.com/y5dsc4ag (MACROHSTR_EXT)
- spp) (SNID)
- WkU0PW (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated file hash: 6e7d9dd5f3eb0f8af293daeb005c28d7c6a7d20c6aab2d2de616eb8f59f2d7a5

Recommended response: Immediately isolate the affected system, ensure Windows Defender has fully quarantined/removed the threat, and perform a comprehensive antimalware scan. Investigate for any secondary payloads dropped or persistence mechanisms established by GuLoader. Block the identified malicious URL (tinyurl.com/y5dsc4ag) at the network perimeter and ensure all systems are patched and updated.