{
	"id": "f38372fd-4779-4549-9af1-2f7739f469c9",
	"created_at": "2026-04-06T00:18:52.403518Z",
	"updated_at": "2026-04-10T03:21:32.448695Z",
	"deleted_at": null,
	"sha1_hash": "752ddf9b1ffa4fdb5c30048cbd26996b3280e8f4",
	"title": "Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1485387,
	"plain_text": "Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 22:44:09 UTC\r\nThe Morphisec Labs team has tracked an obfuscated VBScript package in campaigns since March 2020. Initially,\r\nthe malware campaign was focused on targets within Germany, but has since moved on to additional targets–\r\nexcluding any IP address within Russia or North Korea.\r\nThese VBscripts started in March with delivering Zloader, as previously identified, and have since evolved into a\r\ndelivery mechanism for trojans like Ursnif, Qakbot, and Dridex in addition to Zloader.\r\nThe danger here is that VBScript interpreter comes pre-loaded onto every Windows operating system, and has\r\ndone since Windows 98. Interpreted languages like VBScript, Javascript, or really any text-based script will\r\nalways be difficult for scans to determine whether the code is malicious or not. The reason behind this is that there\r\nis an endless number of possibilities to represent the same command or result.\r\nThe campaign that Morphisec Labs has tracked starts with a zipped obfuscated VBScript file attached to an email.\r\nThe rest of the technical details follow in this blog post.\r\nObfuscated VBScript Technical Overview\r\nThe email the target receives contains a ZIP attachment that appeared to be an invoice, specifying the amount of\r\nthe transaction, date, and transaction number. The goal here, as in most of these emails with false invoices, is that\r\nthe target won’t pay careful attention to the email.\r\nhttps://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex\r\nPage 1 of 8\n\nFigure 1: Malspam ZIP attachment\r\nInside the zip file attachment is a heavily obfuscated Visual Basic Script file with a low detection rate.\r\nFigure 2: VirusTotal low detection rate\r\nThe VBScript employed several techniques to evade sandboxes and make the analysis quite difficult. 
It has many\r\ngarbage variables, comments, decoy functions, and all of the malicious functions are obfuscated.\r\nFigure 3: Heavily obfuscated VBScript\r\nTo simplify our analysis, we wrote a short Python script that removes all the garbage code, comments, and\r\nvariables. The image below illustrates what remained after we ran our Python script.\r\nFigure 4: After the removal of garbage code, comments, and variables.\r\nIt leaves us with just the Visual Basic Script code. ExecuteGlobal commands receive a string as an argument and\r\nexecute the commands in the string. In this case, the argument is in the form of an array that is being converted to\r\na string using mathematical character manipulation. Those strings are functions that are later used by the script\r\n(lines 32-44). This obfuscation method can be easily extracted by replacing ‘ExecuteGlobal’ with ‘WScript.Echo’.\r\nAnti-VM and Anti-Analysis\r\nThe first function calls are used for anti-analysis and anti-virtual machine. If one of the following evasive checks\r\ndetects that it is running under a virtual machine or analysis environment, the attacker logs the IP, deletes the\r\nscript, and pops a fake error message.\r\nFigure 5: Fake error message.\r\nIn addition to checking if the environment is a virtual machine or a sandbox, the Visual Basic Script also performs\r\nthe following actions:\r\nChecks if the amount of physical memory is lower than 1030MB.\r\nChecks if the amount of logical memory is lower than 60GB.\r\nChecks if the number of files in the download folder is lower than 3. This same check is done for the temp\r\nfolder.\r\nChecks if the last boot up time was lower than 10 minutes (some samples use 20 minutes as the time they\r\ncheck for).\r\nChecks if the number of cores is lower than 3.\r\nChecks if the video adapter memory is less than 1500MB.\r\nExtracts the geographical location identifier from the registry path “HKEY_CURRENT_USER\\Control\r\nPanel\\International\\Geo\\Nation” and checks it against the excluded GEOID list. Germany was targeted in the\r\nprevious campaign, and more recent ones have excluded Russia and North Korea.\r\nChecks if one of the processes from the list is running on the system (the list changes between versions).\r\nAlso, it checks if the number of running processes is lower than 28.\r\nIn the previous campaign (April 2020, SHA-1: f4683dccf77a37dbba63c4f4088ce1bed5171ac2) the attacker\r\ncreated a shortcut in the temp directory to mark an infected machine.\r\nFigure 7: First campaign infection mark.\r\nIn the latest campaign, it checks if the VBScript is running on an infected machine by checking if the artifact is\r\nthere. If it detects that it is running on an infected machine it will pop a fake error message, delete the script, and\r\nexit. If not, it will create a new shortcut to mark the infected machine with the new campaign.\r\nFigure 8: Checks if the machine is already infected\r\nIn the final phase (the last three function calls: lines 42-44), the script drops a zip folder by using the same\r\ndecoding technique as used for decoding the functions. The zip folder consists of one dll, which is the payload.\r\nThe others are decoys to hamper analysis.\r\nFigure 9: Dropped ZIP\r\nNext, it unzips the folder and runs the dll using rundll32 or regsvr32.\r\nFigure 10: Runs the script using rundll32\r\nConclusion\r\nSimple obfuscation, or even less-simple obfuscation, of interpreted languages like VBScript is just enough for\r\nattackers to bypass scanning solutions. The simple reason is that, because these are text-based languages, the\r\namount of possibly suspicious terms is endless.\r\nNo matter what obfuscation is used, however, Morphisec’s moving target defense technology prevents the\r\nexecution of the evasive payload, such as Zloader, Ursnif, Qakbot, or Dridex, before any damage is done.\r\nIOCs (SHA-1)\r\nEmail:\r\n2a80a3357994b0ea24832d8aa7c18d4efdaf701b\r\na12e1fec7957efa07498649844ed26b91c1ef0d6\r\nba212c1819fef115142ba0ec545d376f8c998cea\r\nVBS:\r\nef3d638377e245d7f388b41aad5e3525a8ccd2ed\r\ndffea6584a9a89723ae81864cd7a68976b49e62c\r\nee29a9908064d1a6bd54898732e4f8c8606914ba\r\n3f8ddfac37a997a113e131984f189e151ec990b4\r\n14c1aa17661931bed55bdeebc7c3df8d2f03464c\r\n733fc14cfb234f5cd16e05909a5f02e56801d780\r\n62439824c1f73cce160b24ce2ecdc422637dad72\r\na8354753917ad5b417833a24eae8765fd8655f57\r\n0275719274a656be9111408fa73c7145ad16b04d\r\nf13e44b026ad0e1bc08afbf25f17411bb20566e6\r\n809ec6d35efc2b64b85c85a6e26efe7e84bb6b7a\r\nd4b3f7334a8405c0458d86a5a7ac0c97619a93c0\r\nDll:\r\n64c076da46b169c13d1e933f5f420856fe2072dc\r\n8eb9adde4c5f109f7c9a27285b5da091773ad4eb\r\nf89fc63457ce4914b5e41ed0b17af0a9e1ac6119\r\ne3e98f6f780c54a86af046a8612b984dbbe16a24\r\nefa00fb74bd6f635cfd4400df3c56fa35caae10f\r\nba6380216f7e62e3e32d129210a9f13f9bc4f3b5\r\n903019f30ae78d6052c14ecb875f4c35c2ae6404\r\n5a7d276a64bb12b1b312c77da71360b88f793985\r\neb992300f7fd49d3723737a39782bd4c46b4e566\r\ne8b3ec66c28dedaa18b968bcd267a2c912a92e87\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by\r\nMicrosoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at\r\nMorphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex"
	],
	"report_names": [
		"obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex"
	],
	"threat_actors": [],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/752ddf9b1ffa4fdb5c30048cbd26996b3280e8f4.pdf",
		"text": "https://archive.orkl.eu/752ddf9b1ffa4fdb5c30048cbd26996b3280e8f4.txt",
		"img": "https://archive.orkl.eu/752ddf9b1ffa4fdb5c30048cbd26996b3280e8f4.jpg"
	}
}