Dangerously thinBasic

Posted on 2022-02-24 by Dmitry Melikov


Some time ago, we discovered a novel payload delivery method in malicious documents. The focus of this article is to explore this technique through samples of the document. The threat sequence follows the chain of a malicious spreadsheet that downloads an archive containing thinBasic binaries and a malicious thinBasic script.

Image 1: Coercive lure
File Type: Microsoft Excel document

At the time, the file had a relatively low detection rate across AV vendors on VirusTotal.

Image 2: Low AV detection


The volume of samples submitted by VirusTotal users along with consistently low detections indicates a new wave of maldocs being distributed.

Image 3: Embedded logic


To download the payload, the macro connects to a remote server (hxxp://, with the full address as it appears in the sample shown in the graphic above). After the payload is retrieved, it is executed by the same macro.

File Type: Zip archive

The retrieved archive contains an interpreter for the thinBasic scripting language and a malicious script for downloading and running the next stage payload.

Image 4: Content of payload archive
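The archive described above pairs an interpreter with a script. The following is an added example, not InQuest's code or anything shipped with thinBasic, of a simple triage check that flags a zip archive bundling a Windows executable together with a thinBasic script. It assumes thinBasic scripts carry the .tbasic, .tbasicc or .tbasicx extension; the member names and file contents are constructed for the demonstration, and the archive is built in memory so the check runs offline.

```python
"""Added example (not from the article): flag a zip archive that bundles a
Windows executable with a thinBasic script, the combination observed in the
second-stage archive.

Assumptions (not stated by the article): thinBasic scripts use the
.tbasic / .tbasicc / .tbasicx extensions. Member names below are constructed.
"""
import io
import zipfile

THINBASIC_EXTS = (".tbasic", ".tbasicc", ".tbasicx")  # assumption


def _is_pe(head: bytes) -> bool:
    """Cheap PE check: DOS 'MZ' signature at offset 0."""
    return head[:2] == b"MZ"


def inspect_archive(blob: bytes) -> dict:
    """Return the archive members that look like PE files or thinBasic scripts."""
    found = {"pe": [], "thinbasic": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(THINBASIC_EXTS):
                found["thinbasic"].append(name)
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the signature is needed
            if _is_pe(head):
                found["pe"].append(name)
    return found


def is_thinbasic_dropper(blob: bytes) -> bool:
    """True when an executable and a thinBasic script travel in the same archive."""
    found = inspect_archive(blob)
    return bool(found["pe"]) and bool(found["thinbasic"])


def build_sample_archive(with_script: bool = True) -> bytes:
    """Constructed archive for demonstration only; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub: 'MZ' signature followed by padding (constructed).
        zf.writestr("interp/thinBasic_demo.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"nothing here")
        if with_script:
            zf.writestr("run.tbasic", b"' constructed script body\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(is_thinbasic_dropper(build_sample_archive()))       # True
    print(is_thinbasic_dropper(build_sample_archive(False)))  # False
```

The signature check reads only two bytes per member, so the function can run over quarantined downloads at scale; a real deployment would pair it with hashing of the interpreter binary so that a known thinBasic release is recognised rather than re-inspected each time.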


The image below displays and highlights the suspicious contents of the thinBasic script.

Image 5: thinBasic script


The script generates a unique URL and downloads the next stage from the server, following this observed pattern:

{ URL address / unique identifier for the downloader file / specific word from the script / 9-digit randomly generated value }

What follows are examples of generated addresses:
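The pattern above gives defenders a shape to hunt for in web proxy logs. The following is an added example (not part of the original post) that matches request URLs against that shape: a path of exactly three segments, the last of which is a 9-digit number. The hostname example.invalid, the identifier and word values, and the log lines are all constructed; the character set allowed for the identifier segment is an assumption, since the article does not describe it.

```python
"""Added example (not from the article): flag proxy log entries whose URL
matches the observed stage-two download pattern
    <base>/<downloader identifier>/<word>/<9-digit number>

Hostnames, identifiers and log lines are constructed for the demonstration;
the identifier character set is an assumption.
"""
import re
from urllib.parse import urlsplit

# Three path segments; the last must be exactly nine digits.
STAGE2_PATH = re.compile(r"^/([A-Za-z0-9_-]+)/([A-Za-z]+)/(\d{9})$")


def match_stage2_url(url: str):
    """Return (identifier, word, value) when the URL fits the pattern, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    m = STAGE2_PATH.match(parts.path)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


# Constructed proxy lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2022-02-20T10:01:02Z 10.0.0.5 GET http://example.invalid/index.html 200
2022-02-20T10:01:09Z 10.0.0.5 GET http://example.invalid/ab12cd/update/483920176 200
2022-02-20T10:01:10Z 10.0.0.5 GET http://example.invalid/ab12cd/update/12345 404
2022-02-20T10:02:44Z 10.0.0.7 GET https://example.invalid/zz99/update/900112233 200
2022-02-20T10:03:00Z 10.0.0.7 GET http://example.invalid/ab12cd/update/48392017x 404
"""


def scan_log(text: str) -> list:
    """Return (timestamp, client, url, (identifier, word, value)) for each hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        ts, client, _method, url, _status = fields[:5]
        m = match_stage2_url(url)
        if m:
            hits.append((ts, client, url, m))
    return hits


def clients_with_hits(text: str) -> dict:
    """Group matching URLs by client address to see which hosts fetched a stage."""
    grouped = {}
    for _ts, client, url, _m in scan_log(text):
        grouped.setdefault(client, []).append(url)
    return grouped


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(clients_with_hits(SAMPLE_LOG))
```

The match is deliberately strict about the digit count: the 5-digit and the trailing-letter variants in the sample log are rejected, which keeps ordinary three-segment paths from flooding the result. Because the server address is the part most likely to change between waves, the check keys on path shape rather than hostname.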


Unfortunately, we were unable to obtain the final payload of this campaign. However, the infection vector and the unusual way of loading the payload offer useful insight into future distributions. Fetching a payload through this scripting language (thinBasic) is an obscure delivery method not commonly seen in maldoc-driven campaigns.




Samples on InQuest Labs.

in-the-wild threat-hunting