A multi-stage vbs downloader is found being delivered to targets via malspam campaigns which was used to distribute RevengeRAT and WSHRAT. This infection starts from an MHT file contained in a zip document sent over email, which communicates back to the following open directory server: http://newdocreviewonline.3utilities[.]com/
Decoding the characters shows an html file with some VBScript code inside of it that essentially creates a new script called A6p.vbs (stored in AppData/Local) which it then uses to pull down and execute the stage2, a new script called Microsoft.vbs. This stage2 is downloaded from:
https://scisolinc[.]com/wp-includes/Text/microsoft.vbs and is heavily obfuscated.
The RevengeRAT is known for targeting government entities, financial services organizations, information technology service providers and consultancies.