diff --git a/atomics/T1193/PhishingAttachment.xlsm b/atomics/T1193/PhishingAttachment.xlsm new file mode 100755 index 00000000..ee236ea0 Binary files /dev/null and b/atomics/T1193/PhishingAttachment.xlsm differ diff --git a/atomics/T1193/T1193.md b/atomics/T1193/T1193.md index 70875273..da61c338 100644 --- a/atomics/T1193/T1193.md +++ b/atomics/T1193/T1193.md @@ -15,7 +15,7 @@ Data Sources: File monitoring, Packet capture, Mail server, Network intrusion de ## Atomic Tests - [Atomic Test #1 - Download Spearphishing Attachment](#atomic-test-1---download-spearphishing-attachment) - +- [Atomic Test #2 - Download Spearphishing Attachment - VBScript](PhishingAttachment.xlsm)
@@ -26,10 +26,26 @@ this error is happening, but I wanted to at least get the Excel file for anyone **Supported Platforms:** Windows - #### Run it with `powershell`! ``` [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingInvoice.xlsm?raw=true -OutFile PhishingInvoice.xlsm ```
+ +## Atomic Test #2 - Download Spearphishing Attachment - VBScript +The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. + +**Supported Platforms:** Windows + +#### Run it with `powershell`! +```powershell +$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm' +$fileName = 'PhishingAttachment.xlsm' +New-Item -Type File -Force -Path $fileName | out-null +$wc = New-Object System.Net.WebClient +$wc.Encoding = [System.Text.Encoding]::UTF8 +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +($wc.DownloadString("$url")) | Out-File $fileName +``` +
\ No newline at end of file diff --git a/atomics/T1193/T1193.yaml b/atomics/T1193/T1193.yaml index f4fe298a..7565f720 100644 --- a/atomics/T1193/T1193.yaml +++ b/atomics/T1193/T1193.yaml @@ -17,3 +17,20 @@ atomic_tests: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingInvoice.xlsm?raw=true -OutFile PhishingInvoice.xlsm + +- name: Download Phishing Attachment - VBScript + description: | + The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). + The below will successfully download the macro-enabled Excel file to the current location. + supported_platforms: + - windows + executor: + name: powershell + command: | + $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm' + $fileName = 'PhishingAttachment.xlsm' + New-Item -Type File -Force -Path $fileName | out-null + $wc = New-Object System.Net.WebClient + $wc.Encoding = [System.Text.Encoding]::UTF8 + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + ($wc.DownloadString("$url")) | Out-File $fileName \ No newline at end of file
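Review bot: The table-of-contents entry added in the `@@ -15,7 +15,7 @@` hunk of T1193.md links to `PhishingAttachment.xlsm` rather than to an in-page anchor, so following it requests the binary instead of jumping to the test. The existing entry for Atomic Test #1 targets `#atomic-test-1---download-spearphishing-attachment`; the new entry should use the same form for its own heading, i.e. `#atomic-test-2---download-spearphishing-attachment---vbscript`.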
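Review bot: In the `@@ -26,10 +26,26 @@` hunk of T1193.md, the added `$url` is the `blob/master/...` address without `?raw=true`, and the response is read with `DownloadString` and piped to `Out-File`, so the file written to disk will not be the workbook this patch commits. The blob URL without `?raw=true` is the repository's web view of the file, not its contents, and the diff itself records the .xlsm as binary, so decoding it as UTF-8 text and writing it back through `Out-File` changes the bytes even once the URL is fixed. Suggest following the existing Test #1 command (`Invoke-WebRequest -Uri ...?raw=true -OutFile $fileName`) or calling `$wc.DownloadFile($url, $fileName)`; the `New-Item` and `$wc.Encoding` lines can then be dropped. The description's claim that the command "will successfully download the macro-enabled Excel file" should be confirmed by opening the downloaded file in Excel before merging.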
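Review bot: The `name:` added in the T1193.yaml hunk is `Download Phishing Attachment - VBScript`, while the heading added to T1193.md in the same patch is `Download Spearphishing Attachment - VBScript`; use one title in both so the YAML and the markdown do not drift. The `command:` block has the same problem as the markdown copy: a blob URL without `?raw=true`, and a binary file fetched with `DownloadString` and written with `Out-File`. Whatever fix is chosen should be applied here as well. The file also ends without a trailing newline.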