Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Service Execution: Visual Basic
T1059.007 Service Execution: JavaScript
T1105 Ingress Tool Transfer
T1204.002 Malicious Link: Malicious File
The HTML file contains VBScript that uses heavy string-building obfuscation to hide its intent. The script instantiates COM objects such as WScript.Shell and uses ShellExecute, indicating it is designed to download and execute a second-stage payload. The presence of a long base64-like payload further supports this delivery mechanism.
Heuristics (6)
- Reference to ShellExecute API | high | SC_STR_SHELLEXEC | Reference to ShellExecute API
- HTML contains VBScript | high | HTML_VBSCRIPT | Standalone HTML contains VBScript. Local HTML/VBScript documents are a legacy Windows execution surface commonly used in malicious attachments and browser-exploit chains.
- HTML script instantiates ActiveX/COM objects | high | HTML_ACTIVEX_OBJECT | HTML script calls CreateObject/ActiveXObject, allowing it to reach Windows COM objects such as WScript.Shell, XMLHTTP, or ADODB.Stream.
- HTML script builds objects and performs synchronous execution | high | HTML_SCRIPTED_COM_EXECUTION | HTML script dynamically creates objects and calls execution/open methods in a pattern consistent with staged script malware.
- HTML script carries a long base64-like payload | medium | HTML_LONG_BASE64_SCRIPT_PAYLOAD | HTML script contains a long base64-like blob. This is a common payload-staging technique in HTML smuggling and obfuscated script droppers.
- HTML script uses heavy string-building obfuscation | medium | HTML_OBFUSCATED_STRING_BUILDER | HTML script repeatedly builds short string fragments into variables, a common way to hide object names, URLs, and commands from static scanners.