Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.005 Visual Basic
T1204.002 Malicious File
T1140 Deobfuscate/Decode Files or Information
The HTML file contains VBScript that instantiates COM objects such as WScript.Shell and uses heavy string-building obfuscation to hide its actions. The script likely downloads and executes a second-stage payload, as indicated by the 'HTML_LONG_BASE64_SCRIPT_PAYLOAD' and 'HTML_SCRIPTED_COM_EXECUTION' heuristics. The use of the ShellExecute API further supports the execution of downloaded content.
Heuristics (6)
- Reference to ShellExecute API [high] SC_STR_SHELLEXEC: Reference to ShellExecute API.
- HTML contains VBScript [high] HTML_VBSCRIPT: Standalone HTML contains VBScript. Local HTML/VBScript documents are a legacy Windows execution surface commonly used in malicious attachments and browser-exploit chains.
- HTML script instantiates ActiveX/COM objects [high] HTML_ACTIVEX_OBJECT: HTML script calls CreateObject/ActiveXObject, allowing it to reach Windows COM objects such as WScript.Shell, XMLHTTP, or ADODB.Stream.
- HTML script builds objects and performs synchronous execution [high] HTML_SCRIPTED_COM_EXECUTION: HTML script dynamically creates objects and calls execution/open methods in a pattern consistent with staged script malware.
- HTML script carries a long base64-like payload [medium] HTML_LONG_BASE64_SCRIPT_PAYLOAD: HTML script contains a long base64-like blob. This is a common payload-staging technique in HTML smuggling and obfuscated script droppers.
- HTML script uses heavy string-building obfuscation [medium] HTML_OBFUSCATED_STRING_BUILDER: HTML script repeatedly builds short string fragments into variables, a common way to hide object names, URLs, and commands from static scanners.