Guys from Open Analysis have published a video of walking through manually decoding a malicious vbs script that was submitted to them by a viewer. These scripts were being delivered via phishing campaigns and were bundled within encrypted word (docx) documents.
oletools – github.com/decalage2/oletools
oledump – blog.didierstevens.com/2017/03/07/update-oledump-py-version-0-0-27/
psparser – github.com/phishme/malware_analysis/blob/master/scripts/psparser.py
VBCode indenter – vbindent.com/
Windows RE & Internals Lookup – cse.google.com/cse/publicurl?cx=007295992698080651277:dwdifwshwp0
malware-jail – github.com/HynekPetrak/malware-jail