{
	"id": "5f7ad20b-57e0-4b05-a2ba-fdab2ff82bdd",
	"created_at": "2026-04-06T00:14:42.127118Z",
	"updated_at": "2026-04-10T13:11:37.393173Z",
	"deleted_at": null,
	"sha1_hash": "62ae56cfb569b786c3ba0420c26e78fa1103d664",
	"title": "Dissecting Malicious CHM Files and Performing Forensic Analysis – Cyber Forensicator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 496679,
	"plain_text": "Dissecting Malicious CHM Files and Performing Forensic Analysis\r\n– Cyber Forensicator\r\nPublished: 2019-01-20 · Archived: 2026-04-05 22:35:58 UTC\r\nLet’s continue to dissect unusual malicious email attachments used by modern APT. This time I’m going to focus\r\non malicious CHM files used by Silence APT. If you haven’t heard about it for some reason, I would recommend\r\nto read this detailed report by Group-IB, as this APT attacks not only Russian banks, but also banks in more than\r\n25 countries.\r\nIn this post I’ll focus on two recent campaigns – in both of them the attackers used weaponized CHM files:\r\nMaket dizayna debitovoy korp karty.CHM (Debit corporate card design template)\r\nSHA256:\r\nff8b4ceb6b27a339c8ce0ee949f569cfe285d55366dc8763db69e87fa0815dab\r\nПриглашение на конференцию 13012019.chm (Conference invitation 13012019)\r\nSHA256:\r\nc46b1fb735529986b51b789507106b8a81abba5bbdceb9263e99dd87c1866729\r\nLet’s start from what CHM files are. These are Microsoft Compiled HTML Help files. CHM files consist of a\r\ncollection of HTML pages, an index and other navigation tools. As they are compressed, we can use, for example,\r\n7-Zip to browse their contents, let’s start from the first file, “Maket dizayna debitovoy korp karty.CHM”:\r\nThe most interesting file is start.htm, it can be examined with a text or hex editor of your choice, here I use 010\r\nEditor, let’s look at the most interesting part of the file:\r\nAs you can see, we already got quite a lot of info that can help us to create IoC (Indicators of Compromise) list,\r\nbut it looks a bit obfuscated. The thing is – the attackers used an environment variable string substitution,\r\nobfuscation technique FIN7 started to use in June 2017. We can easily deobfuscate it using echo command:\r\nSo, once the victim opens the file, the script inside uses schtasks.exe to create a task with the name “4”, which\r\ndownloads and runs “mnms” from 146.0.77[.]104, then the task is deleted. 
What is “mnms”? It is a VBScript that downloads the next stage.\r\nLet’s look inside the other CHM file:\r\nWe see the same environment variable string substitution trick here, and we can use the echo command again to deobfuscate it:\r\nThis time there are no tasks, but there is still something interesting. Once the file is opened by the victim, the script inside copies cmd.exe to %APPDATA% as dmw.exe and then uses that copy to download and run “rogr.php” from 185.70.186[.]146. Again, “rogr.php” is a VBScript that downloads the next stage.\r\nIf we compare both “start.htm” files, we can see that they have a lot in common. A good start is the environment variable string substitution used for obfuscation in both files; it is not a very common technique. Some parts of the files are almost the same, and at the same time quite unusual, so it seems the attackers used the same template or tool to create them. For example, let’s look at the beginnings of both files:\r\nMaket dizayna debitovoy korp karty.CHM\r\nПриглашение на конференцию 13012019.chm\r\nAs you can see, they are almost identical. Let’s continue with a bit of forensic analysis. Usually it takes the attackers some time to finish the attack: sometimes a week or two, sometimes three months. This means there may be no artifacts of the file being opened, such as MRU entries or LNK files. On the other hand, CHM files are not very common, so you have a good chance of finding quite a few artifacts of users opening them, and hh.exe spawning cmd.exe or schtasks.exe is a strong signal on its own wherever process-creation logging is available. Anyway, I would like to focus on the most unique artifacts left by the execution of the files under analysis.\r\nLet’s go back to our first file, “Maket dizayna debitovoy korp karty.CHM”. It creates a task and then deletes it. This means we are unlikely to find a task file under C:\\Windows\\System32\\Tasks or the matching TaskCache entries in the SOFTWARE hive; the same goes for Volume Shadow Copies, as the task is created, run and deleted immediately. It is a good idea, however, to check Microsoft-Windows-TaskScheduler%4Operational.evtx, which records task registration (event 106), action start and completion (200/201) and deletion (141), so even a task that lived only seconds leaves a create/delete pair there. Two caveats: on Windows 10 and later this log is disabled by default, so it only helps if it was enabled before the incident; and if it is empty, the Security log may still hold events 4698/4699 (scheduled task created/deleted) when the “Other Object Access Events” audit subcategory is on. Here is a good example:\r\nAs for the second file, “Приглашение на конференцию 13012019.chm”, as you remember, it creates a file called “dmw.exe” that is a copy of “cmd.exe”. Since the script does not delete it, the file can be used as an IoC: a cmd.exe lookalike in %APPDATA% carrying the hash, Authenticode signature and version resource (original file name Cmd.Exe) of the host’s System32\\cmd.exe, which is exactly what does not belong in a roaming profile:\r\nEven if this file has been deleted, you still have quite a lot of evidence sources for its execution, such as Prefetch (DMW.EXE-*.pf), Shimcache and Amcache.\r\nAbout the author\r\nOleg Skulkin, GCFA, MCFE, ACE, a DFIR enthusional (enthusiast + professional) and co-author of Windows Forensics Cookbook, Practical Mobile Forensics and Learning Android Forensics.\r\nSource: https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/",
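	"editor_example_env_substitution": "Added example (not code from the post or from the Silence samples): a Python model of the cmd.exe substring expansion that the post deobfuscates with echo, so the trick can be reversed offline and against the victim's environment rather than the analyst's. The environment block and the sample command line are constructed for this example; only the %VAR:~start,length% rules are cmd.exe's. It goes one step beyond the post with obfuscate(), which builds strings of the same kind from plaintext so the expander can be checked by round trip.

```python
import re

# Constructed stand-in for the victim's environment block. The substring
# references pull characters out of whatever these variables hold on the host
# that opened the CHM, so a deobfuscator must be fed that host's values; these
# are the usual defaults of an English Windows install (an assumption, not
# data from the post).
VICTIM_ENV = {
    'COMSPEC': 'C:\\Windows\\system32\\cmd.exe',
    'SYSTEMROOT': 'C:\\Windows',
    'PROGRAMFILES': 'C:\\Program Files',
    'PROGRAMFILES(X86)': 'C:\\Program Files (x86)',
    'COMMONPROGRAMFILES': 'C:\\Program Files\\Common Files',
    'APPDATA': 'C:\\Users\\victim\\AppData\\Roaming',
    'PUBLIC': 'C:\\Users\\Public',
}

# %NAME%, %NAME:~start% and %NAME:~start,length%: the cmd.exe substring syntax.
# Written without regex escapes so the pattern survives JSON and shell quoting.
_REF = re.compile(r'%([A-Za-z_][A-Za-z0-9_()]*)(?::~(-?[0-9]+)(?:,(-?[0-9]+))?)?%')
_IPV4 = re.compile(r'(?<![0-9.])(?:[0-9]{1,3}[.]){3}[0-9]{1,3}(?![0-9.])')


def cmd_substring(value, start, length=None):
    # cmd.exe rules: a negative start counts back from the end, a negative
    # length drops that many characters from the end, and a start past the
    # end yields an empty string.
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start > n:
        return ''
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end]


def deobfuscate(cmdline, env=VICTIM_ENV):
    # One left-to-right pass, as cmd.exe does for %...% references. Names are
    # case-insensitive (the samples mix case on purpose). References to names
    # missing from env are left untouched so that a mismatch between this
    # environment and the victim's stays visible in the output.
    table = {name.upper(): value for name, value in env.items()}

    def expand(match):
        name, start, length = match.groups()
        value = table.get(name.upper())
        if value is None:
            return match.group(0)
        if start is None:
            return value
        return cmd_substring(value, int(start), None if length is None else int(length))

    return _REF.sub(expand, cmdline)


def obfuscate(plaintext, env=VICTIM_ENV):
    # The attacker's side of the trick: every character that occurs in some
    # env value becomes a one-character substring reference to that variable;
    # anything else is emitted literally. Handy for building test cases and
    # for checking that deobfuscate() really inverts the transformation.
    out = []
    for ch in plaintext:
        for name, value in env.items():
            pos = value.find(ch)
            if pos != -1:
                out.append('%' + name + ':~' + str(pos) + ',1%')
                break
        else:
            out.append(ch)
    return ''.join(out)


def defanged_ipv4s(text):
    # IPv4 addresses in the expanded command line, with the last dot bracketed
    # the way the post writes its IoCs, ready to paste into a report.
    found = []
    for ip in _IPV4.findall(text):
        head, _, last = ip.rpartition('.')
        found.append(head + '[.]' + last)
    return found


# Constructed sample in the style the post describes, not the actor's actual
# command line: mixed-case names and a negative offset spelling out a benign
# schtasks query, plus a host from the documentation address range.
SAMPLE = ('%CoMsPeC:~-7,3% /c %PUBLIC:~4,1%chta%PUBLIC:~4,1%k%PUBLIC:~4,1%'
          ' /query /tn 4 & ping 192.0.2.10')

if __name__ == '__main__':
    expanded = deobfuscate(SAMPLE)
    print(expanded)                  # cmd /c schtasks /query /tn 4 & ping 192.0.2.10
    print(defanged_ipv4s(expanded))  # ['192.0.2[.]10']
    print(obfuscate('schtasks /delete /tn 4 /f'))
```

Point deobfuscate() at the victim's real values (the Session Manager Environment key of the SYSTEM hive, or a memory image) whenever the output still contains unexpanded references; running the string through cmd.exe on the analyst's own machine would silently substitute the analyst's values instead.",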
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
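	"editor_example_task_scheduler_log": "Added example (not from the post): Python that performs the check the post recommends against Microsoft-Windows-TaskScheduler%4Operational.evtx, pairing registration (106) and deletion (141) events per task name and reporting tasks that lived only seconds, together with what their 200 events show was launched. The event list is constructed (made-up task names, users and timestamps; only the event IDs and field meanings are Microsoft's). On a real case, export the log to records with these fields first, for example with python-evtx or Get-WinEvent.

```python
from datetime import datetime

BS = chr(92)  # a backslash, kept out of string literals so the sample survives quoting


def tpath(*parts):
    # Task names in the log are rooted paths: a leading backslash, then the
    # folder names separated by backslashes.
    return BS + BS.join(parts)


DEFRAG = tpath('Microsoft', 'Windows', 'Defrag', 'ScheduledDefrag')
CMD = 'C:' + tpath('Windows', 'system32', 'cmd.exe')
USER = 'CORP' + BS + 'j.doe'

# Constructed records mirroring the fields of Microsoft-Windows-TaskScheduler/
# Operational events. The event IDs and their meanings are Microsoft's
# (106 task registered, 200 action started, 201 action completed, 141 task
# registration deleted); task names, times, users and action paths are made up.
EVENTS = [
    {'time': '2019-01-14T09:02:11', 'id': 106, 'task': tpath('4'), 'user': USER},
    {'time': '2019-01-14T09:02:11', 'id': 200, 'task': tpath('4'), 'action': CMD},
    {'time': '2019-01-14T09:02:14', 'id': 201, 'task': tpath('4')},
    {'time': '2019-01-14T09:02:14', 'id': 141, 'task': tpath('4'), 'user': USER},
    {'time': '2019-01-14T10:00:00', 'id': 106, 'task': DEFRAG, 'user': 'SYSTEM'},
    {'time': '2019-01-15T03:00:00', 'id': 200, 'task': DEFRAG,
     'action': 'C:' + tpath('Windows', 'system32', 'defrag.exe')},
    {'time': '2019-01-15T03:20:00', 'id': 201, 'task': DEFRAG},
    {'time': '2019-01-14T11:30:00', 'id': 106, 'task': tpath('Backup'), 'user': 'CORP' + BS + 'admin'},
    {'time': '2019-01-20T11:30:00', 'id': 141, 'task': tpath('Backup'), 'user': 'CORP' + BS + 'admin'},
]


def parse_time(stamp):
    return datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%S')


def short_lived_tasks(events, max_lifetime_seconds=300):
    # Pair each registration (106) with the next deletion (141) of the same
    # task name and report the pairs that lived at most max_lifetime_seconds,
    # together with whatever the task launched in between (200 events). Such
    # a task is gone from the Tasks folder and the TaskCache almost before it
    # is written, so this log is often the only record that it ever existed.
    by_task = {}
    for ev in sorted(events, key=lambda e: parse_time(e['time'])):
        by_task.setdefault(ev['task'], []).append(ev)

    findings = []
    for task, evs in by_task.items():
        registered, actions = None, []
        for ev in evs:
            if ev['id'] == 106:
                registered, actions = ev, []
            elif ev['id'] == 200 and registered is not None:
                actions.append(ev.get('action', ''))
            elif ev['id'] == 141 and registered is not None:
                lifetime = parse_time(ev['time']) - parse_time(registered['time'])
                if lifetime.total_seconds() <= max_lifetime_seconds:
                    findings.append({
                        'task': task,
                        'user': registered.get('user', ''),
                        'registered': registered['time'],
                        'deleted': ev['time'],
                        'lifetime_seconds': int(lifetime.total_seconds()),
                        'actions': actions,
                    })
                registered, actions = None, []
    return findings


if __name__ == '__main__':
    for hit in short_lived_tasks(EVENTS):
        print(hit)
```

A legitimate task that is registered and removed within a few minutes is rare outside installers, so every hit deserves a look; the action path in the 200 event says what actually ran, which is the detail the deleted task file would otherwise have carried.",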
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"
	],
	"report_names": [
		"silence-dissecting-malicious-chm-files-and-performing-forensic-analysis"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62ae56cfb569b786c3ba0420c26e78fa1103d664.pdf",
		"text": "https://archive.orkl.eu/62ae56cfb569b786c3ba0420c26e78fa1103d664.txt",
		"img": "https://archive.orkl.eu/62ae56cfb569b786c3ba0420c26e78fa1103d664.jpg"
	}
}