{
	"id": "eff5a6d4-b60e-4b0b-8818-fb5dfd744251",
	"created_at": "2026-04-06T01:29:54.157959Z",
	"updated_at": "2026-04-10T03:20:22.868183Z",
	"deleted_at": null,
	"sha1_hash": "b6f1f9b467ba523b85acc4be91adf16ae82378c6",
	"title": "Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 733509,
	"plain_text": "Harmful Help: Analyzing a Malicious Compiled HTML Help File\r\nDelivering Agent Tesla\r\nBy Tyler Halfpop\r\nPublished: 2022-05-12 · Archived: 2026-04-06 00:26:41 UTC\r\nExecutive Summary\r\nThis blog describes an attack that Unit 42 observed utilizing malicious compiled HTML help files for the initial\r\ndelivery. We will show how to analyze the malicious compiled HTML help file. We will then follow the chain of\r\nattack through JavaScript and multiple stages of PowerShell and show how to analyze them up to the final\r\npayload.\r\nThe attack is interesting because attackers are often looking for creative ways to deliver their payloads. Their\r\npurpose in doing so is twofold:\r\nAn attempt to bypass security products.\r\nAn attempt to bypass security training.\r\nPotential victims may have been trained to avoid documents, scripts and executables from unknown senders, but it\r\nis important to be careful of almost any filetype.\r\nThis particular attack chain delivered Agent Tesla as the final payload. Agent Tesla is well-known malware that\r\nhas been around for a while. Agent Tesla focuses on stealing sensitive information from a victim’s computer and\r\nsending that information to the attacker over FTP, SMTP or HTTP. It does this primarily via keystroke logging,\r\nscreen capturing, camera recording and accessing sensitive data.\r\nPalo Alto Networks customers are protected from malware families using similar anti-analysis techniques with\r\nCortex XDR or the Next-Generation Firewall with WildFire and Threat Prevention security subscriptions.\r\nMalicious Compiled HTML Help File\r\nThe initial attack sent a 7zip compressed file named ORDER OF CONTRACT-pdf.7z, which contained the single\r\nmalicious compiled HTML help file ORDER OF CONTRACT-pdf.chm (SHA256:\r\n081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa). 
When the victim opens the help file,\r\nthis apparently innocuous window displays.\r\nhttps://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/\r\nPage 1 of 7\n\nFigure 1. Decoy HTML help window.\r\nThe help file can be extracted using 7zip to view the contents. The interesting file is the kkjhk.htm file, which\r\ndisplays the decoy window and executes the code.\r\nFigure 2. The help file contents.\r\nThe file contains obfuscated JavaScript that is executed when the file is opened.\r\nFigure 3. Obfuscated JavaScript code in kkjhk.htm.\r\nWe can deobfuscate this code by opening the file in Chrome and using the Chrome Developer Tools. The code\r\nabove shows that the returned result is stored in the r variable. We can use the JavaScript debugger in\r\nChrome Developer Tools to break on the return statement. After we have halted execution on our breakpoint, we\r\ncan then view the contents of the r variable and copy that for further analysis.\r\nFigure 4. Debugging kkjhk.htm in Chrome Developer Tools.\r\nThe contents of the r variable show the HTML code to display the decoy message and a command to execute\r\nPowerShell.\r\nFigure 5. Deobfuscated contents of kkjhk.htm.\r\nInitial PowerShell\r\nThe obfuscated PowerShell code is executed in the background when the file is opened.\r\nFigure 6. Initial obfuscated PowerShell.\r\nWe can deobfuscate this code so that we can read it more easily by removing the final obfuscated Invoke-Expression cmdlet (I`E`X()). Attackers often insert backticks into sensitive commands like this to avoid simple\r\nstring recognition because PowerShell ignores these characters. 
We can then see that the sample utilizes the\r\nPowerShell Test-Connection cmdlet to ping Google to verify connectivity before continuing. The sample then\r\ndownloads and executes code from http://pk-consult[.]hr/N2.jpg.\r\nFigure 7. Deobfuscated initial PowerShell.\r\nSecond Stage\r\nThe downloaded content is not actually a JPEG, but rather further PowerShell code that is executed. We can see\r\nbelow that it decompresses and loads several byte arrays in memory.\r\nFigure 8. Second stage.\r\nWe can modify the sample to write the byte arrays to files instead of executing them, simply by commenting out\r\nthe execution and adding the file writes.\r\nFigure 9. Writing byte arrays to files.\r\nFinal Agent Tesla Payload\r\nWe are left with a loader DLL in $decompressedByteArray (SHA256:\r\n0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a) and a gzip compressed Agent Tesla\r\nin $vhRo (SHA256: c684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a). The loader\r\nDLL loads Agent Tesla into the RegAsm.exe process to execute.\r\nThis Agent Tesla sample uses FTP and connects to ftp.videoalliance[.]ru for data exfiltration.\r\nConclusion\r\nMalicious actors are often looking for creative or different ways to deliver their malicious payloads. Microsoft\r\nCompiled HTML files are another file format that can be abused by malicious actors in addition to the more\r\ncommon document or script delivery methods used. 
It is important to make sure that users are trained to be careful\r\nwith any attachments, especially from unknown senders.\r\nPalo Alto Networks customers are protected from malware families using similar anti-analysis techniques with\r\nCortex XDR or the Next-Generation Firewall with WildFire and Threat Prevention cloud-delivered security\r\nsubscriptions.\r\nIndicators of Compromise\r\n3446ec621506d87d372c596e1d384d9fd2c1637b3655d7ccadf5d9f64678681e ORDER OF CONTRACT-pdf.7z\r\n081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa ORDER OF CONTRACT-pdf.chm\r\n9ba024231d4aed094757324d8c65c35d605a51cdc1e18ae570f1b059085c2454 N2.jpg\r\n0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a GC.dll\r\nc684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a Agent Tesla dotNet executable\r\nhxxp://pk-consult[.]hr/N2.jpg\r\nftp.videoalliance[.]ru\r\nSource: https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/"
	],
	"report_names": [
		"malicious-compiled-html-help-file-agent-tesla"
	],
	"threat_actors": [],
	"ts_created_at": 1775438994,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6f1f9b467ba523b85acc4be91adf16ae82378c6.pdf",
		"text": "https://archive.orkl.eu/b6f1f9b467ba523b85acc4be91adf16ae82378c6.txt",
		"img": "https://archive.orkl.eu/b6f1f9b467ba523b85acc4be91adf16ae82378c6.jpg"
	}
}