# Malicious Compiled HTML Help File

**[unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/](https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/)**

Tyler Halfpop May 12, 2022

By [Tyler Halfpop](https://unit42.paloaltonetworks.com/author/tyler-halfpop/)

May 12, 2022 at 3:00 PM

[Category: Malware](https://unit42.paloaltonetworks.com/category/malware-2/)

Tags: [AgentTesla,](https://unit42.paloaltonetworks.com/tag/agenttesla/) [anti-analysis](https://unit42.paloaltonetworks.com/tag/anti-analysis/)

This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/malicious-compiled-html-help-file-agent-tesla/)

## Executive Summary

This blog describes an attack that Unit 42 observed utilizing malicious compiled HTML help
files for the initial delivery. We will show how to analyze the malicious compiled HTML help
file. We will then follow the chain of attack through JavaScript and multiple stages of
PowerShell and show how to analyze them up to the final payload.

The attack is interesting because attackers are often looking for creative ways to deliver their
payloads. Their purpose in doing so is twofold:

An attempt to bypass security products.
An attempt to bypass security training.


-----

Potential victims may have been trained to avoid documents, scripts and executables from
unknown senders, but it is important to be careful of almost any filetype.

This particular attack chain delivered Agent Tesla as the final payload. Agent Tesla is wellknown malware that has been around for a while. Agent Tesla focuses on stealing sensitive
information from a victim’s computer and sending that information to the attacker over FTP,
SMTP or HTTP. It does this primarily via keystroke logging, screen capturing, camera
recording and accessing sensitive data.

Palo Alto Networks customers are protected from malware families using similar antianalysis techniques with Cortex XDR or the Next-Generation Firewall with WildFire and
Threat Prevention security subscriptions.

Related Unit 42 Topics [Malware,](https://unit42.paloaltonetworks.com/category/malware-2/) [Agent Tesla,](https://unit42.paloaltonetworks.com/tag/agenttesla/) [anti-analysis](https://unit42.paloaltonetworks.com/tag/anti-analysis/)

## Table of Contents

Malicious Compiled HTML Help File

Initial PowerShell

Second Stage

Final Agent Tesla Payload

Conclusion

Indicators of Compromise

The initial attack sent a 7zip compressed file named ORDER OF CONTRACT-pdf.7z, which
contained the single malicious compiled HTML help file ORDER OF CONTRACT-pdf.chm
(SHA256: 081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa).
When the victim opens the help file, this apparently innocuous window displays.


-----

Figure


1. Decoy HTML help window.


-----

The help file can be extracted using 7zip to view the contents. The interesting file is the
kkjhk.htm file, which displays the decoy window and executes the code.

Figure 2. The help file contents.

The file contains obfuscated JavaScript that is executed when the file is opened.


-----

Figure 3. Obfuscated JavaScript code in kkjhk.htm.
We can deobfuscate this code by opening the file in Chrome and using the Chrome
Developer Tools. The code above shows that the result that is returned is stored in the r
variable. We can use the JavaScript debugger in Chrome Developer Tools to break on the
return statement. After we have halted execution on our breakpoint we can then view the
contents of the r variable and copy that for further analysis.


-----

Figure 4. Debugging kkjhk.htm in Chrome Developer Tools.
The contents of the r variable show the HTML code to display the decoy message and a
command to execute PowerShell.

Figure 5. Deobfuscated contents of kkjhk.htm.

## Initial PowerShell

The obfuscated PowerShell code is executed in the background when the file is opened.


-----

Figure 6. Initial obfuscated PowerShell.
We can deobfuscate this code so that we can read it more easily by removing the final
obfuscated Invoke-Expression cmdlet (I E X()). Attackers often insert backticks into sensitive
commands like this to avoid simple string recognition because PowerShell ignores these
characters. We can then see that the sample utilizes the PowerShell Test-Connection cmdlet
to ping Google to verify connectivity before continuing. The sample then downloads and
executes code from http://pk-consult[.]hr/N2.jpg.

Figure 7. Deobfuscated initial PowerShell.

## Second Stage

The downloaded content is not actually a jpeg, but rather further PowerShell code that is
executed We can see below that it decompresses and loads several byte arrays in memory


-----

Figure 8. Second stage.
We can modify the sample simply to output the byte arrays to files by commenting out the
execution and writing them to files.

Figure 9. Writing byte arrays to files.

## Final Agent Tesla Payload

We are left with a loader DLL in $decompressedByteArray (SHA256:
0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a) and a gzip
compressed Agent Tesla in $vhRo (SHA256:


-----

c684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a). The loader
DLL loads Agent Tesla into the RegAsm.exe process to execute.

This Agent Tesla sample uses FTP and connects to ftp.videoalliance[.]ru for data exfiltration.

## Conclusion

Malicious actors are often looking for creative or different ways to deliver their malicious
payloads. Microsoft Compiled HTML files are another file format that can be abused by
malicious actors in addition to the more common document or script delivery methods used.
It is important to make sure that users are trained to be careful of any attachments,
especially from unknown senders.

Palo Alto Networks customers are protected from malware families using similar anti[analysis techniques with Cortex XDR or the](https://www.paloaltonetworks.com/cortex/cortex-xdr) [Next-Generation Firewall with](https://www.paloaltonetworks.com/network-security/next-generation-firewall) [WildFire and](https://www.paloaltonetworks.com/products/secure-the-network/wildfire)
[Threat Prevention cloud-delivered security subscriptions.](https://www.paloaltonetworks.com/network-security/threat-prevention)

## Indicators of Compromise

3446ec621506d87d372c596e1d384d9fd2c1637b3655d7ccadf5d9f64678681e ORDER OF
CONTRACT-pdf.7z
081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa ORDER OF
CONTRACT-pdf.chm
9ba024231d4aed094757324d8c65c35d605a51cdc1e18ae570f1b059085c2454 N2.jpg
0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a GC.dll
c684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a Agent Tesla
dotNet executable

hxxp://pk-consult[.]hr/N2.jpg
ftp.videoalliance[.]ru

**Get updates from**
**Palo Alto**
**Networks!**

Sign up to receive the latest news, cyber threat intelligence and research from us

[By submitting this form, you agree to our Terms of Use and acknowledge our Privacy](https://www.paloaltonetworks.com/legal-notices/terms-of-use)
Statement.


-----