
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-02-03



Analyzing an HTA file

Published: 2018-02-03
Last Updated: 2018-02-03 23:37:12 UTC
by Didier Stevens (Version: 1)

I received an Invoice.MHT file attached to an email:

The URL points to an HTA file:

We can see a PowerShell command with BASE64. This can be dumped with base64dump:

As expected, it is UNICODE:

We can try to decode this as UTF-16:

And we get an error because of some unprintable characters. These can be seen here:

A trick to deal with such characters is to decode as UTF-16 and encode as ASCII, but ignore errors, like this:
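
The same conversion in Python, as an added example that is not part of the original diary: it pulls the BASE64 argument out of a PowerShell command line, shows the strict conversion failing, then decodes as UTF-16 and encodes as ASCII while ignoring errors. The regular expression, the function names and the sample command are assumptions constructed for illustration; the sample is a harmless `Write-Output` with two non-ASCII characters inserted.

```python
import base64
import re

# Base64 argument of -EncodedCommand or an abbreviation of it (-enc, -e, -ec).
ENC_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def extract_encoded_command(text):
    """Return the raw bytes of the first Base64 PowerShell argument, or None."""
    m = ENC_ARG.search(text)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    return base64.b64decode(b64)

def to_ascii(raw):
    """Decode as UTF-16LE, then encode as ASCII, ignoring errors in both steps."""
    text = raw.decode("utf-16-le", errors="ignore")
    return text.encode("ascii", errors="ignore").decode("ascii")

def dropped_characters(raw):
    """List the code points the ASCII step discards, for the analyst's notes."""
    text = raw.decode("utf-16-le", errors="ignore")
    return sorted({f"U+{ord(c):04X}" for c in text if ord(c) > 0x7F})

# Constructed sample (not from the analysed HTA): a benign command containing
# a no-break space and a zero-width space, encoded the way PowerShell expects.
_PLAIN = "Write-Output\u00a0'constructed\u200b sample'"
SAMPLE_HTA_LINE = ("powershell.exe -NoP -w hidden -enc "
                   + base64.b64encode(_PLAIN.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    raw = extract_encoded_command(SAMPLE_HTA_LINE)
    try:
        raw.decode("utf-16-le").encode("ascii")  # strict conversion
    except UnicodeEncodeError as exc:
        print("strict conversion fails:", exc.reason)
    print(to_ascii(raw))
    print("dropped:", dropped_characters(raw))
```

Ignoring errors silently removes characters, and a removed character can be whitespace (here the no-break space), so tokens may run together in the output; the list of dropped code points shows what was lost.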

The downloaded executable is not detected by a lot of anti-virus programs.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: mht hta