Analyzing an HTA file

I received an Invoice.MHT file attached to an email:

The URL points to an HTA file:

We can see a PowerShell command with a Base64-encoded argument. This can be extracted with base64dump:

As expected, the decoded data is UTF-16 Unicode (the encoding PowerShell uses for encoded commands):

We can try to decode this as UTF-16:

This fails with an error because the decoded text contains some unprintable characters, which can be seen here:

A trick to deal with such characters is to decode as UTF-16 and encode as ASCII, but ignore errors, like this:
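The steps above (find the Base64 blob, decode it as UTF-16, look at the characters that make a straightforward ASCII conversion fail, and strip them by ignoring encode errors) as one small Python script. This is an added example and not base64dump or any other tool from the diary: the `SAMPLE_HTA_LINE` is a constructed stand-in for the PowerShell command line found in the HTA, and the decoded script is a benign `Write-Output` with a BOM (U+FEFF) and a zero-width space (U+200B) inserted to mimic the unprintable characters that broke the decode in the diary.

```python
import base64
import re

# Constructed sample (not from the diary): a benign PowerShell line encoded
# the way -EncodedCommand expects, i.e. UTF-16LE text wrapped in Base64.
# U+FEFF and U+200B are inserted on purpose to stand in for the unprintable
# characters that make a plain ASCII conversion fail.
_PLAINTEXT = "\ufeffWrite-Output \u200b'decoded from an HTA sample'"
_ENCODED = base64.b64encode(_PLAINTEXT.encode("utf-16le")).decode("ascii")
SAMPLE_HTA_LINE = f"powershell.exe -EncodedCommand {_ENCODED}"

# Runs of Base64 alphabet characters (with optional padding); the minimum
# length keeps ordinary words such as 'EncodedCommand' from matching.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def find_base64_blobs(text):
    """Return every Base64-looking run in the text, longest first."""
    return sorted(B64_RE.findall(text), key=len, reverse=True)


def decode_utf16(blob):
    """Base64-decode the blob and interpret the bytes as UTF-16LE.

    'utf-16le' (not 'utf-16') is used deliberately so a leading BOM is kept
    as a visible U+FEFF instead of being silently consumed.
    """
    return base64.b64decode(blob).decode("utf-16le")


def unprintable_chars(text):
    """List the code points that are not printable 7-bit ASCII, in order.

    This is the 'look at what broke the decode' step: anything outside
    0x20..0x7E is reported as U+XXXX so it can be inspected.
    """
    return [f"U+{ord(c):04X}" for c in text if not 0x20 <= ord(c) <= 0x7E]


def strict_ascii_ok(text):
    """True if the text survives a strict ASCII encode, False otherwise."""
    try:
        text.encode("ascii")
        return True
    except UnicodeEncodeError:
        return False


def to_printable(text):
    """The trick from the diary: encode as ASCII and ignore what does not fit."""
    return text.encode("ascii", "ignore").decode("ascii")


def analyze(text):
    """End-to-end: every Base64 blob in the text, decoded and made printable."""
    results = []
    for blob in find_base64_blobs(text):
        try:
            decoded = decode_utf16(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not valid UTF-16LE; skip it
        results.append(to_printable(decoded))
    return results


if __name__ == "__main__":
    for blob in find_base64_blobs(SAMPLE_HTA_LINE):
        decoded = decode_utf16(blob)
        print("strict ASCII ok:", strict_ascii_ok(decoded))
        print("unprintable    :", unprintable_chars(decoded))
        print("cleaned        :", to_printable(decoded))
```

The `unprintable_chars` step is worth keeping in a real workflow rather than jumping straight to the ignore-errors trick: the dropped characters are sometimes deliberate (zero-width characters or a BOM used to break naive string matching), and knowing which ones were present is a detection clue in its own right.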

The downloaded executable is not detected by a lot of anti-virus programs.

Didier Stevens
Microsoft MVP Consumer Security


ISC Handler
Feb 3rd 2018
