
SANS ISC: Analyzing an HTA file - SANS Internet Storm Center


Analyzing an HTA file

I received an Invoice.MHT file attached to an email:

The URL points to an HTA file:

We can see a PowerShell command with a base64-encoded argument. This can be dumped with base64dump:

As expected, it is UNICODE:

We can try to decode this as UTF-16:

And we get an error, because of some unprintable characters. These can be seen here:

A trick to deal with such characters is to decode as UTF-16 and encode as ASCII, but ignore errors, like this:

The downloaded executable is not detected by a lot of anti-virus programs.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
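The decoding steps the diary walks through (find the base64 blob, confirm it is UTF-16, decode it, and drop the characters that break ASCII output) can be reproduced without base64dump. The script below is an added example, not code from the diary or from Didier's tools; the command line it analyses is a constructed, harmless sample rather than the Invoice.MHT payload, and the 80% NUL threshold used to recognise UTF-16LE is an assumption, not a value from the diary.

```python
import base64
import re

# Constructed sample (not the diary's actual HTA): a harmless PowerShell
# one-liner encoded the way -EncodedCommand expects it, UTF-16LE then base64,
# with two non-ASCII characters (a zero-width space and a non-breaking space)
# appended to stand in for the unprintable characters the diary mentions.
_SCRIPT = 'Write-Host "hello"\u200b\u00a0'
SAMPLE_HTA_COMMAND = (
    'powershell.exe -NoP -W Hidden -EncodedCommand '
    + base64.b64encode(_SCRIPT.encode('utf-16-le')).decode('ascii')
)

# Runs of base64 alphabet long enough to be worth decoding; short tokens
# such as option names are skipped. The minimum length is an assumption.
B64_RE = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')


def looks_like_utf16le(raw):
    """Heuristic: UTF-16LE text that is mostly ASCII has a NUL byte in nearly
    every odd position. Returns True if at least 80% of them are NUL."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    odd = raw[1::2]
    return odd.count(0) / len(odd) >= 0.8


def decode_utf16_ignore_nonascii(raw):
    """The diary's trick: decode as UTF-16, then re-encode as ASCII with
    errors ignored, so unprintable or non-ASCII characters are dropped
    instead of raising."""
    text = raw.decode('utf-16-le', errors='replace')
    return text.encode('ascii', errors='ignore').decode('ascii')


def analyse_command(text):
    """Find base64 blobs in a command line, flag those that decode to
    UTF-16LE, and return the cleaned-up text of each."""
    findings = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        utf16 = looks_like_utf16le(raw)
        decoded = decode_utf16_ignore_nonascii(raw) if utf16 else raw.decode('latin-1')
        findings.append({'blob': blob, 'utf16': utf16, 'decoded': decoded})
    return findings


if __name__ == '__main__':
    for finding in analyse_command(SAMPLE_HTA_COMMAND):
        print('utf16:', finding['utf16'])
        print('script:', finding['decoded'])
```

Using `errors='replace'` on the UTF-16 step and `errors='ignore'` on the ASCII step means a sample padded with junk bytes still yields a readable script instead of a traceback; the dropped characters are exactly the ones you would otherwise have to hunt for in a hex dump.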

DidierStevens

218 Posts
ISC Handler
What are &h.. codes?
Anonymous
Posts
Quoting Anonymous: What are &h.. codes?


Example: Chr(&H2E)

The 'H' is for 'hexadecimal'.

0 1 2 3 4 5 6 7 8 9 A B C D E F
2 ! " # $ % & ' ( ) * + , - . /
3 0 1 2 3 4 5 6 7 8 9 : ; < = > ?
4 @ A B C D E F G H I J K L M N O
5 P Q R S T U V W X Y Z [ \ ] ^ _
6 ` a b c d e f g h i j k l m n o
7 p q r s t u v w x y z { | } ~ ⌂

So, '2E' is the ASCII code for the '.' character.

Note that '20' is a "blank", and '21' is "shriek".

Sigh!

While entering/editing the above, the input-window uses a mono-spaced font.
But, displaying the message is done in a different font,
making the table appear "ragged".
Anonymous
Posts
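The `Chr(&H2E)` construct the reader explains above is how an HTA or VBScript dropper can spell out a string one character code at a time so that the readable text never appears in the file. The following is an added example, not code from the diary or from any commenter, that turns such calls back into plain literals; the VBScript line it processes is constructed for the example (the host name uses a reserved example domain), and accepting the decimal form `Chr(46)` alongside the hexadecimal `&H` form goes beyond what the comment describes.

```python
import re

# Constructed sample (not from the diary): a VBScript line of the kind found
# in HTA droppers, assembling a string from hexadecimal Chr() calls.
SAMPLE_VBS = (
    'strURL = Chr(&H68) & Chr(&H74) & Chr(&H74) & Chr(&H70) & Chr(&H3A) '
    '& Chr(&H2F) & Chr(&H2F) & "example" & Chr(&H2E) & "invalid"'
)

# Chr(&H2E) is the hexadecimal form the comment explains; Chr(46) is the
# equivalent decimal form, accepted here as well (a generalization).
CHR_RE = re.compile(r'Chr\(\s*(&H[0-9A-Fa-f]{1,2}|\d{1,3})\s*\)', re.IGNORECASE)


def chr_arg_to_char(arg):
    """Map the argument of a VBScript Chr() call to the character it denotes."""
    if arg[:2].upper() == '&H':
        return chr(int(arg[2:], 16))  # '&H2E' -> 0x2E -> '.'
    return chr(int(arg, 10))          # '46'   -> '.'


def _as_vbs_literal(ch):
    # A double quote inside a VBScript string literal is written as "".
    return '"' + ('""' if ch == '"' else ch) + '"'


def decode_chr_calls(script):
    """Replace every Chr(...) call with the one-character literal it produces."""
    return CHR_RE.sub(lambda m: _as_vbs_literal(chr_arg_to_char(m.group(1))), script)


def join_literals(script):
    """Merge literals that are only concatenated with &: "h" & "t" -> "ht"."""
    return re.sub(r'"\s*&\s*"', '', script)


def deobfuscate(script):
    """Full pass: expand Chr() calls, then collapse the & chains between literals."""
    return join_literals(decode_chr_calls(script))


if __name__ == '__main__':
    print(deobfuscate(SAMPLE_VBS))
```

Run on the sample, `deobfuscate` reduces the chain of ten concatenated calls to the single literal `strURL = "http://example.invalid"`, which is the form worth searching for indicators in; the per-character table the reader posted is what `chr_arg_to_char` encodes.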
As explained by an anonymous reader, these are hexadecimal numbers.

I posted a new diary entry with more details: isc.sans.edu/forums/diary/Analyzing+an+HTA+file+Update/23311/
DidierStevens

218 Posts
ISC Handler
