Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Reader Malware Submission: MHT File Inside a ZIP File

Published: 2018-12-08
Last Updated: 2018-12-08 23:21:05 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Reader Jason submitted a ZIP file received via email. It contains an MHT file, an when Jason received it, it had 0 detections on VirusTotal.

When an analyst receives an unknown file with 0 detections on VirusTotal, the analyst will often try to determine of the file is malicious or not via other means than anti-virus.

For MHT files, Xavier has already explained how they can be malicious in this diary entry.

I take a look at the ZIP file with my zipdump utility:

The extension .mht indicates that it is an MHT file. I use option -e to get more information on the content of the file (together with option -S , to use a comma as separator):

It's a small file (201 bytes decompressed), and it contains ASCII text: 27 whitespace characters and 174 printable ASCII characters (no NULL bytes, no control characters and no non-ASCII bytes).

An ASCII dump (option -a) confirms it's text:

And thus I can safely extract the content to my console:

As Xavier explained in his diary entry on MHT files, this MHT file, when opened, will download and open a JAR file (provided Java is installed).

Files that purport to be documents, but actually download and execute programs, are clearly malicious. I often see that very small files like this MHT file, have 0 detections on VirusTotal when they are submitted right at the beginning of the malware campaign. It's only later, when AV definitions get updated, that the detection rate on VirusTotal increases.

When I performed the initial analysis, the JAR file was no longer available.


Didier Stevens
Senior handler
Microsoft MVP

Keywords: malware mht
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

A Dive into malicious Docker Containers
Dec 7th 2018
2 days ago by Remco (0 comments)

Is it Time to Uninstall Flash? (If you haven't already)
Dec 6th 2018
3 days ago by Rob VandenBrink (2 comments)

Campaign evolution: Hancitor changes its Word macros
Dec 5th 2018
4 days ago by Brad (0 comments)

Malspam pushing Lokibot malware
Dec 4th 2018
5 days ago by Brad (0 comments)

Word maldoc: yet another place to hide a command
Dec 3rd 2018
6 days ago by DidierStevens (1 comment)

View All Diaries →

Latest Discussions

Dedicated development team
created Dec 5th 2018
4 days ago by Anonymous (0 replies)

virtual server design
created Nov 28th 2018
1 week ago by Anonymous (0 replies)

Intern needs help
created Nov 23rd 2018
2 weeks ago by Anonymous (0 replies)

CVE Links Are Broken
created Nov 17th 2018
3 weeks ago by George (1 reply)

Mobile Forensics tools - suggestions?
created Oct 8th 2018
2 months ago by Gary (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
11 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)