Analyzing an HTA file

Published: 2018-02-03. Last Updated: 2018-02-03 23:37:12 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I received an Invoice.MHT file attached to an email:

The URL points to an HTA file:

We can see a PowerShell command with BASE64. This can be dumped with base64dump:

As expected, it is UNICODE:

We can try to decode this as UTF-16:

And we get an error, because of some unprintable characters. These can be seen here:

A trick to deal with such characters, is to decode as UTF-16 and encode as ASCII, but ignore errors, like this:

The downloaded executable is not detected by a lot of anti-virus programs.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords:
0 comment(s)

Comments

Login here to join the discussion.


Diary Archives