Advent of Cyber 2025 - Day 21 - Malware Analysis - Malhare.exe
Malware Analysis: Reverse-Engineering a Malicious HTA
Day 21 – TryHackMe | Advent of Cyber 2025
Introduction
In Wareville, thousands of files flow through systems daily—PDF resumes, DOCX reports, CSV spreadsheets, financial documents, and executables. Most are harmless.
But on Day 21 of TryHackMe’s Advent of Cyber 2025, the TBFC SOC team discovered a malicious HTA (HTML Application) disguised as a salary survey. This task focuses on static malware analysis, reverse-engineering the HTA, and uncovering its data exfiltration techniques.
Learning Objectives
By completing this task, you will learn to:
- Understand HTA files and how they operate
- Identify malicious behavior inside HTA files
- Analyse VBScript functions
- Detect encoded and encrypted payloads
- Trace data exfiltration techniques
- Recognize social engineering and typosquatting
What Are HTA Files?
HTA files are small desktop applications using:
- HTML
- CSS
- JavaScript or VBScript
Unlike normal web pages, HTAs:
- Run directly on Windows
- Execute via mshta.exe
- Have access to system resources
Legitimate Uses
- Automating administrative tasks
- Creating lightweight internal tools
- IT support utilities
Attackers exploit HTAs for malware campaigns because of their system access.
HTA File Structure
- HTA Declaration – Application metadata (name, window style, behavior)
- User Interface (HTML/CSS) – What the user sees
- Script Section (VBScript/JavaScript) – Executes the logic
Attackers hide malicious code mainly in the script section.
How Attackers Weaponize HTA Files
HTAs are often used for:
- Initial access (phishing attachments)
- Payload downloaders
- Command execution
- Living-off-the-Land attacks
Common malicious traits:
- VBScript or PowerShell execution
- Base64-encoded payloads
- Calls to built-in Windows tools
- Hidden or minimized execution windows
Incident Background: The Fake Salary Survey
The SOC team noticed multiple compromised elf laptops. The common factor:
- 📩 An email with an HTA attachment
- 📄 Disguised as a salary survey
The goal: analyse the HTA file to determine its true function.
Static Analysis Approach
To safely inspect the file:
Step 1: HTA Metadata
The <head> section gives the application its title:
“Best Festival Company Developer Survey”
This enhances the social engineering effect.
Step 2: VBScript Functions
The HTA contained five functions:
- window_onLoad – runs on HTA launch
- getQuestions – downloads survey questions and executes content
- provideFeedback – gathers system info and sends externally
- decodeBase64 – decodes Base64 data
- RSBinaryToString – converts binary to readable strings
Step 3: Suspicious Objects
Dangerous Windows objects created:
- InternetExplorer.Application – external web requests
- WScript.Network – collects system details
- WScript.Shell – executes commands
Social Engineering & Typosquatting
The survey UI promised a trip to the South Pole in return for answering 4 simple questions.
Questions downloaded from:
Notice the extra “i” in festiival — a classic typosquatting technique.
Data Exfiltration
Collected information:
- ComputerName
- UserName
Exfiltrated via GET request to /details.
Payload execution:
This confirms remote code execution.
Obfuscation & Decryption
The downloaded payload used:
- Base64 encoding
- ROT13 encryption
After decoding and decrypting, the final flag was revealed:
Flag: THM{Malware.Analysed}
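To show the static checks from Step 3 and the layered decoding above in one place, here is an added Python triage script (my own example, not the room's file or TryHackMe's code). The HTA text, the ProgID list and the Base64/ROT13 blob are all constructed for the example; the blob does not encode the real flag.

```python
import base64
import codecs
import re

# Constructed sample HTA that mimics the traits described in the task (not the room's file).
SAMPLE_HTA = """<html><head><title>Best Festival Company Developer Survey</title>
<HTA:APPLICATION ID="survey" WINDOWSTATE="minimize" SHOWINTASKBAR="no"/></head>
<script language="VBScript">
Sub window_onLoad
    Set ie = CreateObject("InternetExplorer.Application")
    Set net = CreateObject("WScript.Network")
    Set sh = CreateObject("WScript.Shell")
    payload = decodeBase64("Zm56Y3lyOiBxcnBicXJxIGJ4")
End Sub
</script></html>"""

# ProgIDs the task flags as dangerous, with the reason each one matters.
SUSPICIOUS_OBJECTS = {
    "InternetExplorer.Application": "external web requests",
    "WScript.Network": "collects computer and user names",
    "WScript.Shell": "command execution",
}

def find_suspicious_objects(hta_text):
    """Return the flagged ProgIDs that the script instantiates via CreateObject."""
    created = re.findall(r'CreateObject\("([^"]+)"\)', hta_text, re.IGNORECASE)
    return sorted({p for p in created if p in SUSPICIOUS_OBJECTS})

def find_base64_blobs(hta_text, min_len=16):
    """Return quoted string literals that look like Base64 (no dots, long enough)."""
    return re.findall(r'"([A-Za-z0-9+/]{%d,}={0,2})"' % min_len, hta_text)

def decode_layered(blob):
    """Peel the two layers the task describes: Base64 first, then ROT13."""
    decoded = base64.b64decode(blob).decode("latin-1")
    return codecs.decode(decoded, "rot13")

def triage(hta_text):
    """Static summary: objects created, hidden-window setting, decoded blobs."""
    return {
        "objects": find_suspicious_objects(hta_text),
        "hidden_window": bool(re.search(r'WINDOWSTATE="minimize"', hta_text, re.I)),
        "decoded": [decode_layered(b) for b in find_base64_blobs(hta_text)],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_HTA))
```

Only the decoded strings are printed; nothing in the sample is executed, which is the point of static analysis.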
Key Takeaways
- HTA files are powerful attack vectors
- Social engineering can exist inside code
- Encoding and encryption are often layered
- Always analyze scripts before execution
- Typosquatting is subtle but effective
Conclusion
A seemingly harmless HTA survey was used to:
- Gather system information
- Execute hidden PowerShell commands
- Exfiltrate data to a malicious server
Understanding HTA internals and static analysis is essential for SOC analysts and malware researchers.
For further practice, TryHackMe recommends the MalDoc: Static Analysis room.