I received an Invoice.MHT file attached to an email. The MHT contains a URL that points to an HTA file.

In the HTA we can see a PowerShell command with a BASE64 string. The string can be dumped with base64dump, and as expected, the decoded data is UNICODE (UTF-16).

We can try to decode this as UTF-16, and we get an error because of some unprintable characters; these characters can be seen in the decoded output. A trick to deal with such characters is to decode as UTF-16 and then encode as ASCII while ignoring encoding errors. That strips the unprintable characters and leaves a readable PowerShell command.

The downloaded executable is not detected by a lot of anti-virus programs.
Didier Stevens, ISC Handler, Feb 3rd 2018