Threat Research

AgentTesla Spreads Through CHM And PDF Files In Recent Attacks – Cyble

Securonix

Recent AgentTesla campaigns show the malware spreading via CHM and PDF attachments, using a Gzip-compressed CHM lure that downloads a PowerShell script to start the infection. The chain employs layered Base64-encoded payloads and a .NET loader DLL to inject AgentTesla, with a separate PDF method that uses JavaScript and a PPAM file to trigger PowerShell-based downloads.

#AgentTesla #CHM

Keypoints

  • CHM-based campaign delivered in malicious spam uses a Gzip archive containing PO-9596996.gz and an embedded CHM PO-9596996.chm to start the infection.
  • PowerShell-based loader chain downloads nm.txt, then nn.txt, which contains Base64-encoded payloads that eventually load Hur.dll to run AgentTesla.
  • Payloads are heavily obfuscated with layered Base64 encoding and deflation to conceal the malicious code in the delivery chain.
  • AgentTesla is injected into system processes (e.g., RegAsm.exe) to persist and execute the malware on compromised machines.
  • A separate PDF-based campaign uses JavaScript to trigger remote PowerShell and a PPAM file delivered via a fake “Reload” prompt to download AgentTesla.
  • The campaigns target IT/network/telecom sectors and rely on social engineering and document-based infiltration to bypass defenses.

MITRE Techniques

  • [T1566.001] Phishing – “The initial phase of the infection process commences with a malicious spam email…”
  • [T1203] User Execution – “User opens the malicious attachments”
  • [T1059.001] Command and Scripting Interpreter – “PowerShell commands are used to download and execute additional payloads on the system”
  • [T1547.001] Registry Run Keys / Startup Folder – “Malware adding a run entry/Startup for persistence.”
  • [T1036.006] Masquerading – “PowerShell script is masquerading as text file”
  • [T1005] Data from Local System – “The malware collects sensitive data from victim’s system.”
  • [T1437.001] Application Layer Protocol: Web Protocols – “Communicated with C&C server using HTTP”
  • [T1041] Exfiltration Over C2 Channel – “Exfiltration Over C2 Channel”

Indicators of Compromise

  • [Hash] MD5/SHA1/SHA256 – 5df434b86519a9cda49dacc6dd625d8b8fc70c1479004669ed09b35d37816fce, 00dc35f39503924bff98f40ac52100ab2882ed22cdf8a3e4a9ec2f1797736aaa
  • [Hash] MD5/SHA1/SHA256 – 6665f9392350bfa49a2cdee6afcc297b358e396e8291d6d92691c60791f474573a8adc18 00dc35f39503924bff98f40ac52100ab2882ed22cdf8a3e4a9ec2f1797736aaa
  • [IP] IP – 82.115.209.180
  • [Domain] Domain – htlbook.blogspot[.]com/atom[.]xml
  • [Domain] Domain – booking-comdetails.blogspot[.]com/
  • [Filename] PO-9596996.gz, PO-9596996.chm
  • [Filename] lnvoice_1332936990.pdf, lnvoice_1332936990 (1).ppam (copy)

Read more: https://cyble.com/blog/agenttesla-spreads-through-chm-and-pdf-files-in-recent-attacks/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint