SHA256 : c4e194747d9a268ff56ac1f0708745cbcc164751dcaa24f1a5a15acbe9c4d998
MD5: 8e9e81d1b252d7fa99579e9cf2e4b4ba
MalwareBazaar link:
VirusTotal:
VirusTotal analysis of the .hta malware
The .hta file is doubly obfuscated. It first contains a heavily obfuscated VBScript holding an obfuscated string and an integer array (renamed here “obfuscated_script” and “some_array”), which the short loop below decodes; the decoded code is then executed via JavaScript.
.hta file executing the VBScript
' Decoding loop from the sample (identifiers renamed); assumes LBound(some_array) = 0
deobfuscatedCode = ""
for i = lbound(some_array) + 1 to ubound(some_array) + 1
    key_char = mid(obfuscated_script, i, 1)              ' i-th character of the key string (1-based)
    encrypted_val = some_array(i - 1)                    ' matching array entry (0-based)
    decrypted_val = chr(encrypted_val - asc(key_char))   ' subtract the key code to recover the character
    deobfuscatedCode = deobfuscatedCode & decrypted_val
next
VBScript to deobfuscate.
</script>
<script type="text/javascript">
// Waits 11 000 ms (11 s), then calls the VBScript routine that runs the decoded code
setTimeout(function () {
    ShowVBScriptAlert()
}, 11000)
</script>
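To recover the second stage without executing the .hta, the decoding loop above can be re-implemented statically. The following is an added example, not code from the sample or the original write-up: it keeps the renamed identifiers some_array and obfuscated_script, extract_stage() assumes the simple one-line `name = Array(…)` / `name = "…"` layout, and the embedded VBScript snippet is constructed test data rather than the real sample's values.

```python
import re

# Added example, not code from the sample or the original post. Re-implements the
# VBScript loop  Chr(some_array(i - 1) - Asc(Mid(obfuscated_script, i, 1)))  so the
# second stage can be recovered statically, without running the .hta.


def extract_stage(source, array_name="some_array", string_name="obfuscated_script"):
    """Pull the integer array and the key string out of VBScript text.

    Assumption: the simple layout  name = Array(1, 2, 3)  and  name = "..."  on a
    single line each. Real samples often break a long Array() across lines with
    the _ continuation character or build the string with &; join those first.
    """
    arr_m = re.search(rf'\b{re.escape(array_name)}\s*=\s*Array\(([^)]*)\)', source, re.I)
    str_m = re.search(rf'\b{re.escape(string_name)}\s*=\s*"((?:[^"]|"")*)"', source, re.I)
    if not arr_m or not str_m:
        raise ValueError("array or key string not found in source")
    some_array = [int(x) for x in arr_m.group(1).split(",") if x.strip()]
    obfuscated_script = str_m.group(1).replace('""', '"')  # VBScript doubles embedded quotes
    return some_array, obfuscated_script


def deobfuscate(some_array, obfuscated_script):
    """Mirror the loop: VBScript's i runs 1..N (1-based Mid), the array index is i-1."""
    if len(obfuscated_script) < len(some_array):
        # In VBScript, Mid() past the end returns "" and Asc("") raises a runtime
        # error, so the real script would crash here too; fail loudly instead.
        raise ValueError("key string shorter than array")
    out = []
    for i in range(1, len(some_array) + 1):
        key_char = obfuscated_script[i - 1]             # Mid(obfuscated_script, i, 1)
        encrypted_val = some_array[i - 1]               # some_array(i - 1)
        out.append(chr(encrypted_val - ord(key_char)))  # Chr(encrypted_val - Asc(key_char))
    return "".join(out)


def obfuscate(plaintext, key):
    """Inverse transform; used only to build the constructed test vector below."""
    if len(key) < len(plaintext):
        raise ValueError("key must cover the whole plaintext")
    return [ord(p) + ord(k) for p, k in zip(plaintext, key)]


# Constructed sample (benign second stage, arbitrary key), not the real values.
_PLAIN = 'MsgBox "constructed second stage"'
_KEY = "kD9xQe2mLp7sWz4RbN1vTg0cYh5jF8aU3oI6"
SAMPLE_VBS = (
    "some_array = Array(" + ", ".join(str(n) for n in obfuscate(_PLAIN, _KEY)) + ")\n"
    + 'obfuscated_script = "' + _KEY + '"\n'
)

if __name__ == "__main__":
    arr, key = extract_stage(SAMPLE_VBS)
    print(deobfuscate(arr, key))
```

Point extract_stage() at the VBScript block cut out of the .hta (after joining any `_` continuations), and the returned text is the next stage. A decoded character that is not printable, or a ValueError from chr(), is the quickest sign that the wrong array/string pair was paired up.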
Running the decoded VBScript yields another obfuscated PowerShell command line, whose switches are themselves red flags:
-nop → No profile (profile scripts are skipped, so start-up is faster and nothing in a profile can interfere)
-w hidden → No visible window
-ep bypass → Execution policy set to Bypass (script execution restrictions disabled)
-e → Runs a Base64-encoded (UTF-16LE) payload (-EncodedCommand)
PowerShell script given after the deobfuscation
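The same switch pattern is what an analyst looks for in process-creation logs, so it is worth being able to resolve the abbreviated forms and decode the -e payload mechanically. The following is an added example, not code from the write-up: the abbreviation table mirrors how powershell.exe matches switch prefixes (only the switches discussed here are included), tokenising is whitespace-only, and the command line it triages is a constructed sample around a benign payload, not the sample's real second stage.

```python
import base64

# Added example, not code from the original post: triage a PowerShell command line
# of the kind the decoded stage launches, resolving abbreviated switches the way
# powershell.exe does and decoding the -e (EncodedCommand) payload.

# (full switch name, shortest accepted prefix). powershell.exe accepts any prefix of
# the full name at least as long as the shortest form; -ep and -ec are extra short
# forms it accepts explicitly. Other host switches are omitted for brevity.
_SWITCHES = [
    ("noprofile", "nop"),
    ("windowstyle", "w"),
    ("executionpolicy", "ex"), ("ep", "ep"),
    ("encodedcommand", "e"), ("ec", "ec"),
]
_CANON = {"ep": "executionpolicy", "ec": "encodedcommand"}
_TAKES_VALUE = {"windowstyle", "executionpolicy", "encodedcommand"}


def resolve_switch(token):
    """Map '-nop', '/W', '-Exec', '-enc' ... to the full switch name, or None."""
    if not token.startswith(("-", "/")):
        return None
    key = token[1:].lower()
    for full, smallest in _SWITCHES:
        if len(key) >= len(smallest) and full.startswith(key):
            return _CANON.get(full, full)
    return None


def decode_encoded_command(b64):
    """-EncodedCommand is Base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def triage(cmdline):
    """Return parsed switches, the decoded payload (if any) and readable findings.

    Tokenises on whitespace only; quoted arguments containing spaces would need
    a real command-line parser.
    """
    tokens = cmdline.split()
    params, i = {}, 1                      # tokens[0] is the executable
    while i < len(tokens):
        name = resolve_switch(tokens[i])
        if name in _TAKES_VALUE and i + 1 < len(tokens):
            params[name] = tokens[i + 1]
            i += 2
        else:
            if name:
                params[name] = True        # switch given without a value
            i += 1

    findings = []
    if params.get("noprofile"):
        findings.append("-NoProfile: profile scripts skipped")
    if str(params.get("windowstyle", "")).lower() == "hidden":
        findings.append("-WindowStyle Hidden: no visible window")
    if str(params.get("executionpolicy", "")).lower() in ("bypass", "unrestricted"):
        findings.append("-ExecutionPolicy %s: script restrictions disabled" % params["executionpolicy"])
    decoded = None
    if isinstance(params.get("encodedcommand"), str):
        try:
            decoded = decode_encoded_command(params["encodedcommand"])
            findings.append("-EncodedCommand: Base64/UTF-16LE payload decoded")
        except (ValueError, UnicodeDecodeError):   # bad Base64, or an odd byte count
            findings.append("-EncodedCommand present but not valid Base64/UTF-16LE")
    return {"params": params, "decoded": decoded, "findings": findings}


# Constructed sample: the switch pattern from the write-up around a benign payload.
_SAMPLE_PAYLOAD = "Write-Host 'constructed sample payload'"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -ep bypass -e " + base64.b64encode(
    _SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    for line in result["findings"]:
        print(line)
    print(result["decoded"])
```

Because powershell.exe accepts prefixes, a rule that only matches the literal strings `-nop`, `-ep bypass` and `-e` misses `-NoP`, `-Exec Bypass` or `-enc`; resolving to the full switch name first, as above, closes that gap. Decoding with validate=True also refuses payloads padded with junk characters, which is a useful signal in itself.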