Security researcher My name Is discovered a new spam campaign distributing that uses an uncommon attachment to download and install what appears to be a Brazilian banking Trojans onto an affected computer.  While most recent malspam campaigns have been using JS or VBS attachments, this particular campaign is using malicious CHM documentation files that execute PowerShell commands to download and install malware.

Malspam Pretends to be Whats from WhatsApp.com

This current spam campaign pretends to be email from WhatsApp that contains a conversation history and has subjects similar to "Conversa do WhatsApp com". These emails will contain a link, which when clicked by a user that is using a Brazilian IP address, will download a zip file that is named in the format Whats_email@example.com.zip. Inside these zip files is a malicious CHM file with a name in the format of Whats_email@example.com.chm.

Spam Email
Spam Email

When these malicious CHM files are opened, they will download and install malware as described in the next section.

Using Malicious CHM Files to Install Malware

CHM files are compiled html files that are most commonly used as documentation for various features of Windows. When a Windows user opens a CHM file, Windows will launch the Microsoft HTML Help program (hh.exe) in order to display the compiled HTML file. Below is an example of the legitimate Printer Management documentation from pmc.chm that is bundled with Windows.

Legitimate pmc.CHM Help File
Legitimate pmc.CHM Help File

In the case of this spam campaign, the distributors modified the legitimate TCP IPv4 help file, tcpip.CHM, to include an embedded OCX object that launches a PowerShell command when the documentation is viewed. This technique is not new and was first described in 2005, and a tutorial on how to use the pentesting tool Kautilya to create this malicious CHM file is described here. The use of malicious CHM files can be a functional method of bypassing AV software, as this malicious CHM is only detected by 10/60 vendors on VirusTotal.

The malicious CHM's HTML below will attach an object to a button that when clicked will launch the PowerShell command. It then adds a small javascript call to automatically click that button when the html is viewed in the Microsoft HTML Help program. 

Source of Malicious CHM File
Source of Malicious CHM File

The above PowerShell command will connect to the listed remote URL and execute the PowerShell script that the site responds with. This remote script can be seen below.

Remote PowerShell Script
Remote PowerShell Script

The above PowerShell script will begin to download a variety of files into the C:\ProgramData\paladium folder and configure them to automatically run through scheduled tasks and startup folder entries.

Paladium Folder
Paladium Folder

The scheduled task is used to launch malicious CHM files every hour and a half in order to update the package of files that are downloaded and make sure the malicious processes are executed.

Scheduled Task
Scheduled Task

Using this method, updated software can be downloaded, new malware can be installed, and the banking Trojans can continue to stay persistent.

Be cautious when opening any strange emails

As you can see, malware distributors are using innovative and uncommon methods to distribute malware and bypass AV protection. Users need to be diligent and always suspicious of strange emails, links that download files, and strange file formats being downloaded.

To protect yourself from these types of attacks, I always suggest you follow these guidelines:

  1. Make sure you have an up-to-date antivirus or security solution installed.
  2. If you receive an unexpected email from with a link or attachment, send the sender a text or call them to make sure it was in fact them who sent it.
  3. By default, Windows does not enable the displaying of file extensions. This allows malware distributors to send attachments that contain icons that pretend to be a common file format such as a PDF. Everyone should enable the viewing of extensions.
  4. If an email contains an attachment or prompt you to download a file, before you open it you should scan it using a service like VirusTotal.