AgentTesla Spreads Through CHM and PDF Files in Recent Attacks

Recent Attacks showcase AgentTesla spreading via CHM and PDF Files

Key Takeaways

  • This analysis emphasizes an interesting infection pathway to disseminate AgentTesla, a well-known malware strain.
  • The infection is initiated via a spam email containing a CHM file, which, upon execution, fetches a PowerShell script to start the AgentTesla infection on the victim’s system.
  • The PowerShell script employs encoded binary strings as camouflage for malicious code.
  • The malicious PowerShell script further drops a loader DLL file built on the .NET framework, which injects the AgentTesla payload into system executables.
  • In another campaign, a PDF file is employed to entice unsuspecting users into downloading a PPAM file, resulting in AgentTesla malware infection.


AgentTesla is an information stealer built on the .NET framework, designed to infiltrate computers and surreptitiously extract sensitive information from the victim’s machine. It initially appeared in 2014, and since then, it has been continuously evolving and spreading worldwide. Its primary objective is to harvest victim credentials and personal data. Furthermore, AgentTesla possesses functionalities such as keylogging, capturing clipboard data, accessing the file system, and transferring data to a Command and Control (C&C) server.

AgentTesla typically enters a system through spam emails that include attachments with file extensions like .doc, .xls, and .ppt. These attachments often contain macros, which, when executed, facilitate the installation of the AgentTesla malware onto the victim’s system. Recently, CRIL also identified and authored an analysis that AgentTesla malware reaches users with malicious control panel files.

On October 4, 2023, CRIL encountered a malicious Gzip compressed file within VirusTotal (VT). This Gzip file contained a CHM file that triggered the initiation of the AgentTesla infection.

AgentTesla malware’s distribution through the CHM file was identified by researchers @JAMESWT_MHT in September 2022 and subsequently by @smica83 in December 2022. In previous campaigns, the CHM file downloaded the PowerShell scripts, containing loader DLL and AgentTesla as obfuscated binary strings. Finally, AgentTesla is injected into RegAsm.exe.

In the most recent campaign, CRIL identified a CHM file that has been compressed using Gzip and is highly likely delivered using malicious spam email. The crafted CHM file acts as a lure. It appears to be targeting individuals or entities involved in network engineering, telecommunications, or information technology based on the content available in the CHM file, as shown in Figure 1.

When the user opens this CHM file, it covertly downloads a PowerShell script from the remote server and executes it. To avoid detection, the PowerShell script is Base64-encoded and Deflated. This deflated Base64-encoded string, in turn, contains another layer of Base64 encoding, which further contains a loader DLL file. The DLL file serves as a loader responsible for loading AgentTesla malware found within one of the resources found within the file.

Figure 1 – Malicious CHM File

We have also observed another campaign using PDF files to distribute AgentTesla Malware. This PDF employs two distinct methods to disseminate the malware. In the first method, the PDF triggers a PowerShell command to load the AgentTesla malware. The second method displays a fake message when the PDF is opened, leading to the download of a PPAM file when users click on the “Reload” button. This PPAM file is responsible for executing PowerShell commands that, in turn, download the AgentTesla malware.

AgentTesla Spreading Via CHM files:

The figure below shows the overall infection chain of the AgentTesla Campaign.

Figure 2 – AgentTesla Infection Chain

The initial phase of the infection process commences with a malicious spam email, which delivers a Gzip-compressed file named “PO-9596996.gz” with a SHA256 hash value of 5df434b86519a9cda49dacc6dd625d8b8fc70c1479004669ed09b35d37816fce. Within this Gzip archive, there is an embedded CHM file named “PO-9596996.chm”, with a SHA256 hash value of 00dc35f39503924bff98f40ac52100ab2882ed22cdf8a3e4a9ec2f1797736aaa.

Upon execution, the CHM file runs a PowerShell command, which downloads a PowerShell script named “nm.txt” from a server and subsequently executes it, as shown below.

Figure 3 – PowerShell command to download another PowerShell Script

The PowerShell script “nn.txt” comprises a string that has been encoded using Base64 and subsequently deflated. The figure below shows the contents of the “nn.txt”.

Figure 4 – Contents of the “nn.txt” File

During the execution of the PowerShell script, the Base64 encoded string is decoded and then inflated, revealing another Base64-encoded string, which is actually a malicious Dynamic Link Library (DLL). The PowerShell script further handles the loading of this decoded DLL, which is stored in the “A” variable, followed by the creation of an instance of class “B,” defined in the DLL file.

The figure below shows the second base64-encoded string.

Figure 5 – Second Base64 Encoded String

The decoded DLL is named Hur.dll and has a sha256 value of 6555ac945d8010dc3e77d037298fffaf506826bb0ecaa12880de18ad04435b7f. Within the resource section of the Hur.dll file, encrypted data is present, which is loaded and injected by the Hur.dll.

To encrypt the data, a key, represented as “1A,” was added to the byte values. By subtracting this key, the final AgentTesla binary was successfully derived. Upon decryption, it reveals the presence of AgentTesla malware. The figure below shows the decrypted data.

Figure 6 – Encrypted Data in Resource Section & Decrypted AgentTesla Payload

The figure below shows the decrypted AgentTesla Malware, which calls several APIs for various malicious purposes.

Figure 7 – Decrypted AgentTesla Final Payload

AgentTesla Spreading via PDF files:

In addition to the CHM campaign, on September 8, 2023, we also observed another campaign in VirusTotal that employs a PDF file to entice unsuspecting users into downloading AgentTesla Malware. Notably, this PDF file employs two distinct methods to deliver malicious files to the victim’s machine.

Upon execution, the PDF file initiates the execution of JavaScript, which subsequently triggers a malicious PowerShell script hosted at “”  The figure below shows the JavaScript code responsible for executing the remote PowerShell code.

Figure 8 – Two URLs Embedded in the PDF File

Parallely, the pdf file opens a fake message, stating, “Pdf reader not supported! Reload to Download pdf!” Following this pop-up, the main PDF document loads but displays an error message, as shown in the figure below.

Figure 9 – PDF Document Showing Error Message

When the user clicks on the Reload button, it triggers a redirection to the website “hxxps://booking-comdetails[.]blogspot[.]com/.” During our analysis, the website was inaccessible, but it had previously hosted a PPAM file named “lnvoice_1332936990 (1).ppam (copy).”  

The PPAM file does not contain any PPT file but only the VBA macro, which contains code to download and execute the PowerShell script from the previously mentioned URL “htlbook.blogspot[.]com/atom.xml”. The figure below shows the macro code.

Figure 10 – Obfuscated VBA Code

The latter stages of the infection technique, as executed by the downloaded PowerShell, bear a strong resemblance to the methods outlined in our earlier AgentTesla analysis.


This analysis uncovers a resourceful approach used by AgentTesla malware to proliferate. Through its continual adaptation, AgentTesla enhances its ability to elude detection, establishing itself as an enduring menace to both organizations and individuals.

AgentTesla’s primary objective is the pilfering of sensitive data, and its tactical shifts sustain its significant threat to organizations, enabling it to persistently access valuable information. Its flexibility permits the exploitation of various attack vectors, such as email attachments, malicious links, and document-based infiltrations, rendering it a versatile adversary. The ceaseless evolution of its tactics poses a formidable challenge in eradication, compelling security systems and researchers to perpetually adjust their countermeasures.

Our Recommendations 

  • Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 

MITRE ATT&CK® Techniques 

Tactic Technique Procedure 
Initial Access (TA0001)Phishing (T1566.001)TAs send phishing emails with malicious Attachments
Execution  (TA0002)User Execution (T1203)User opens the malicious attachments
Execution  (TA0002)Command and Scripting
Interpreter (T1059.001)
PowerShell commands are used to download and execute additional payloads on the system
Persistence (TA0003)Registry Run Keys /
Startup Folder (T1547.001)
Malware adding a run entry/Startup for persistence.
Defense Evasion (TA0005)Masquerading  (T1036.006)PowerShell script is masquerading as text file
Collection (TA0009)Data from Local System
The malware collects sensitive data from
victim’s system.
Command and Control (TA0011)Application Layer Protocol : Web Protocols (T1437.001)Communicated with C&C server using HTTP
Exfiltration (TA0010)Exfiltration Over C2 Channel (T1041)Exfiltration Over C2 Channel

Indicators of Compromise (IOCs) 

IndicatorsIndicator TypeDetails
a4de9d739162b9840c6cfd684ea8d791 bb43ced4c734844119ebeffba5ff960692061e0b a56f11445182406c82a5448a978ab72faf540591e94dbecbb13237413e687bd4MD5 SHA1 SHA256Malicious CHM
c7ebda0095926643110fc359e747ffb3 c59402e8f69f25cf89d10df772796671ed96da2a d0c65ad64661320b438d940cb46019a3a282d4b5040d593bcbb5c21616116813MD5 SHA1 SHA256Malicious CHM
6665f9392350bfa49a2cdee6afcc297b 358e396e8291d6d92691c60791f474573a8adc18 00dc35f39503924bff98f40ac52100ab2882ed22cdf8a3e4a9ec2f1797736aaaMD5 SHA1 SHA256Malicious CHM
0bcc3c271ee55c5da266c8bbc22f3208 9f71ed6953196b2c1e70bb86df3c9773567c0bea dcdc5377b6fa7bf42731c95f23b04072123053910b120da943ba183fbc511665MD5 SHA1 SHA256Malicious CHM
cf87fd3ac04ab84401009808e0c1662a 78f25cc19b474922c372552fa5fc2ea4a1c5a01b f34400e75903275789e15209840fe4d425744ad7ffe8e7c86f5545bb5bfdff72MD5 SHA1 SHA256Malicious CHM
0431f491949e0462e1eb13bf4f3b2191 1d1b203bba63b1393a45f4ed5c3fccaf222b2aa2 da0ff5afc0fe3bb6fd769c501c4e5c07820f411005565c53b80f41c6bd679f72MD5 SHA1 SHA256Malicious CHM
82.115.209[.]180IPMalicious IP
htlbook.blogspot[.]com/atom[.]xmlDominMalicious Domain
hxxps://booking-comdetails.blogspot[.]com/DomainMalicious Domain
0cadf56216e663ff2a8f3882ed0fb681 1cc259aa315090a50237144dc0926be0abea4190 92533be6c7fdd0cb591fa4a9d760b49f441703545404f5ce780403092056341fMD5 SHA1 SHA256lnvoice_1332936990.pdf
3a8ac8048d42bcd3b15c44b2836cc634 ec52ae1ec9e84a57d346425e12d9582efa75ad55 118a2cbcf9272be3651fd0781da7e609e6b5972a341a187f1a20d7269b2a6dc6MD5 SHA1 SHA256\lnvoice_1332936990 (1).ppam (copy)

Scroll to Top