Signed Binary Proxy Execution: Compiled HTML File

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. [1] CHM content is displayed using underlying components of the Internet Explorer browser [2] loaded by the HTML Help executable program (hh.exe). [3]

A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. [4] [5]

ID: T1218.001
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Data Sources: Command: Command Execution, File: File Creation, Process: Process Creation
Defense Bypassed: Application control, Digital Certificate Validation
Contributors: Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
Version: 1.0
Created: 23 January 2020
Last Modified: 20 June 2020

Procedure Examples

ID Name Description
G0096 APT41

APT41 used compiled HTML (.chm) files for targeting.[6]

S0373 Astaroth

Astaroth uses ActiveX objects for file execution and manipulation. [7]

G0070 Dark Caracal

Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.[8]

G0032 Lazarus Group

Lazarus Group has used CHM files to move concealed payloads.[9]

G0049 OilRig

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.[10]

G0091 Silence

Silence has weaponized CHM files in their phishing campaigns.[11][12][13][14]


ID Mitigation Description
M1038 Execution Prevention

Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

M1021 Restrict Web-Based Content

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files


Monitor and analyze the execution and arguments of hh.exe. [4] Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.

Monitor presence and use of CHM files, especially if they are not typically used within an environment.