Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.
According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine
using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file.
The activity is associated with UNC1151, according to CERT-UA.
Recursively scans files and archives to detect embedded EXE files (with an MZ header).
According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an
attack that used this technique to the "special services of the Russian Federation".
The spear-phishing operation urged recipients to download a RAR archive included in the
email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe)
that tried to pass as a PDF file.