title: Compiled HTML File (T1218.001)
id: df00tech-t1218-001
status: experimental
description: "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system and are compressed compilations of HTML documents, images, and scripting languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems. Groups known to abuse CHM files include OilRig, Dark Caracal, Silence, APT41, and APT38."
references:
  - https://attack.mitre.org/techniques/T1218/001/
  - https://df00tech.com/detections/T1218.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1218.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate Windows Help files (.chm) launched by system utilities or software installers
  - IT documentation tools that package help content as CHM files and open them via hh.exe
  - Software development environments opening SDK or API documentation in CHM format
  - Help desk software that renders CHM-based knowledge bases
level: high