velociraptor
Add support for CHM files
Very low prio request but would be cool to be able to flag CHM files that contain executable file formats
Example of malicious use case: https://www.docguard.io/microsoft-compiled-html-help-chm-using-in-spearphishing-attack/
More research required to identify exactly how to implement the hunt (or whether YARA would find it regardless of compression etc)
A few more links:
https://docs.fileformat.com/web/chm/
https://pkg.go.dev/github.com/microsoft/go-winio/wim/lzx
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/htmlhelp/to-decompile-a-compiled-help-file-from-the-command-line
Workaround for now would be: Collect all CHM files and then use HH.exe to decompile them and scan offline
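The workaround above (collect the CHM, decompile it with hh.exe, scan the extracted members offline) as an added Python example; this is not Velociraptor code or VQL from the project, and it assumes a Windows host with hh.exe on PATH (the `-decompile <folder> <file.chm>` syntax is the one in the linked Microsoft page). Because CHM members are LZX-compressed, a YARA rule for `MZ` run over the raw .chm will not match the embedded binary, which is why the scan runs on the decompiled tree. The magic-byte table and the script-extension list are constructed for the example and deliberately short.

```python
"""Decompile CHM files with hh.exe and flag members that are executable formats.

Added example, not part of the Velociraptor project. Assumes Windows and an
hh.exe on PATH; the signature tables below are constructed for illustration.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed table: leading bytes that identify an executable container.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary / Java class",
}

# Constructed list of script extensions worth flagging inside a help file.
SCRIPT_EXTENSIONS = {".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta"}


def classify(head: bytes, name: str) -> Optional[str]:
    """Return a label when the first bytes or the file name look executable."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    if Path(name).suffix.lower() in SCRIPT_EXTENSIONS:
        return "script file"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a decompiled CHM directory; return sorted (relative path, label) hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(8)  # enough for every magic in the table
            label = classify(head, fn)
            if label:
                hits.append((os.path.relpath(full, root), label))
    return sorted(hits)


def decompile_chm(chm_path: str, out_dir: str) -> None:
    """Run hh.exe -decompile. hh.exe gives no useful exit code, so the output
    directory is checked instead (assumption: hh.exe is on PATH)."""
    subprocess.run(["hh.exe", "-decompile", out_dir, chm_path], check=False)
    if not any(Path(out_dir).iterdir()):
        raise RuntimeError(f"hh.exe produced no output for {chm_path}")


def scan_chm(chm_path: str) -> List[Tuple[str, str]]:
    """Decompile one CHM into a temp directory and scan the extracted members."""
    with tempfile.TemporaryDirectory() as tmp:
        decompile_chm(chm_path, tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Usage: python chm_scan.py collected\*.chm (paths already collected by Velociraptor)
    for chm in sys.argv[1:]:
        for rel, label in scan_chm(chm):
            print(f"{chm}: {rel} -> {label}")
```

`scan_tree` is separated from the hh.exe call so the same check can be pointed at a directory produced by any other CHM extractor (7-Zip can also unpack the ITSF container), and so the flagging logic can be tested without a Windows box. Hits only say that an executable or script member exists; a reviewer still has to look at the HTML that references it to decide whether the file is malicious.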