Windows help files are an invaluable tool for those trying to understand what just went wrong, but for attackers they can plant some serious malware within a simple .hlp file.
There is one file called Amministrazione.hlp (Italian for “administration”) and once it executes, it drops a couple of additional elements: Windows Security Center.exe and RECYCLER.DLL, said researchers at Sophos.
The dynamic library file is actually a keylogger part of the DarkShell Trojan.
The malicious element records every keystroke, stores the information in a file, and then sends it back to a remote server.
So, even an innocent-looking files that come via unsolicited emails can actually hide a dangerous piece of malware.