The interesting part, the PNG image file (or what ever image format) is still valid and can be viewed as normal if user did not rename it into .HTA extension. In worst cases, all the script can be obfuscate to make it more undetectable from antivirus software or at least user can't see there is a script in it.
Most antivirus company should update their heuristic detection to detect this from future threat but I guess this issue is not new to the user for years and its not only image file format can do that. It could be all type of file format by just rename it to .HTA extension to execute the embedded script.
It seem none of antivirus detecting it as I got report from VirusTotal >> http://ly.my/lq