
Corrupt ZIP and DOC files can evade your antivirus and email defences


Security researchers have discovered a new malware campaign that intentionally corrupts ZIP and DOC files to infect target systems. The corrupted files can’t be scanned with security scanning tools and, hence, don’t raise any alarms until the user opens them.

The threat actor takes advantage of the self-recovery feature often found in programs like MS Office or WinRAR. This feature automatically repairs the corrupted file the user tries to open, infecting their PC with malware. The technique has been used since at least August 2024 and has been described as a potential zero-day being actively exploited to evade detection.

During analysis, most of the files were identified as ZIP archives or MS Office files. Security solutions such as VirusTotal try to extract the file and scan its contents, but they treat the container itself as uninteresting. Because the corrupted archive yields no extractable files, the detection engine has nothing to flag and scanning never begins. The file is therefore cleared by antivirus software, by online sandboxes that require an upload, and by Outlook's spam filters alike.

These files are typically used to run phishing campaigns, luring users into opening malicious documents under the guise of employee benefits or bonuses. The documents contain QR codes, which, when scanned, redirect victims to fake websites that deploy malware or phishing pages that steal login credentials.

ANY.RUN, an online sandbox used for malware analysis, gives a more technical account in a Twitter thread of how MS Office and WinRAR repair these files: the application locates a valid header containing the critical archive information needed to process the file, and uses it to reconstruct and open the content.
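A scanner-side check that closes the gap described above, added here as an illustration and not code from the article or from ANY.RUN: it builds a small ZIP in memory, zeroes the end-of-central-directory record, and shows that the standard parser then reports nothing while walking the local file headers (as the repair routines do) still recovers the entry. The file name and contents are constructed sample data.

```python
import io
import struct
import zipfile
import zlib

# PKZIP signatures: local file header and end-of-central-directory record.
LOCAL_FILE_HEADER = b"PK\x03\x04"
END_OF_CENTRAL_DIR = b"PK\x05\x06"


def make_sample_zip() -> bytes:
    """Build a small valid ZIP archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("benefits.docx", b"placeholder document body")
    return buf.getvalue()


def corrupt_central_directory(data: bytes) -> bytes:
    """Zero the end-of-central-directory record; the local file header and
    payload stay intact, which is exactly what a repair routine relies on."""
    idx = data.rfind(END_OF_CENTRAL_DIR)
    if idx == -1:
        raise ValueError("no end-of-central-directory record found")
    return data[:idx] + b"\x00" * (len(data) - idx)


def assess_archive(data: bytes) -> str:
    """'parseable', 'corrupt_recoverable' (the case this article describes and
    the one to quarantine or detonate rather than clear) or 'not_zip'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)):
            return "parseable"
    except zipfile.BadZipFile:
        return "corrupt_recoverable" if LOCAL_FILE_HEADER in data else "not_zip"


def carve_entries(data: bytes) -> list[tuple[str, bytes]]:
    """Walk local file headers directly, as archivers' recovery does, so a
    damaged central directory does not turn into 'no files found'."""
    entries, pos = [], data.find(LOCAL_FILE_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        # sig, version, flags, method, mtime, mdate, crc, csize, usize, fnlen, exlen
        (_, _, _flags, method, _, _, _, csize, _, fnlen, exlen) = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        start = pos + 30 + fnlen + exlen
        name = data[pos + 30:pos + 30 + fnlen].decode("utf-8", "replace")
        payload = data[start:start + csize]
        if method == zipfile.ZIP_DEFLATED:
            payload = zlib.decompress(payload, -15)  # raw deflate stream
        entries.append((name, payload))
        pos = data.find(LOCAL_FILE_HEADER, start + csize)
    return entries
```

A scanner that only trusts the central directory returns an empty entry list for the corrupted sample; the carved entry is what the victim's Office or WinRAR would actually open, so it is the content worth scanning.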


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
