Introducing OPSWAT Threat Intelligence Similarity Search Learn More

Deep CDR Sanitizes Hidden Threats in an archive file

Cybercriminals usually choose archive files to conceal malware and distribute infections. A statistic shows that 37% of detected malicious file extension is an archive, which is quite similar to Office files (38%) but much higher than PDF (14%). It’s understandable because many vulnerabilities have been found in archive applications. Additionally, the file type itself is used to hide malware.

How cybercriminals hide the malware

  • Modify the central directory file header in a zip file: At a high level, the structure of a zip file is quite simple. Each zip file has a central header that stores metadata and a relative offset of the local file header.

    The unzip application reads this central header to find the location of the content and then extracts the data. If the file is not listed in the central header then the application is not able to see that file, and malware can be hidden there.
  • Change a file attribute in the central header: There is an attribute called ExternalFileAttributes that indicates whether the local file is a file or a directory. By changing this attribute, you can trick the 7z into seeing a file as a folder. Below is a normal zip file.

    By modifying a specific byte in the file, 7z sees the new file as a folder.

    You can look inside of the folder as usual; nothing seems to be suspicious.

In the above cases, even though you extract them with 7z, the extracted files are not harmful anymore. For the first case, you will receive file 1 and 2, not the malware file. In the second case, you will receive a folder. Then why are they dangerous? The attackers are smart. They build scenarios to trap their victims. Look at the phishing email hereunder.

The criminals send this email with an attachment containing a zip file and a “decryptor” tool. The tool is for simple tasks such as extracting the zip file regardless of the central header data or turning the directory byte back to file and extracting it. Apparently, with this behavior, the tool is not detected as malware. The extracted malicious file may or may not be detected depending on the anti-malware software you used.

How Deep CDR sanitizes the hidden threats

Deep CDR follows the Zip File Format Specification. It looks at the central header and extracts the file based on this info. The hidden data will not be included in the sanitized file. Also, as an advantage to Deep CDR, the process also recursively sanitizes all children files. As a result, it produces a safe file.

In the second case, Deep CDR changes the file inside into a real folder so what you see is what you get, no hidden data anymore.


Of all the precautions you need to take to protect your organization from cyberattacks, phishing awareness training may be the most important by far. If your staff understand what phishing attacks look like, unlike other forms of cyberattacks, phishing is preventable. However, relying on security training alone is insufficient because humans make mistakes, and your organization will not only confront phishing but also far more advanced cyberattacks. Multi-layer protection helps your organization to be more secure. OPSWAT Multiscanning technology maximizes your malware detection rate, thereby providing a much higher chance to catch malware when files are extracted. Deep CDR ensures files coming into your organization are not harmful. Also, Deep CDR helps to prevent zero-day attacks. Contact us today to understand more about OPSWAT technologies, and learn how to protect your organization comprehensively.


Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.