Keypoints
- Attackers embed malware inside concatenated ZIP files so portions of the archive are visible only to certain ZIP readers.
- Different archive tools—7zip, WinRAR, and Windows File Explorer—handle concatenated ZIPs differently, causing inconsistent exposure of hidden payloads.
- A real phishing campaign delivered a concatenated ZIP disguised as SHIPPING_INV_PL_BL_pdf.rar containing an AutoIt-based trojan named SHIPPING_INV_PL_BL_pdf.exe.
- 7zip displays only the benign first archive and shows a dismissible warning (“There are some data after the end of the archive”), while WinRAR and Windows Explorer reveal the malicious second archive.
- Perception Point reported the behavior to 7zip developers, who confirmed the handling is intentional and unlikely to change.
- Perception Point’s Recursive Unpacker detects concatenation, extracts every nested layer, and subjects contents to dynamic analysis to uncover evasive malware like SmokeLoader.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Phishing email used to deliver the concatenated archive as an attachment (‘The attack began with a phishing email…contained a file named SHIPPING_INV_PL_BL_pdf.rar as an attachment.’).
- [T1027] Obfuscated Files or Information – Concatenated ZIPs hide malicious payloads in parts of the archive that some readers do not parse (‘Threat actors utilize ZIP file concatenation to hide malicious payloads within seemingly benign files.’).
- [T1204.002] User Execution: Malicious File – The attack relies on the recipient extracting and executing an executable delivered inside the archive (‘…including the malicious executable SHIPPING_INV_PL_BL_pdf.exe, which is designed to run and execute the malware.’).
- [T1059] Command and Scripting Interpreter – The trojan uses the AutoIt scripting language to automate malicious actions (‘a variant of a trojan malware family that leverages the AutoIt scripting language to execute a range of malicious activities.’).
- [T1105] Ingress Tool Transfer – The trojan is designed to download and execute additional payloads after initial delivery (‘designed to automate malicious tasks such as downloading and executing additional payloads’).
Indicators of Compromise
- [File Name] Malicious attachment and executable – SHIPPING_INV_PL_BL_pdf.rar (attachment disguised as RAR), SHIPPING_INV_PL_BL_pdf.exe (malicious executable)
- [File Hash] Malware sample – a39ab913f09a4471b937fa942d7deca08bed75d78ae45587893dd3ea182784dd (VirusTotal reference)
- [Domain] Analysis and reporting sources – perception-point.io, www.virustotal.com (reference sources cited by the report, not attacker infrastructure)
Threat actors have increasingly turned to a deceptively simple but effective technique: concatenating ZIP archives to conceal malware. By appending one ZIP file to another, attackers create a single file that actually contains multiple central directories, and different archive readers can choose different central directories to index. This mismatch lets an attacker place benign files where one tool will look but hide malware in the portion another tool might reveal, enabling delivery that slips past some automated scanners and confuses analysts relying on different tools.
To appreciate why this works, it helps to understand ZIP internals at a high level. A ZIP archive contains file entries (each compressed file preceded by a local header with its metadata), a central directory at the end that lists those entries and their offsets, and an End of Central Directory (EOCD) record that marks the directory’s conclusion and provides metadata such as the total number of entries and the directory’s size and offset. Because most readers locate the central directory through the EOCD rather than walking every local header, appending a second archive creates two competing directories, each with its own EOCD; whichever directory a particular reader honors determines which files are visible.
Attackers exploit this behavior by creating two separate ZIPs—one containing a benign-looking document and another carrying a malicious executable—and concatenating them into a single file. For example, an attacker could build pt1.zip with a harmless file and pt2.zip with a malicious file, then concatenate them into combined.zip so that some tools index only pt1.zip while others index pt2.zip. In practice, many researchers reproduced this tactic with commands that create and then cat two archives into a combined file, and the results demonstrate how the same combined file appears differently across tools.
Three common archive handlers illustrate the variability. When opening a concatenated archive with 7zip (tested with version 22.01), the tool typically shows only the contents of the first archive and issues a warning such as “There are some data after the end of the archive,” which many users may ignore. WinRAR (tested with version 7.01) commonly reads the second central directory and thus exposes the malicious files hidden there. Windows File Explorer can either fail to open such files or, if tricked by a renamed extension, show the second archive’s contents. These divergent behaviors create a detection gap: security solutions or analysts that rely on a single handler may miss the malicious payload entirely.
Perception Point documented a real-world use of this evasion method in a phishing campaign. The attackers sent a spearphishing email posing as a shipping company and attached a file named SHIPPING_INV_PL_BL_pdf.rar. Though the attachment used a .rar extension to encourage trust and disguise its nature, it was actually a concatenated ZIP. Opening the file with 7zip presented only a benign PDF (x.pdf) and an easily overlooked warning, while WinRAR and Windows File Explorer exposed an executable named SHIPPING_INV_PL_BL_pdf.exe. That executable was submitted to VirusTotal and identified as a trojan variant that uses the AutoIt scripting language. The trojan automates malicious actions, including downloading and executing additional payloads, which can include loaders such as SmokeLoader or other malware families.
Perception Point researchers reached out to the 7zip developers to report the behavior. The developer confirmed that the observed handling of concatenated ZIP files is intentional and not a programming bug, so the behavior is unlikely to be changed, leaving the technique viable for attackers who tailor deliveries to target users of specific archive tools.
To close this detection gap, Perception Point developed a Recursive Unpacker designed to detect concatenated or malformed archives and then extract every nested layer recursively. Rather than relying on a single central directory, the Recursive Unpacker parses and extracts each archive layer to reveal any payloads hidden by concatenation. Extracted contents are then submitted to dynamic analysis, which can detect loaders and other evasive malware behaviors that static inspection might miss. The company’s X-Ray UI visualizes the full attack path for cases such as SmokeLoader, showing how a seemingly innocuous attachment can lead to a staged infection chain.
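To make the two-directory structure from the ZIP-internals discussion concrete, and to show the kind of check a recursive unpacker performs, here is an added example in Python (not Perception Point’s code or the Recursive Unpacker itself): it builds a constructed concatenated ZIP in memory, enumerates every EOCD record in the file, parses each central directory it points to, and compares that with what Python’s standard zipfile module exposes, which like WinRAR trusts only the last directory. File names and contents are constructed placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
CD_SIG = b"PK\x01\x02"    # central directory file header signature

def build_concatenated_zip(parts):
    """Append independent ZIPs into one blob, as `cat pt1.zip pt2.zip` would.
    `parts`: one list of (name, bytes) per archive. Constructed sample data only."""
    blob = b""
    for files in parts:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:  # STORED: deterministic
            for name, data in files:
                zf.writestr(name, data)
        blob += buf.getvalue()
    return blob

def parse_central_directory(blob, start, count):
    """Return the file names listed by the central directory beginning at `start`."""
    names, pos = [], start
    for _ in range(count):
        if blob[pos:pos + 4] != CD_SIG:
            break
        # name/extra/comment lengths are at offsets 28/30/32 of the 46-byte header
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", blob, pos + 28)
        names.append(blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def find_central_directories(blob):
    """Return one name list per EOCD record found; more than one means concatenation."""
    directories, pos = [], 0
    while (eocd := blob.find(EOCD_SIG, pos)) != -1:
        # EOCD: total entries (u16) at +10, CD size (u32) at +12, CD offset (u32) at +16
        total, cd_size, _cd_offset = struct.unpack_from("<HII", blob, eocd + 10)
        # The stored CD offset is relative to that archive's own start; locate it from the EOCD.
        cd_start = eocd - cd_size
        if blob[cd_start:cd_start + 4] == CD_SIG:
            directories.append(parse_central_directory(blob, cd_start, total))
        pos = eocd + 4
    return directories

def is_concatenated(blob):
    return len(find_central_directories(blob)) > 1

def stdlib_view(blob):
    """What Python's zipfile exposes: it trusts the last EOCD, like WinRAR in the article."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()
```

Flagging more than one valid central directory, or any bytes after the first archive’s EOCD, is the condition a scanner should treat as suspicious before extracting each layer separately.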
This evasion technique highlights the importance of multi-layered unpacking and analysis when inspecting archives received via email or other channels. Relying on a single archive handler or trusting file extensions can leave organizations exposed to payloads hidden by concatenation; recursive extraction and dynamic behavior analysis reduce that risk by ensuring all embedded content is inspected thoroughly.
Read more: https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users