Analyzing "Zombie Zip" Files (CVE-2026-0866)
A new vulnerability (CVE-2026-0866) has been published: Zombie Zip.
It's a method to create a malformed ZIP file that will bypass detection by most anti-virus engines.
The malformed ZIP file cannot be opened with a regular ZIP utility; a custom loader is required.
The trick is to set the compression method to STORED while the content is still DEFLATED: the flag in the ZIP file header states that the content is not compressed, while in reality it is.
I will show you how to use my tools to analyze such a malformed ZIP file.
Simple Method
Just run my tool search-for-compression.py on the ZIP file (you can download the Zombie ZIP file here, it contains an EICAR file):

The largest compressed blob is number 2, and it is 77 bytes long. Let's select it:

That's the EICAR file.
Complex Method
We can use the latest version of zipdump.py to analyze the file:
Just running the tool fails (because the ZIP file is malformed):

Using option -f to bypass the Python ZIP library and instead look for ZIP records with custom code (-f l) shows us that this is a ZIP file containing a file named eicar.com:

Selecting the FILE record (at position 0x00000000, PK0304 fil) shows us all the metadata:

The compressiontype is 0 (STORED); this means that the content of the file is just stored inside the ZIP file, not compressed.
But notice that the compressedsize and uncompressedsize are different (70 and 68). They should be the same for a STORED file.
Let's select the raw file content (-s data) and perform an asciidump (-a):

This does not look like the EICAR file.
Let's force the decompression of the data: -s forcedecompress:

This reveals the EICAR file content.
Option forcedecompress is a new option that I just coded in zipdump.py version 0.0.35. Option decompress will only decompress if the compression type is DEFLATED, thus it can't be used on this malformed ZIP file. Option forcedecompress will always try to decompress (and potentially fail), regardless of the compression type.
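The two indicators used above (a STORED entry whose compressedsize and uncompressedsize differ, and data that raw-inflates even though the header says STORED) can be checked without zipdump.py. The following Python is an added example, not code from this diary or from the zipdump.py project: it scans for PK0304 local file headers by signature (so the standard zipfile module, which rejects the malformed file, is not needed for parsing), flags STORED entries with mismatched sizes, and force-inflates the data the way the forcedecompress option does. It also verifies the inflated bytes against the header's CRC32, which the ZIP format computes over the uncompressed file, so a match confirms the recovered content. The specimen it analyzes is built in memory from a constructed, harmless text payload, with the method field patched to 0 to reproduce the mismatch; the field names and the build_specimen/analyze functions are this example's own.

```python
"""Detect a ZIP local file header that claims STORED (method 0) while the
entry's bytes are really DEFLATE data, and force-inflate them (added example)."""
import io
import struct
import zipfile
import zlib

# Local file header layout (30 bytes): signature, version, flags, method,
# mtime, mdate, crc32, compressed size, uncompressed size, name len, extra len.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
METHOD_STORED, METHOD_DEFLATED = 0, 8

# Constructed, harmless payload standing in for the file inside the specimen.
PAYLOAD = b"constructed test payload, repeated so DEFLATE shrinks it. " * 4


def build_specimen(kind: str) -> bytes:
    """Build a one-entry ZIP in memory. kind is 'deflated', 'stored', or
    'zombie' (DEFLATE bytes left in place, method fields overwritten with 0)."""
    buf = io.BytesIO()
    method = zipfile.ZIP_STORED if kind == "stored" else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("specimen.txt", PAYLOAD)
    data = bytearray(buf.getvalue())
    if kind == "zombie":
        local = data.find(b"PK\x03\x04")          # local file header
        struct.pack_into("<H", data, local + 8, METHOD_STORED)
        central = data.find(b"PK\x01\x02")        # central directory entry
        struct.pack_into("<H", data, central + 10, METHOD_STORED)
    return bytes(data)


def force_decompress(blob: bytes):
    """Raw-inflate regardless of the declared method (what forcedecompress
    does); return None unless a complete DEFLATE stream was consumed."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    try:
        out = d.decompress(blob) + d.flush()
    except zlib.error:
        return None
    return out if d.eof else None


def parse_local_headers(data: bytes):
    """Walk PK0304 records by signature scan, so a malformed archive that the
    zipfile module refuses to open still yields its headers and raw data."""
    records, pos = [], 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + LOCAL_HEADER.size > len(data):
            break
        fields = LOCAL_HEADER.unpack_from(data, pos)
        _, _, _flags, method, _, _, crc, csize, usize, fnlen, exlen = fields
        name_start = pos + LOCAL_HEADER.size
        start = name_start + fnlen + exlen
        records.append({
            "offset": pos,
            "name": data[name_start:name_start + fnlen].decode("utf-8", "replace"),
            "method": method, "crc": crc,
            "compressedsize": csize, "uncompressedsize": usize,
            "data": data[start:start + csize],
        })
        pos = max(start + csize, pos + 4)   # always make progress
    return records


def analyze(data: bytes):
    """One result per local header. 'suspicious' is True when a STORED entry
    has mismatched sizes, or its bytes raw-inflate to data whose CRC32 matches
    the header (the header CRC covers the uncompressed file)."""
    results = []
    for rec in parse_local_headers(data):
        reasons, recovered = [], None
        if rec["method"] == METHOD_STORED:
            if rec["compressedsize"] != rec["uncompressedsize"]:
                reasons.append("STORED entry but compressedsize != uncompressedsize")
            inflated = force_decompress(rec["data"])
            if inflated is not None and zlib.crc32(inflated) == rec["crc"]:
                reasons.append("STORED entry raw-inflates to data matching header CRC32")
                recovered = inflated
        results.append({"name": rec["name"], "method": rec["method"],
                        "suspicious": bool(reasons), "reasons": reasons,
                        "recovered": recovered})
    return results


if __name__ == "__main__":
    for kind in ("deflated", "stored", "zombie"):
        for r in analyze(build_specimen(kind)):
            print(f"{kind:9} {r['name']} method={r['method']} "
                  f"suspicious={r['suspicious']} {r['reasons']}")
```

Run as-is, the script reports the clean DEFLATED and STORED archives as not suspicious and the patched specimen as suspicious on both counts, returning the original payload as the recovered content. The CRC32 check is what turns "this inflated to something" into "this is the file the header describes"; a plain STORED entry may also happen to raw-inflate to a few bytes of junk, so checking only for a successful inflate would produce false positives.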
Didier Stevens
Senior handler
blog.DidierStevens.com
