Published: 2016-11-21
Last Updated: 2016-11-22 19:51:51 UTC
by Didier Stevens (Version: 1)
I got hold of a malicious document e-mailed inside a password protected ZIP file.

This time I'm not going to write about the maldoc, but about the ZIP file. The password for the ZIP file was mentioned with instructions in the e-mail spammed to many recipients. Obviously this is done in an attempt to bypass detection by e-mail scanners, but with the hope that the recipients would follow the instructions and provide the password when the ZIP application asks for it.

Now I'm coming to the point: this ZIP file also contained a comment that mentioned the password:

And I hope you can help me with my question: what Windows application displays the ZIP comment by default when a ZIP file is opened?

I tried Windows Explorer, WinZip and 7-Zip, but without success.

If you have an idea, please post a comment.

Update: WinRAR displays comments by default.

Didier Stevens
Microsoft MVP Consumer Security
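The comment the diary refers to lives in the End Of Central Directory (EOCD) record of the ZIP container, not in any file entry. The following is an added example (not code from the diary or from any commenter) showing how a scanner could pull that archive-level comment straight out of the EOCD record and compare it with the per-file comments; the sample archive and its "Password: 1234" comment are constructed here for illustration.

```python
import io
import re
import struct
import zipfile

def build_sample_zip(archive_comment_text: bytes = b"Password: 1234") -> bytes:
    """Constructed sample: an archive-level comment carrying a password hint
    plus an unrelated per-file comment, so the two kinds can be told apart."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("invoice.doc")
        info.comment = b"per-file comment"          # stored in the central directory entry
        zf.writestr(info, b"not a real document")
        zf.comment = archive_comment_text           # stored in the EOCD record
    return buf.getvalue()

EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22  # fixed part of the End Of Central Directory record

def archive_comment(data: bytes) -> bytes:
    """Return the archive-level comment by parsing the EOCD record directly.

    The EOCD record sits at the end of the file; its comment (at most 65535
    bytes) follows the 22-byte fixed part, so the signature is searched
    backwards over no more than 22 + 65535 trailing bytes.  A comment that
    itself contains the signature bytes would fool this simple search."""
    start = max(0, len(data) - EOCD_LEN - 0xFFFF)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0:
        raise ValueError("no EOCD record: not a ZIP file or truncated")
    # signature, 4x uint16 (disk numbers, entry counts), 2x uint32 (CD size, offset), comment length
    fields = struct.unpack_from("<4s4H2LH", data, pos)
    comment_len = fields[-1]
    comment = data[pos + EOCD_LEN : pos + EOCD_LEN + comment_len]
    if len(comment) != comment_len:
        raise ValueError("EOCD comment length exceeds file size")
    return comment

def file_comments(data: bytes) -> dict:
    """Per-file comments (central directory), for contrast with the archive comment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: i.comment for i in zf.infolist()}

# Detection heuristic (an assumption of this example): a password hint in the
# archive comment is a strong hint that the archive is meant to evade scanning.
PASSWORD_HINT = re.compile(rb"pass(word|wd|phrase)?\s*[:=]", re.IGNORECASE)

def comment_leaks_password(data: bytes) -> bool:
    return PASSWORD_HINT.search(archive_comment(data)) is not None
```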

7-zip displays the column by default...just have to scroll to the right in order to see it.
Thanks for the quick response. Unfortunately 7-Zip doesn't display the comment for this ZIP file.
I think it's because you are referring to a comment associated with the embedded file, while in this sample it is a comment associated with the ZIP archive, not with a particular file inside the ZIP file.
It does appear to be viewable in 7zip, but you have to access the "info" option at the top.
WinZIP and WinRAR have user-configurable settings for whether to display archive-level comments at file opening.

In WinZip 21.0, Settings -> WinZip Options -> Advanced -> File Handling -> Show comments when opening Zip files

In WinRAR 5.31, Settings -> General -> Show archive comment
Thanks, but what application does this *by default*?
By default Winrar shows archive comments in a window on the right hand side.
[quote=comment#38333]Thanks, but what application does this *by default*?[/quote]

winrar does.
I think peazip will show this information by default.
Maybe none.
Could it just be an artefact from the malware generation process?
Thanks for the suggestions all. I'll test them with the sample.