Zero-Day Attack Exploits Corrupted Files to Evade Advanced Security Tools


Cybersecurity experts at ANY.RUN have uncovered an active zero-day attack campaign that leverages corrupted files to bypass antivirus software, sandbox environments, and even email spam filters.

The attack, first identified by the ANY.RUN team, poses a significant threat by enabling malicious emails to infiltrate inboxes undetected.

Attack Overview

Attackers are exploiting a unique technique by intentionally corrupting files, making them difficult for security solutions to analyze. These files, often identified as ZIP archives or Microsoft Office documents (e.g., DOCX), evade detection by failing to conform to standard file-handling procedures.

“Although these files appear damaged or corrupted, they are fully operational and execute malicious code when opened in their corresponding programs,” the ANY.RUN team said in a statement with Cyber Security News.

“In this example, our sandbox solves this problem thanks to interactivity. It launches these broken files in their corresponding programs, which allows it to identify malicious behavior,” ANY.RUN stated.

Applications such as Microsoft Word, Outlook, and WinRAR have built-in recovery mechanisms that the attackers exploit to execute the payload without triggering alerts.

Traditional antivirus programs and file scanners are unable to detect these malicious files because of a flaw in how they handle corrupted or incomplete data:

  • Antivirus software: Marks such files as “clean” or “Item Not Found” on platforms like VirusTotal, as the files cannot be fully analyzed due to their corrupted nature.
  • Sandbox environments: Fail to identify the threat if they rely solely on automated static analysis methods.
  • Spam filters: Miss the malicious payload because the corrupted files appear benign or incomplete.

When analyzing corrupted files, some security tools attempt to extract contents, assuming these are archives. If no files can be extracted, the scanning process is halted, leaving the archive unexamined.
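A defender-side illustration of the gap described above, added here as an example and not ANY.RUN's own code: when the archive parser fails, the scan should escalate the file to behavioral analysis instead of ending with a "clean" verdict. The `classify` and `carve_members` helpers are assumptions of this example, and the test archive is constructed in memory (an intact ZIP and the same ZIP with its central directory stripped).

```python
import io
import re
import struct
import zipfile

# A ZIP member starts with this local file header signature even when the
# central directory / end-of-central-directory record at the tail is missing.
LOCAL_HEADER = re.compile(rb"PK\x03\x04")


def carve_members(data: bytes) -> list[str]:
    """Walk local file headers directly, ignoring the central directory.

    A truncated or tail-corrupted archive is reported as 'contains members'
    rather than 'nothing extracted', which is the blind spot in the article.
    """
    names = []
    for m in LOCAL_HEADER.finditer(data):
        off = m.start()
        if off + 30 > len(data):
            break
        # Header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        # csize(4) usize(4) namelen(2) extralen(2)  -> namelen at offset 26
        name_len, _extra_len = struct.unpack_from("<HH", data, off + 26)
        name = data[off + 30 : off + 30 + name_len]
        if name:
            names.append(name.decode("utf-8", "replace"))
    return names


def classify(data: bytes) -> str:
    """Verdict for a ZIP-like blob: 'clean-parse', 'suspect-corrupt',
    'unreadable' or 'not-zip'. A clean parse still needs content scanning."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.testzip()
        return "clean-parse"
    except zipfile.BadZipFile:
        # Parse failure with recoverable members is exactly what a repairing
        # application (Word, WinRAR) would open, so escalate rather than halt.
        return "suspect-corrupt" if carve_members(data) else "unreadable"


def build_samples() -> dict[str, bytes]:
    """Constructed test inputs (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"placeholder document bytes")
    intact = buf.getvalue()
    cd_offset = intact.rfind(b"PK\x01\x02")  # first central directory header
    return {"intact": intact, "truncated": intact[:cd_offset]}
```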

How the Attack Works

The attack exploits the recovery mechanisms of user applications rather than the limitations of the file itself.

For example:

  • Corrupted ZIP or DOCX files are delivered via email.
  • Security solutions fail to process the file properly, rendering them “invisible” to traditional detection mechanisms.
  • Once opened by the intended application, the built-in recovery features (e.g., Microsoft Word’s ability to repair corrupted documents) activate, facilitating the execution of malicious behavior.

Files of this nature are designed to activate only within their intended programs, bypassing static scanning tools while seamlessly executing in interactive environments.

ANY.RUN’s Innovative Detection Approach

Fortunately, the ANY.RUN interactive sandbox has proven effective in tackling this unique threat. Unlike traditional static analysis tools, the platform engages with the files directly, opening them in their corresponding programs to observe real-time behavior.

This approach enables detection of malicious activity triggered by recovery mechanisms, providing critical insight into the attack.

For example, one sandbox session highlighted malicious behavior from a corrupted file that had bypassed antivirus scanners entirely. See detailed analysis here.

ANY.RUN’s research shows that this attack has been active for several months, with the first observed instances dating back to August 2024.

The campaign appears to be growing in sophistication and scale, targeting organizations and individuals alike. Here you can see examples of sandbox analyses for such files. You can also find related sandbox sessions using the SHA256 hash in TI Lookup: Sample 1, Sample 2.

Cybersecurity teams are urged to adopt advanced detection tools that incorporate interactive and behavioral analysis for identifying these types of threats.

Reviewing suspicious file activity in sandboxes and applying additional layers of email filtering could help mitigate the risk. For more information on specific SHA256 hashes related to the campaign, visit ANY.RUN’s Threat Intelligence Lookup tool.

As the cybersecurity landscape continues to evolve, vigilance and innovation remain crucial in combating increasingly sophisticated attack techniques.
