{
	"id": "7a7b4256-2655-474b-b83c-ed65d322023a",
	"created_at": "2026-04-06T00:20:00.005893Z",
	"updated_at": "2026-04-10T03:22:09.207165Z",
	"deleted_at": null,
	"sha1_hash": "5ac97f07a0179d4a55e341ebbb97e79a8ff42c81",
	"title": "A 'Zip Bomb' to Bypass Security Controls \u0026 Sandboxes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 239610,
	"plain_text": "A 'Zip Bomb' to Bypass Security Controls \u0026 Sandboxes\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 14:18:34 UTC\r\nYesterday, I analyzed a malicious archive for a customer. It was delivered to the mailbox of a user who, fortunately, was security-aware and reported it. The payload had passed through several security layers built on big players on the market!\r\nThe file is a zip archive (SHA256: 97f205b8b000922006c32c9f805206c752b0a7d6280b6bcfe8b60d52f3a1bb5f) with a score of 6/58 on VT[1]. The archive contains an ISO file that, once mounted, discloses a classic PE file. But let's have a look at the file:\r\nremnux@remnux:/MalwareZoo/20220519$ zipdump.py Order-801273.zip\r\nIndex Filename Encrypted Timestamp\r\n 1 Order-801273.img 0 2022-05-16 13:32:08\r\nremnux@remnux:/MalwareZoo/20220519$ zipdump.py Order-801273.zip -s 1 -d \u003eOrder-801273.img\r\nremnux@remnux:/MalwareZoo/20220519$ file Order-801273.img\r\nOrder-801273.img: ISO 9660 CD-ROM filesystem data 'DESKTOP'\r\nremnux@remnux:/MalwareZoo/20220519$ sudo mount -o loop Order-801273.img /mnt/iso\r\nmount: /mnt/iso: WARNING: device write-protected, mounted read-only.\r\nremnux@remnux:/MalwareZoo/20220519$ ls /mnt/iso\r\nOrder-801273.exe\r\nremnux@remnux:/MalwareZoo/20220519$ cp /mnt/iso/Order-801273.exe .\r\nremnux@remnux:/MalwareZoo/20220519$ ls -l Order*\r\n-r-xr-xr-x 1 remnux remnux 419430400 May 20 00:34 Order-801273.exe\r\n-rw-r--r-- 1 remnux remnux 419495936 May 20 00:30 Order-801273.img\r\n-rw-r--r-- 1 remnux remnux 2017165 May 20 00:28 Order-801273.zip\r\nCheck carefully the sizes of the different files. The ZIP archive is 2MB but the PE file is much bigger: 400MB, an inflation ratio of roughly 200:1. Do you remember the \"Zip Bomb\"[2]? A very small malicious archive that, once decompressed, becomes very big and consumes a lot of resources to unpack.\r\nLet's start the analysis of the PE file using static analysis techniques. My favorite tool to start investigations is PEstudio[3]. 
It reports something suspicious:\r\n[PEstudio screenshot: the overlay entry highlighted in red]\r\nhttps://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/\r\nPage 1 of 4\r\n\r\nYou can see (highlighted in red) that the file has an \"overlay\", data appended after the last section that the PE loader never maps, and that this overlay accounts for 99% of the file size. Its first bytes are all zeroes. The overlay starts at offset 0x1B9C00 (1809408 in decimal). Let's confirm this by dumping the file from that offset:\r\nremnux@remnux:/MalwareZoo/20220519$ xxd -s 1809408 Order-801273.exe |more\r\n001b9c00: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c10: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c20: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c30: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c40: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c50: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c60: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c70: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c80: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9c90: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9ca0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9cb0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9cc0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9cd0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9ce0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9cf0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9d00: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9d10: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9d20: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9d30: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9d40: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9d50: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n001b9d60: 0000 0000 0000 0000 0000 
0000 0000 0000 ................\r\n001b9d70: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\nMicrosoft Windows is very permissive regarding data appended to files: the PE loader maps only what the section table describes, so anything sitting after the last section (the overlay) is ignored at load time and the program runs exactly as before. For example, it's common to see Word documents containing a macro that extracts a payload located at the end of the file. Here, the PE file has been altered by appending a lot of zeroes to the code. That's the reason why the archive is small: a long run of zeroes compresses extremely well and produces a tiny file. Let's try this:\r\nremnux@remnux:/MalwareZoo/20220519$ dd if=/dev/zero of=zero.tmp count=10000000\r\nremnux@remnux:/MalwareZoo/20220519$ zip zero.zip zero.tmp\r\nremnux@remnux:/MalwareZoo/20220519$ ls -l zero.*\r\n-rw-rw-r-- 1 remnux remnux 5120000000 May 19 16:06 zero.tmp\r\n-rw-rw-r-- 1 remnux remnux 4969094 May 19 16:07 zero.zip\r\n5GB of zeroes shrink to under 5MB, a ratio above 1000:1, which is close to the best DEFLATE can do.\r\nLet's get rid of the overlay to produce a new PE with a \"normal\" size. Note that dd copies 512-byte blocks by default, so bs=1 is required for count to be a byte count (head -c 1809408 would do the same job):\r\nremnux@remnux:/MalwareZoo/20220519$ dd if=Order-801273.exe of=Order-801273.exe.stripped bs=1 count=1809408\r\n1809408+0 records in\r\n1809408+0 records out\r\n1809408 bytes (1.8 MB, 1.7 MiB) copied, 2.31218 s, 783 kB/s\r\nremnux@remnux:/MalwareZoo/20220519$ ls -l Order-801273.exe.stripped\r\n-rw-r--r-- 1 remnux remnux 1809408 May 20 01:01 Order-801273.exe.stripped\r\nremnux@remnux:/MalwareZoo/20220519$ file Order-801273.exe.stripped\r\nOrder-801273.exe.stripped: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nNow, the file can be analyzed successfully. This is a very nice technique to bypass many security controls. 
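The two points above, that a long run of zeroes packs down to almost nothing and that the overlay can be located from the section table and cut off, as an added Python example (not code from the diary, from PEstudio or from zipdump.py). It builds a constructed, non-runnable PE32 with an all-zero overlay, wraps it in a constructed zip, reads the declared inflation ratio from the zip central directory before extracting anything, then finds the overlay from the last section's PointerToRawData + SizeOfRawData, measures how much of it is NUL padding and strips it. The member name sample.exe and the thresholds (ratio above 100:1, more than 90% NUL bytes) are assumptions for illustration; the ISO layer of the real sample is skipped.

```python
import io
import struct
import zipfile

FILE_ALIGN = 0x200


def build_bloated_pe(code_size=0x200, overlay_size=2 * 1024 * 1024):
    # Constructed sample: a minimal, non-runnable PE32 with one section and a
    # large all-zero overlay, mimicking the diary's bloated Order-801273.exe.
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    # COFF header: i386, 1 section, PE32 optional header (0xE0 bytes)
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into('<II', opt, 32, 0x1000, FILE_ALIGN)  # Section/FileAlignment
    headers_end = e_lfanew + 4 + len(coff) + len(opt) + 40
    raw_ptr = (headers_end + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    section = struct.pack('<8sIIIIIIHHI', b'.text', code_size, 0x1000,
                          code_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(raw_ptr)
    image[0:len(dos)] = dos
    off = e_lfanew
    for part in (b'PE' + bytes(2), coff, bytes(opt), section):
        image[off:off + len(part)] = part
        off += len(part)
    image += bytes([0xC3]) * code_size   # section body: RET instructions
    image += bytes(overlay_size)         # the appended zeroes
    return bytes(image)


def overlay_info(data):
    # Locate the overlay the way PEstudio does: it begins where the last
    # section's raw data ends according to the section table.
    # Returns (overlay_offset, overlay_size).
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad PE signature')
    nsec, opt_size = struct.unpack_from('<H12xH', data, e_lfanew + 6)
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from('<II', data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))
    return end, len(data) - end


def zero_fraction(data, start):
    # Share of NUL bytes in data[start:]; 1.0 means pure padding.
    tail = data[start:]
    return tail.count(0) / len(tail) if tail else 0.0


def strip_overlay(data):
    # Same effect as the diary's dd ... bs=1 count=<overlay offset>.
    return data[:overlay_info(data)[0]]


def make_archive(pe_bytes, name='sample.exe'):
    # Constructed delivery archive (the ISO layer of the real sample is skipped).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, pe_bytes)
    return buf.getvalue()


def triage(zip_bytes, max_ratio=100.0, max_zero_fraction=0.9):
    # Hypothetical gateway check; thresholds are assumptions, not from the diary.
    # The ratio comes from the central directory alone, so it costs nothing even
    # for a member that would inflate to hundreds of megabytes.
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            ratio = zi.file_size / max(zi.compress_size, 1)
            member = {'ratio': round(ratio, 1), 'inflation_suspect': ratio > max_ratio}
            pe = zf.read(zi)   # a real gateway would cap this read
            try:
                off, size = overlay_info(pe)
            except ValueError:
                findings[zi.filename] = member
                continue
            member.update(overlay_offset=off, overlay_bytes=size,
                          overlay_share=round(size / len(pe), 4),
                          padding_suspect=size > 0 and zero_fraction(pe, off) > max_zero_fraction,
                          stripped_size=len(strip_overlay(pe)))
            findings[zi.filename] = member
    return findings


if __name__ == '__main__':
    for name, f in triage(make_archive(build_bloated_pe())).items():
        print(name, f)
```

Run it to get one findings dict per archive member. On the real sample, overlay_info() should report the same 0x1B9C00 offset PEstudio shows, and the central-directory ratio alone would flag the archive without ever inflating the 400MB member. That is the practical lesson: a control that skips big files because inflating them is expensive can still reject them on the declared sizes, and an overlay that is almost entirely NUL bytes is a cheap static signal on its own.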
Indeed, for performance reasons, many scanners and sandboxes enforce a maximum file size: anything bigger is skipped outright or times out before the analysis completes, and a 400MB executable exceeds the limits most of them apply. Bloating a small payload with highly compressible padding is therefore cheap for the attacker and expensive for every control in the delivery path.\r\nBy the way, the PE file is a BitRAT sample using the following configuration:\r\n{\r\n  \"family\": \"bitrat\",\r\n  \"rule\": \"Bitrat\",\r\n  \"c2\": [\r\n    \"kot-pandora[.]duckdns[.]org:24993\"\r\n  ],\r\n  \"version\": \"1.38\",\r\n  \"attr\": {\r\n    \"tor_process\": \"tor\",\r\n    \"communication_password\": \"d6723e7cd6735df68d1ce4c704c29a04\"\r\n  }\r\n}\r\n[1] https://www.virustotal.com/gui/file/97f205b8b000922006c32c9f805206c752b0a7d6280b6bcfe8b60d52f3a1bb5f\r\n[2] https://en.wikipedia.org/wiki/Zip_bomb\r\n[3] https://www.winitor.com\r\nXavier Mertens (@xme)\r\nXameco\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/"
	],
	"report_names": [
		"28670"
	],
	"threat_actors": [],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ac97f07a0179d4a55e341ebbb97e79a8ff42c81.pdf",
		"text": "https://archive.orkl.eu/5ac97f07a0179d4a55e341ebbb97e79a8ff42c81.txt",
		"img": "https://archive.orkl.eu/5ac97f07a0179d4a55e341ebbb97e79a8ff42c81.jpg"
	}
}