Last Updated: 2020-05-03 11:10:41 UTC
by Didier Stevens (Version: 1)
A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service were you can download malware samples).
When you download a sample from MALWARE Bazaar, it is stored in a password protected ZIP file. As mentioned on the download page, the password is infected.
But you can still have issues when extracting the sample, because AES is used as encryption method. Not all ZIP utilities support AES as encryption method, and so you'll have to use a utility that not only supports ZipCrypto, but also AES.
Python's module zipfile does not support AES, only ZipCrypto. So many of my analysis tools (oledump, pdf tools, ...) that can analyse samples inside a password protected ZIP file, will not work directly with MALWARE Bazaar samples.
When pyzipper is installed, my zipdump.py tool will use it in stead of zipfile, and thus provide AES encryption support. If it is not installed, it will use built-in module zipfile.
I will gradually update my other tools using zipfile, to include support for pyzipper.