file suspicious.zip
Get-Content .\suspicious.zip -Encoding Byte -TotalCount 16 | Format-Hex
(Windows PowerShell 5.1 syntax; on PowerShell 7 replace -Encoding Byte with -AsByteStream)
Expected header:
50 4B 03 04
Confirm which one it is:
- true ZIP
- renamed file
- malformed archive
- polyglot archive
Enumerate (No Extraction)
Linux
zipinfo suspicious.zip
unzip -l suspicious.zip
Windows
tar -tf suspicious.zip
7z l suspicious.zip
Check:
- file count
- filenames
- timestamps
- compressed vs uncompressed size
Red flags:
- double extensions
- random names
- hidden payload naming
- suspicious compression ratio
Metadata
zipinfo -v suspicious.zip
Look for:
- uniform timestamps
- extreme compression
- encrypted entries
- abnormal file count
Extract Safely
mkdir out
unzip suspicious.zip -d out
Expand-Archive suspicious.zip -DestinationPath .\out
7z x suspicious.zip -oout
Always extract into an isolated folder.
Hunt
strings suspicious.zip
Look for:
- URLs
- powershell
- cmd
- base64
- suspicious filenames
Validate Contents
find out -type f
Get-ChildItem .\out -Recurse
Hash Extracted Files
Get-FileHash .\out\* -Algorithm SHA256
Magic Bytes
Format-Hex extracted.bin -Count 16
Expected:
| Type | Header |
|---|---|
| ZIP | 50 4B |
| PDF | 25 50 44 46 |
| EXE | 4D 5A |
Never trust the extension.
Password Protection
7z l -slt suspicious.zip
Look for (per entry, in the technical listing):
Encrypted = +
Important because password-protected ZIPs often bypass mail scanning.
Suspicious ZIP Indicators
- encrypted archive
- high compression ratio
- single suspicious payload
- uniform timestamps
- nested archive
- misleading filename
Safe Workflow
file -> zipinfo -> unzip -l -> extract isolated -> hash -> magic bytes
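The workflow above, as an added Python example that is not part of the original cheat sheet: it checks magic bytes, enumerates entries without extracting, and collects the listed indicators using only the standard library. The compression-ratio threshold, the extension lists and the sample archive are constructed assumptions for the demo.

```python
import io
import zipfile

# Magic bytes from the cheat sheet's table plus the empty-ZIP variant.
MAGIC = {b"PK\x03\x04": "ZIP", b"PK\x05\x06": "ZIP (empty)", b"%PDF": "PDF", b"MZ": "EXE"}
# Assumed extension lists for the double-extension and nested-archive checks.
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".iso", ".img")
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".lnk", ".hta")


def identify(data: bytes) -> str:
    """Type implied by the leading bytes; the extension is never consulted."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_zip(data: bytes, ratio_limit: float = 50.0) -> dict:
    """Enumerate entries (no extraction) and collect the cheat sheet's red flags."""
    flags = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) == 1:
            flags.append("single payload")
        if len(infos) > 1 and len({i.date_time for i in infos}) == 1:
            flags.append("uniform timestamps")
        for i in infos:
            name = i.filename.lower()
            if i.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                flags.append(f"encrypted entry: {i.filename}")
            if name.count(".") >= 2 and name.endswith(EXEC_EXT):
                flags.append(f"double extension: {i.filename}")
            if name.endswith(ARCHIVE_EXT):
                flags.append(f"nested archive: {i.filename}")
            if i.compress_size and i.file_size / i.compress_size > ratio_limit:
                flags.append(f"extreme compression: {i.filename}")
    return {"type": identify(data), "entries": [i.filename for i in infos], "flags": flags}


def build_sample() -> bytes:
    """Constructed demo archive (harmless zero bytes) that trips several indicators."""
    stamp = (2024, 1, 1, 0, 0, 0)  # identical timestamps on every entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("Invoice_2024.pdf.exe", stamp), b"\x00" * 200_000, zipfile.ZIP_DEFLATED)
        zf.writestr(zipfile.ZipInfo("attachments/inner.zip", stamp), b"PK\x05\x06" + b"\x00" * 18, zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_zip(build_sample()).items():
        print(f"{key}: {value}")
```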