Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. Last week, Reader Henry submitted a malicious email attachment, a zip file that contains an HTML phish, and I do the analysis here in this diary entry of last weekend.

Now, there was also something special about that zip file, and that's something I covered in a second diary entry of that weekend, and that is that the file name of the HTML file is malformed, namely that it contains a carriage return, newline, and this is something that maybe was done to make analysis and detection more difficult. So for example, email scanners might have issues scanning a file which has special control characters in the file name, like a carriage return or a newline.

Now, for my zip utility, that is not an issue. If you just run zipdump on the zip file, the only thing here that happens is that this line here for this file is spread over two lines. So we first have an I.png file and then we have a myfx and so on.html file. So two files, but here we don't have one line per file, because of the carriage return, newline. Two files, but that doesn't hamper analysis. You can just select that file, for example, and for example, do an ASCII dump. No problem.

Now, if you want to see exactly how the name is, what the special characters are, then you can use an option in my zipdump tool, option find, which will list all the zip records, the binary zip records that make up the binary structure of a zip file. So find, and say that we want a listing. And then here you have five zip records. And here you can indeed see the name with the carriage return, newline here. So these are not printed as control characters, but they are escaped.

Now, why do we have two entries? I mean, twice I.png and twice myfx. Well, that's the structure of a zip file. So you have entries that have the file with the compressed file content itself. And then you have a directory listing. So it's not a file directory, a file system directory; it's a directory into the zip file. And there the name is repeated, and then you have an end record. So with that option here, find, and produce a listing, you can see special characters in file names with my zipdump tool.

And like I showed, if you open this with 7-Zip, for example, then there is no issue. You can just see the file. While if you open this with Windows Explorer itself, the zip utility of Windows Explorer itself, then it only sees the PNG file; the HTML file cannot be seen. And yeah, different utilities handle this differently. Like I posted in this diary entry here, for example, the latest WinZip itself will give you a warning, something about an invalid file name. And then when you click away that warning, then I.png is listed and not the HTML file. So various zip archive utilities handle this differently. And the actors who did this should actually have an idea where this will end up for the trick with control characters to work properly.
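The record listing described above can be reproduced with a short parser. This is an added example, not part of the original video and not code from zipdump: it reads the file name stored in each local file header and each central directory entry, escapes it, and flags control characters. The sample archive and its file names (`image.png`, `invoice\r\n.html`) are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def has_control_chars(raw: bytes) -> bool:
    """True if the raw name holds C0 control bytes (CR, LF, NUL, ...) or DEL."""
    return any(b < 0x20 or b == 0x7F for b in raw)

def list_zip_names(data: bytes):
    """Return (record, offset, escaped_name, suspicious) per name-bearing record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, cd_size, cd_off = struct.unpack_from("<HLL", data, eocd + 10)
    records, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<3H", data, pos + 28)
        (lfh_off,) = struct.unpack_from("<L", data, pos + 42)
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            raise ValueError(f"bad local file header at {lfh_off}")
        (lfh_len,) = struct.unpack_from("<H", data, lfh_off + 26)
        # The name is stored twice: before the file data and in the directory.
        entries = (("local", lfh_off, 30, lfh_len), ("central", pos, 46, name_len))
        for kind, off, hdr, length in entries:
            raw = data[off + hdr:off + hdr + length]
            escaped = raw.decode("cp437").encode("unicode_escape").decode("ascii")
            records.append((kind, off, escaped, has_control_chars(raw)))
        pos += 46 + name_len + extra_len + comment_len
    return records

def build_sample() -> bytes:
    """Constructed test archive: one normal name, one with CR LF in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("image.png"), b"not a real image")
        zf.writestr(zipfile.ZipInfo("invoice\r\n.html"), b"<html></html>")
    return buf.getvalue()

if __name__ == "__main__":
    for kind, off, name, bad in list_zip_names(build_sample()):
        print(f"{kind:8} @{off:<5} {name}  {'<-- control characters' if bad else ''}")
```

A mail gateway or triage script can use the `suspicious` flag to quarantine archives whose stored names contain control characters, regardless of how a given unzip tool would display them.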