{"id":10226,"date":"2024-12-05T10:35:31","date_gmt":"2024-12-05T10:35:31","guid":{"rendered":"\/cybersecurity-blog\/?p=10226"},"modified":"2024-12-17T13:58:00","modified_gmt":"2024-12-17T13:58:00","slug":"corrupted-files-attack","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/","title":{"rendered":"Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis"},"content":{"rendered":"\n<p>Recently, our analyst team <a href=\"https:\/\/x.com\/anyrun_app\/status\/1861024182210900357\" target=\"_blank\" rel=\"noreferrer noopener\">shared their research<\/a> into a <strong>zero-day attack<\/strong> involving the use of corrupted malicious files to bypass static detection systems. Now, we present a technical analysis of this method and its mechanics.&nbsp;<\/p>\n\n\n\n<p>In this article, we will: &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Demonstrate how attackers corrupt archives, office documents, and other files&nbsp;<\/li>\n\n\n\n<li>Explain how this method successfully evades detection by security systems&nbsp;<\/li>\n\n\n\n<li>Show how corrupted files get recovered by their native applications&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s get started.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sandbox Analysis of a Corrupted File&nbsp;Attack<\/h2>\n\n\n\n<p>To first see how such attacks unfold, we can upload one of the corrupted files used by attackers to <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=corrupted_files&amp;utm_term=051224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s sandbox<\/a>.
&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/f0c1fe95-8165-4015-bb58-d9b38a8e9486\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=corrupted_files&amp;utm_term=051224&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-1024x579.png\" alt=\"\" class=\"wp-image-10231\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-2.png 1841w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis of a corrupted docx file in the ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Thanks to its interactivity, the sandbox lets us simulate a real scenario of a user opening the broken malicious file inside the file\u2019s <strong>corresponding application<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"687\" height=\"97\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-2.png\" alt=\"\" class=\"wp-image-10232\"
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-2.png 687w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-2-300x42.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-2-370x52.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-2-270x38.png 270w\" sizes=\"(max-width: 687px) 100vw, 687px\" \/><figcaption class=\"wp-element-caption\"><em>Word asking to restore a corrupted file<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In our case, it\u2019s a docx file. When we open it with Word, the program immediately offers us the option to <strong>recover the content of the file<\/strong> and successfully does it.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-1024x579.png\" alt=\"\" class=\"wp-image-10234\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1.png 1841w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN allows you to manually open a broken file with 
Word<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Inside, we find a <strong>QR code with a phishing link<\/strong>. The sandbox also automatically detects malicious activity and notifies us about this.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Corrupted Files Bypass Antivirus Software and Other Automated Solutions<\/h2>\n\n\n\n<p>Analysis inside the ANY.RUN sandbox showed how a corrupted file gets restored thanks to Word\u2019s <strong>built-in recovery mechanisms<\/strong>, which allows us to identify its malicious
nature.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"153\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2-1024x153.png\" alt=\"\" class=\"wp-image-10235\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2-1024x153.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2-300x45.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2-768x115.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2-370x55.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2-270x40.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2-740x111.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-2.png 1319w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>VirusTotal shows no detections for such corrupted files<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Yet, <a href=\"https:\/\/www.virustotal.com\/gui\/file\/3245ca6c7f9f78e6b8fc0f05e7821e4b4e0d1abf24719d9457a7640f3f447c58?nocache=1\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">if we submit the same corrupted file to VirusTotal<\/a>, which provides verdicts from numerous security solutions, we will see <strong>zero threat detections<\/strong>. The question is why?&nbsp;<\/p>\n\n\n\n<p>The answer is simple: <strong>most antivirus software and automated tools are<\/strong> <strong>not equipped with the recovery functionality<\/strong> that is found in applications, such as Word. This prevents them from accurately identifying the type of the corrupted file, resulting in a <strong>failure to detect and mitigate the threat<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Docx is not the only file format used by attackers. 
There are also <strong>corrupted archives with malicious files inside<\/strong>, which easily bypass spam filters because security systems cannot view their contents due to corruption. &nbsp;<\/p>\n\n\n\n<p>Once downloaded onto a system, tools like <strong>WinRAR easily restore the damaged archive<\/strong>, making its contents available to the victim.&nbsp;<\/p>\n\n\n\n<p>Now, let\u2019s see how exactly it works on a technical level.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Analysis of a Corrupted Word Document&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">The Structure of a Word Document&nbsp;<\/h3>\n\n\n\n<p>Since the mid-2000s, office documents (OpenOffice.org 2.0 \u2014 released in 2005) have been <strong>structured as archives<\/strong> containing the document&#8217;s content.&nbsp;<\/p>\n\n\n\n<p>In the image below, you can see the structure of a Word document.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"794\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-794x1024.png\" alt=\"\" class=\"wp-image-10264\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-794x1024.png 794w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-233x300.png 233w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-768x991.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-1190x1536.png 1190w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-370x477.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-270x348.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one-740x955.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_one.png 1302w\" sizes=\"(max-width: 794px) 100vw, 794px\" \/><figcaption class=\"wp-element-caption\"><em>Word document structure<\/em> (Figure 1)<\/figcaption><\/figure><\/div>\n\n\n<p>As we can see, all structures within this archive are interconnected, and this relationship <strong>begins from the end<\/strong>.&nbsp;<\/p>\n\n\n\n<p>At the end of the archive, there is a structure called the <strong>End of Central Directory Record<\/strong> (EOCD). This structure contains information about the size of the <strong>Central Directory File Header<\/strong> (CDFH), its offset, and the total number of entries in the archive. This structure helps locate the CDFH.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The CDFH duplicates the data stored in the <strong>Local File Header<\/strong> (LFH) and the offsets to it. Yet, this structure does not contain the compressed data itself but rather represents a hierarchy of files within the archive. This part of the structure allows you to find the <strong>LFH of each file<\/strong> in the archive.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The LFH is considered the <strong>header for each file in the archive<\/strong>. 
It contains important data such as the file name, compressed and uncompressed sizes, CRC32 checksum, and other parameters.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The compressed data is located after the header.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How the File Structure Can Be Manipulated by Attackers&nbsp;<\/h3>\n\n\n\n<p>As shown in the image above (Figure 1), the archive is structured backward, starting with the end, while all parts are linked together.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This has led us to test <strong>three different hypotheses<\/strong> (Figure 2):&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"892\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two-892x1024.jpg\" alt=\"\" class=\"wp-image-10265\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two-892x1024.jpg 892w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two-261x300.jpg 261w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two-768x881.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two-370x425.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two-270x310.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two-740x849.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/zeroday_info_two.jpg 1131w\" sizes=\"(max-width: 892px) 100vw, 892px\" \/><figcaption class=\"wp-element-caption\"><em>Three hypotheses we tested<\/em> (Figure 2)<\/figcaption><\/figure><\/div>\n\n\n<p>1. Can Word or an archiving program recover and successfully open a file if <strong>additional data is added to the beginning of the archive?<\/strong>&nbsp;<\/p>\n\n\n\n<p>2. 
Can Word or an archiving program recover and successfully open a file if we <strong>corrupt the linking between the parts and delete the CDFH<\/strong>, which does not contain the file data itself?&nbsp;&nbsp;<\/p>\n\n\n\n<p>3. Can Word or an archiving program recover and successfully open a file if we <strong>corrupt the linking between the parts and erase the EOCD<\/strong>, which is a crucial part of the recovery process?&nbsp;<\/p>\n\n\n\n<p>You can see the results of our hypothesis testing in the table below.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-212\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"4\"\n           data-wpID=\"212\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        \u00a0\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Word\u00a0\u00a0                    <\/th>\n                                                <th 
class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        ZIP\u00a0\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hypothesis 1\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bc-FFFFFF wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Success\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Fail (the file is no longer an archive)\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                   
             <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hypothesis 2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bc-FFFFFF wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Success\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Success\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hypothesis 3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bc-FFFFFF wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n             
       data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Success (thanks to undamaged Local File Headers)\u00a0\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Success (thanks to undamaged Local File Headers)\u00a0\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-212'>\ntable#wpdtSimpleTable-212{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-212 td, table.wpdtSimpleTable212 th { white-space: normal !important; }\n.wpdt-bc-FFFFFF { background-color: #FFFFFF !important;}\n<\/style>\n\n\n\n\n<p>During our hypothesis testing, we\u2019ve made several noteworthy observations:&nbsp;<\/p>\n\n\n\n<p>1. For minimal recovery of a Word document, the following files are essential:&nbsp;<\/p>\n\n\n\n<p><strong>[Content_Types].xml, <\/strong>&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>word\/document.xml, <\/strong>&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>word\/_rels\/document.xml.rels, <\/strong>&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>_rels\/.rels; <\/strong>&nbsp;&nbsp;<\/p>\n\n\n\n<p>These contain crucial information regarding the relationships between elements and form the standard file hierarchy required for Word to interpret the document.&nbsp;<\/p>\n\n\n\n<p>2. A ZIP archive with corrupted <strong>Local File Headers<\/strong> will only show the file structure. The actual file content will be empty.&nbsp;<\/p>\n\n\n\n<p>3.
If the end part of the ZIP file is damaged, the archiving software and Word will attempt to use an alternative recovery method: by <strong>leveraging intact Local File Headers<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Our findings demonstrate that Word is more resilient to file corruption than ZIP. While Word successfully recovered files with corrupted <strong>CDFH, EOCD, and even when random bytes were added to create a non-existent LFH structure<\/strong>, ZIP failed in the first hypothesis, where random bytes were added to the beginning of the file.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why Security Systems Fail to Read Corrupted Files&nbsp;<\/h3>\n\n\n\n<p>Security systems attempt to identify file types, including by using Magic Bytes in File Headers. In the case of office documents and ZIP archives, because the file effectively starts from the end, we can <strong>corrupt the archive structure and magic bytes<\/strong>, making it difficult for detection systems to identify the file type. 
&nbsp;<\/p>\n\n\n\n<p>This leads to the inability to unpack and inspect the contents.&nbsp;<\/p>\n\n\n\n<p>Consider <a href=\"https:\/\/app.any.run\/tasks\/c6727312-2309-4ad6-9572-66d034d24008\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=corrupted_files&amp;utm_term=051224&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this email with a corrupted Word document<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"746\" height=\"372\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-3.png\" alt=\"\" class=\"wp-image-10252\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-3.png 746w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-3-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-3-370x185.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-3-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-3-740x369.png 740w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN&#8217;s Sandbox identifies malicious activity<\/em> <em>of the corrupted file<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox once again has no problem detecting the threat, returning a \u201cmalicious activity\u201d verdict.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"145\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1-1024x145.png\" alt=\"\" class=\"wp-image-10237\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1-1024x145.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1-300x42.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1-768x109.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1-370x52.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1-270x38.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1-740x105.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1.png 1313w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Only one detection in VirusTotal<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>But, when run in VirusTotal, almost zero threat detections come back for this file.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Our study revealed a vulnerability in document and archive structures. By manipulating specific components like the CDFH and EOCD, attackers can create corrupted files that are successfully repaired by applications but remain undetected by security software.
As a result, security systems have not yet developed a clear logic for detecting such attacks, which leaves their users exposed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=corrupted_files&amp;utm_term=051224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds<\/li>\n\n\n\n<li>Interact with samples in real time<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior<\/li>\n\n\n\n<li>Collaborate with your team&nbsp;<\/li>\n\n\n\n<li>Scale as you need<\/li>\n<\/ul>\n\n\n\n<p><a
href=\"https:\/\/any.run\/demo\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=emmenhtal&amp;utm_term=091224&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN&#8217;s Interactive Sandbox and Threat Intelligence products for free \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, our analyst team shared their research into a zero-day attack involving the use of corrupted malicious files to bypass static detection systems. Now, we present a technical analysis of this method and its mechanics.&nbsp; In this article, we will: &nbsp; Let\u2019s get started.&nbsp; Sandbox Analysis of a Corrupted File&nbsp;Attack To first see how such [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":10263,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-10226","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head_json":{"title":"Zero-Day: How Attackers Use Corrupted Files to Bypass Detection","description":"See technical analysis of a zero-day attack that uses corrupted malicious files to bypass detection by advanced security systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/","twitter_misc":{"Written by":"khr0x","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/"},"author":{"name":"khr0x","@id":"https:\/\/any.run\/"},"headline":"Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis","datePublished":"2024-12-05T10:35:31+00:00","dateModified":"2024-12-17T13:58:00+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/"},"wordCount":1326,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/","url":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/","name":"Zero-Day: How Attackers Use Corrupted Files to Bypass Detection","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-12-05T10:35:31+00:00","dateModified":"2024-12-17T13:58:00+00:00","description":"See technical analysis of a zero-day attack that uses corrupted malicious files to bypass detection by advanced security systems.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/corrupted-files-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware 
Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"khr0x","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","caption":"khr0x"},"description":"I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. 
In my spare time I do sports and play video games.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10226"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=10226"}],"version-history":[{"count":27,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10226\/revisions"}],"predecessor-version":[{"id":10525,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10226\/revisions\/10525"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/10263"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=10226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=10226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=10226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}