Once the RAR file is opened, the CVE-2023-38831 exploit triggers the execution of the COOKBOX malware.
The RAR archive contains multiple files, including one whose name contains the Unicode character U+201F, which renders as whitespace on Windows systems. Because it pads the visible name with apparent whitespace, the character hides the real file extension, so a malicious CMD file named "Рахунок на оплату.pdf[unicode character U+201F].cmd" looks like a PDF document. The archive also includes a benign PDF with the same name minus the Unicode character, and the directory inside the archive carries that same benign PDF name. This naming overlap exploits the WinRAR vulnerability CVE-2023-38831, causing the malicious CMD to execute when the target attempts to open the benign PDF.
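The two tricks described above (a deceptive Unicode character hiding a script extension, and a decoy file sitting next to a same-named directory holding the script) both show up in the archive's entry listing, so they can be checked before anything is extracted. The script below is an added example written for this page, not code from the original report; it works on a plain list of entry names (in practice taken from `zipfile.ZipFile(...).namelist()` or, for RAR, the third-party `rarfile` package's `namelist()`, neither of which is used here), and the sample listing is constructed to mirror the layout the text describes. The character set and the extension lists are assumptions and can be extended.

```python
import posixpath
import unicodedata

# Extensions Windows will execute when the entry is "opened" (assumption).
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr"}
# Extensions a lure would impersonate (assumption).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# U+201F is the character the report describes; the others are common
# whitespace look-alikes and direction overrides (assumption, extend as needed).
DECEPTIVE_CHARS = {"\u201f", "\u00a0", "\u2007", "\u202f", "\u3000",
                   "\u200b", "\u200e", "\u200f", "\u202e"}

# Constructed sample listing mirroring the layout described in the text:
# a benign decoy, a directory with the same name, and the script inside it.
SAMPLE_ENTRIES = [
    "Рахунок на оплату.pdf",
    "Рахунок на оплату.pdf/",
    "Рахунок на оплату.pdf/Рахунок на оплату.pdf\u201f.cmd",
]


def extension(name):
    return posixpath.splitext(name)[1].lower()


def has_deceptive_chars(name):
    """Flag names containing listed look-alikes or any format/space
    character other than a plain ASCII space."""
    return any(c in DECEPTIVE_CHARS
               or (c != " " and unicodedata.category(c) in {"Cf", "Zs"})
               for c in name)


def disguised_extension(name):
    """True if the entry ends in an executable extension but, once the
    trailing deceptive characters are removed from the stem, the visible
    part of the name ends in a document extension."""
    base = posixpath.basename(name)
    if extension(base) not in EXECUTABLE_EXTS:
        return False
    stem = posixpath.splitext(base)[0]
    visible = stem.rstrip("".join(DECEPTIVE_CHARS) + " ")
    if visible == stem:
        return False          # nothing was hiding the real extension
    return extension(visible) in DOCUMENT_EXTS


def cve_2023_38831_pattern(names):
    """Return (decoy, entry) pairs where a file X sits beside a directory X/
    that contains an entry whose basename starts with X's basename."""
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:               # directories implied by nested entries
        parent = posixpath.dirname(n)
        if parent:
            dirs.add(parent)
    hits = []
    for decoy in sorted(files):
        if decoy not in dirs:
            continue
        decoy_base = posixpath.basename(decoy)
        for entry in sorted(files):
            if (posixpath.dirname(entry) == decoy
                    and posixpath.basename(entry).startswith(decoy_base)):
                hits.append((decoy, entry))
    return hits


def scan(names):
    """Run all three checks over an archive listing and return the findings."""
    findings = []
    for n in names:
        if has_deceptive_chars(n):
            findings.append(("deceptive-unicode", n))
        if disguised_extension(n):
            findings.append(("disguised-extension", n))
    for decoy, entry in cve_2023_38831_pattern(names):
        findings.append(("cve-2023-38831-layout", f"{decoy} -> {entry}"))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_ENTRIES):
        print(f"{kind}: {detail!r}")
```

Run against the constructed listing it reports all three findings for the script entry; a listing with only ordinary files (or a directory that merely shares a name with a file but holds nothing named after it) produces no layout hit, which is why the directory check is kept separate from the Unicode check.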