Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Using unicode to trick users to install malware

Our partner Openfind Information Technology, Inc., providing message communication, security and assurance solutions and based in Taiwan, have detected increased use of a new technique used to trick users into opening malware executables. The files are distributed via email (compressed). The emails includes standard “you have received an important document which is attached” text.

When the archive is opened, the filename appears to be of the promised .doc or .xls type. However, the filename includes a unicode string that effectively hides the .exe or .scr file type.

These are examples of the types of filenames used:

  • Costing Cap[U+202E]slx.exe
  • Calenda[U+202E]cod.scr

Note the Unicode control characters in brackets: [U+202E]. This code has the function of a “Right to Left Override” (RLO). Any text to the right of this code will be reversed. Thus the final few letters of the examples above appear as:

  • exe.xls (appears to be an MS-Excel file)
  • rcs.doc (appears to be an MS-Word file)

Since the control code is not actually displayed when the filename is shown in the operating system, the filenames would appear to be:

  • Costing Capexe.xls
  • Calendarcs.doc (see example below)
Our Command AV lab confirms that the file shown above will actually open an embedded MS-Word document – but will also start the malware installation process in parallel.
For more information about Openfind visit:

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...