Introduction

One day I was alerted that FortiMail detected an archive bomb in the attachment.

May 1 11:11:11 192.168.1.1 date=2020-05-01 time=11:11:11.620 device_id=FE800E1111000111 log_id=0100006849 type=virus subtype=infected
pri=information from="sender@gmail.com" to="recipient@mydomain.com" client_name="" client_ip="66.200.70.2"
session_id="041FLj6h006048-041OIj7j005511" msg="archive bomb detected in attachment(s)" 
log entry

I checked the file and there was nothing scary about it: a sample company DOCX document, which wasn't even compressed. That's why today I prepared a very simple Word document that should trigger archive bomb detection in FortiMail. You can get it from here (it's a legitimate file, trust me): https://packetplant.com/assets/archiveBombDocument.docx

a00957cac6c538be83d87754573fc7e6  archiveBombDocument.docx
MD5 sum

Analysis

If you have access to a FortiMail, try to send that file as an attachment through it. If Grayware scanning is enabled, you should see a log entry reporting an archive bomb. Why did that happen?

So first of all, the Archive Bomb is a part of Grayware Scanning. You can disable or enable Grayware in general, but you can't disable just Archive Bomb detection.

Grayware definition: https://kb.fortinet.com/kb/documentLink.do?externalID=11003

The detection of the Archive Bomb is not performed by a signature, so we can't add an exception. It's triggered when the AV engine finds multiple layers of archives (or extreme compression) that might eventually overload the system resources (memory, CPU) while unpacking.

Wait a minute! I am sending a DOCX file, not a ZIP file, and I'm still alerted. It's due to the nature of the DOCX file.

DOCX files are created using the Open XML format, which stores documents as a collection of separate files and folders in a compressed zip package.

So try to uncompress it:

├── archiveBombDocument.docx
└── archiveBombDocument_unpacked
    ├── [Content_Types].xml
    ├── _rels
    ├── docProps
    │   ├── app.xml
    │   └── core.xml
    └── word
        ├── _rels
        │   └── document.xml.rels
        ├── document.xml
        ├── fontTable.xml
        ├── media
        │   └── image1.emf
        ├── settings.xml
        ├── styles.xml
        ├── theme
        │   └── theme1.xml
        └── webSettings.xml

Now let's check the compression ratio:

Archive:  archiveBombDocument.docx
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
    1364  Defl:S      358  74% 1980-01-01 00:00 2c2fab17  [Content_Types].xml
     590  Defl:S      239  60% 1980-01-01 00:00 b71a911e  _rels/.rels
    4161  Defl:S     1216  71% 1980-01-01 00:00 d8961f31  word/document.xml
     949  Defl:S      264  72% 1980-01-01 00:00 908c3725  word/_rels/document.xml.rels
14036648  Defl:S    73459 100% 1980-01-01 00:00 2e643d23  word/media/image1.emf
    8393  Defl:S     1746  79% 1980-01-01 00:00 9867f4b6  word/theme/theme1.xml
    3093  Defl:S     1102  64% 1980-01-01 00:00 a6de204d  word/settings.xml
   29367  Defl:S     2937  90% 1980-01-01 00:00 dac93135  word/styles.xml
     803  Defl:S      313  61% 1980-01-01 00:00 f1ffc140  word/webSettings.xml
    2429  Defl:S      590  76% 1980-01-01 00:00 07e009f1  word/fontTable.xml
     743  Defl:S      368  51% 1980-01-01 00:00 dab7fc31  docProps/core.xml
     984  Defl:S      462  53% 1980-01-01 00:00 7779030f  docProps/app.xml
--------          -------  ---                            -------
14089524            83054  99%                            12 files

One of the files (image1.emf) displays a compression ratio of 100%. However, if you divide Length by Size you can see that the compressed file is 191 times smaller! Its uncompressed size is 13.3MB (14036648 bytes).

compression_ratio == uncompressed / compressed

With that knowledge, let's check the conditions for an archive to be considered a bomb:

  1. compression ratio > 100               AND
  2. the size of the uncompressed file > 1M

Our file meets both criteria, that's why an entry "archive bomb detected in attachment(s)" is generated!
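As an added example (not code from the original post or from Fortinet), the following Python script applies the two criteria above to every member of a DOCX, using the page's formula (uncompressed / compressed) rather than the rounded percentage that unzip prints. The thresholds, the reading of "1M" as 1 MiB, and the constructed sample package (2 MiB of zero bytes standing in for image1.emf) are assumptions.

```python
import io
import zipfile
from typing import List, Tuple

# Thresholds as stated on the page; "1M" is read here as 1 MiB (an assumption).
RATIO_THRESHOLD = 100
UNCOMPRESSED_THRESHOLD = 1024 * 1024


def compression_ratio(info: zipfile.ZipInfo) -> float:
    """uncompressed / compressed, as the page defines it.

    A member whose compressed size is 0 (empty file or directory entry)
    cannot be a bomb, so it gets ratio 0 instead of a ZeroDivisionError.
    """
    if info.compress_size == 0:
        return 0.0
    return info.file_size / info.compress_size


def find_archive_bomb_members(data: bytes) -> List[Tuple[str, int, int, float]]:
    """Return (name, uncompressed, compressed, ratio) for every member that
    meets BOTH criteria: ratio > 100 AND uncompressed size > 1 MiB."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ratio = compression_ratio(info)
            if ratio > RATIO_THRESHOLD and info.file_size > UNCOMPRESSED_THRESHOLD:
                flagged.append((info.filename, info.file_size, info.compress_size, ratio))
    return flagged


def build_sample_docx() -> bytes:
    """Constructed stand-in for the document from the post: a minimal OOXML
    package whose word/media/image1.emf is 2 MiB of zeros (not a real EMF),
    which deflate shrinks far more than 100x, just like the real image did."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.emf", b"\x00" * (2 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for name, raw, packed, ratio in find_archive_bomb_members(build_sample_docx()):
        print(f"{name}: {raw} -> {packed} bytes, ratio {ratio:.0f}:1")
```

Run it against a real attachment with `find_archive_bomb_members(open(path, "rb").read())` to see which member trips the rule before the mail gateway does.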

This can be disabled by editing the Content Profile:

Profile --> Content --> Edit one

Summary

The file itself doesn't have to be malicious to generate an "archive bomb" alert, and AV can rate the file as clean. However, each such event is worth analyzing, as an archive bomb is typically used to disable AV software by exhausting its resources while it uncompresses the archive.