Archive confusion

SophosLabs have been monitoring the various new file formats used in spam recently. Today I saw a strange example of a different file format. An email message with no message body, just an attachment that on first sight looked like a ZIP file:

Email message

However, when attempting to UNZIP the file, errors were observed!

When looking at the supposed ZIP file in a hex editor I saw the following.

Hex Dump

So the file is actually a RAR archive, which a pure UNZIP utility will not extract.
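The check that exposes this is to read the first few bytes of the attachment, as the hex editor does above, rather than trusting the ".zip" extension. The script below is an added example and is not SophosLabs code; it compares the container format an attachment claims (from its extension) with the signature at offset 0, prints a hex-editor style view of the first bytes, and also asks Python's own zipfile module whether it can parse the payload. The ZIP and RAR signatures are the documented ones; the two sample payloads are constructed in memory, one genuine ZIP and one RAR header delivered under a .zip name, and are not the attachment from this post.

```python
import io
import os
import zipfile

# Container signatures ("magic bytes") at offset 0. The extension on the
# attachment is never trusted; only these leading bytes decide the format.
SIGNATURES = [
    (b"PK\x03\x04", "zip"),            # ZIP local file header
    (b"PK\x05\x06", "zip"),            # empty ZIP (end-of-central-directory only)
    (b"PK\x07\x08", "zip"),            # spanned ZIP archive
    (b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 5.x archive
    (b"Rar!\x1a\x07\x00", "rar"),      # RAR 1.5 to 4.x archive
]


def sniff_container(data: bytes) -> str:
    """Return 'zip', 'rar' or 'unknown' from the first bytes of the payload."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def hexdump_head(data: bytes, length: int = 16) -> str:
    """Hex-editor style view of the first bytes, for the analyst's notes."""
    chunk = data[:length]
    hex_part = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{hex_part:<{length * 3}} |{ascii_part}|"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the format an attachment claims with the format it really has."""
    claimed = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = sniff_container(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        # Flag only when we positively identified a different container.
        "mismatch": actual != "unknown" and actual != claimed,
        # Independent check: can the standard ZIP parser read it at all?
        "python_zip_ok": zipfile.is_zipfile(io.BytesIO(data)),
    }


def make_sample_zip() -> bytes:
    """Constructed sample: a genuine single-file ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.txt", "hello")
    return buf.getvalue()


# Constructed sample: a payload carrying the RAR 4.x signature but delivered
# under a .zip name, the situation described in the post.
SAMPLE_RAR_AS_ZIP = b"Rar!\x1a\x07\x00" + b"\x00" * 24


if __name__ == "__main__":
    for name, blob in [("invoice.zip", make_sample_zip()),
                       ("invoice.zip", SAMPLE_RAR_AS_ZIP)]:
        print(hexdump_head(blob))
        print(check_attachment(name, blob))
```

Run against the two constructed samples, the genuine archive reports no mismatch and parses with zipfile, while the RAR payload named invoice.zip reports actual "rar" against claimed "zip" and zipfile refuses it, which is exactly the "errors when unzipping" symptom seen above. The same comparison can be applied at a mail gateway to log or quarantine attachments whose content does not match their extension.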

RAR is a relatively popular proprietary archive format which has many plus points as an archiver. However, the minus point is that it is not universally installed or available to the majority of computer users. By using RAR the spammers have effectively shot themselves in the foot, as the number of people capable of extracting the archive, and so reading the spam message, has been greatly reduced.