According to our friends at Commtouch, malware using Right to Left Override (RLO) Unicode tricks have "resurfaced extensively in the past week". Unicode character (U+202E) "reverses" text for languages that are traditionally read from right to left, and it's a feature that can be used to obfuscate file names.

We examined a sample a few days ago.

Here's the archive file viewed in Windows:



The Windows Compressed Folder view shows us that the extension is ".exe" and that the file type is an Application:



But once extracted, the file appears to have an extension of ".doc".

Windows Explorer recognizes the file as an application, but the malware is using a Word icon as part of its social engineering trickery.



Being curious, we decided to test some third-party archive managers.

Here's the malware as viewed in WinZip:



Here's WinRAR:



And here's 7-Zip:



Surprisingly to us, 7-Zip doesn't display the file type even though it sorts by type.

In any case, be aware of this RLO trick, and carefully examine any archived attachments before extracting and/or opening them.