7-Zip 0-day was exploited in Russia’s ongoing invasion of Ukraine


OnlyONE4Hope2SaveJohn14.6

Smack-Fu Master, in training
1
Hi all! I'm the threat hunter who found this vulnerability. There is some confusion as to the file extension and execution. The second archive file starts with a Cyrillic "Es" character; in the wild the file extension is .do[es]/.doc, where [es] is the placeholder for the Cyrillic character, which looks like a Latin "c" character. In many cases commonly used extensions are tied to applications which will open these files by default. Since .do[es] is not tied to any program, Windows doesn't know how to handle it. Now the interesting thing is that 7-Zip will not only look at the file extension but also at the file's magic bytes "\x37\x7A\xBC\xAF\x27\x1C" in the header. Recognizing the 7-Zip magic bytes, 7-Zip will then proceed to process this file as an archive, the contents of which will not receive mark-of-the-web protections due to CVE-2025-0411.
Good to know. Thanks for sharing.
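As an added defender-side example (not the poster's code or anything from the 7-Zip project), the two signals described in the post can be checked together during triage: a Cyrillic look-alike character in the file extension, and the 7z signature at offset 0 regardless of what the extension claims. The confusable table and the sample file names and headers are constructed for this example.

```python
import os

# 7-Zip archive signature quoted in the post: 37 7A BC AF 27 1C
SEVEN_ZIP_MAGIC = b"\x37\x7A\xBC\xAF\x27\x1C"

# Constructed subset of Cyrillic letters that render like Latin letters found
# in common document extensions (.doc, .pdf, .xls, ...). Not exhaustive.
CONFUSABLES = {
    "\u0441": "c",  # Cyrillic es, the character described in the post
    "\u043e": "o",  # Cyrillic o
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u0440": "p",  # Cyrillic er
    "\u0445": "x",  # Cyrillic ha
}


def extension_homoglyphs(name):
    """Return (extension folded to Latin, list of confusable chars it contained)."""
    ext = os.path.splitext(name)[1]
    hits = [ch for ch in ext if ch in CONFUSABLES]
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in ext)
    return folded, hits


def classify(name, header):
    """Combine the extension check with the magic-byte check on the first bytes.

    A name whose extension is only a homoglyph away from .doc, paired with a
    7z header, matches the pattern the post describes: Windows has no handler
    for the odd extension, but 7-Zip recognises the content as an archive.
    """
    folded, hits = extension_homoglyphs(name)
    is_7z = header.startswith(SEVEN_ZIP_MAGIC)
    return {
        "looks_like": folded,
        "homoglyphs": [f"U+{ord(c):04X}" for c in hits],
        "is_7z_archive": is_7z,
        "suspicious": bool(hits) and is_7z,
    }


def classify_file(path):
    """Read only the header from disk and classify by name plus content."""
    with open(path, "rb") as f:
        return classify(os.path.basename(path), f.read(len(SEVEN_ZIP_MAGIC)))
```

Running classify_file over an inbound-attachment directory surfaces files that a handler based on the visible extension alone would pass over.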