How to quickly find out what the threat nature of a password protected archive without getting infected?


I have recently received an e-mail from an existing support group e-mail box with the following characteristics:

  • written in the language used in company’s HQ (different from English which is the primary communication language)
  • had a zip attachment
  • provides a clear password for the attachment
  • is a reply of a legitimate e-mail I have received from a colleague a few months ago

This seems to be similar to what is described here, so there is very high chance to have received an infected file. After a couple of hours, our security department sent an e-mail related to similar cases happening inside the company.

I am wondering about how to find out the exact nature of the threat in a secure way. I have tried the following (only the first step inside the company, the rest within a VM):

  • checked on VirusTotal, but received 0% detection which makes sense since the engines cannot scan the encrypted archive
  • Checked with the Nanoav which boast about scanning password protected archives, but it does not allow to input the password
  • opened the archive with 7zip and saw a document inside
  • extracted the file using 7zip and uploaded the document to VirusTotal => 13+ engines detected something weird.

Do previewing and extracting the archive impose any security risk or is it only the document inside that can be infected? (in this case it seems to employ a macro).

Question: How to quickly find out what exactly the threat nature of a password protected archive without getting infected?