Magic: MWDB recognizes PE files as zip archives

[yankovs]

Environment information

• MWDB version (from /about): v2.12.0
• Installation method:
  • mwdb.cert.pl service
  • From PyPi (pip install mwdb-core)
  • From docker-compose
  • Other (please explain)

Behaviour the bug (what happened?)

PE files sometimes get identified as being zip. They get the wrong magic identification in the type field

Expected behaviour

Have PE magic as normal

Screenshots

Additional context

PE files that get correctly identified by VT but wrong by MWDB:

• ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b
• a4d806800a7e2db9c3b0f91a7eb5560d78ccf172921a7dea732db40ede0ed92d
• 969e044d2c3de643992af80d374f5e0a6bb308b0ae7c5ea5287028b5e3614531
• 5b1be150225de6a35e9d3db41e566780138d4bc8bec6099be5b15de230f612a7

In our database, we've identified more than 2500 such samples, so there are more examples if needed.

[psrok1]

MWDB uses libmagic for that (the same thing as in file command) and it's regression in libmagic 5.44 (problem persists in 5.45)

$ ./file -m ../magic/magic.mgc -v
file-5.43
magic file from ../magic/magic.mgc

$ ./file -m ../magic/magic.mgc ~/ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b 
ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

vs

$ ./file -m ../magic/magic.mgc -v
file-5.44
magic file from ../magic/magic.mgc

$ ./file -m ../magic/magic.mgc ~/ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b 
ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b: Zip archive, with extra data prepended