I want to illustrate how to perform a static analysis of the malicious Publisher file Xavier analyzed yesterday. Publisher files can contain macros, in the same way as Word and Excel files. oledump.py can extract macros from Publisher files too:

Several strings are hidden in UserForm1, for example the type of object to create, and the URL.

Streams 13 through 19 contain data for UserForm1, like tag values:
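As an added example (not the diary's own code, and not part of oledump.py), here is a small Python script for triaging the raw bytes of a UserForm stream dumped with `oledump.py -s <n> -d sample.pub`: it recovers both ASCII and UTF-16LE strings (control properties such as Tag are stored in either encoding) and flags URL-like strings and common automation object names. The sample bytes, the URL and the object-name list are constructed placeholders for illustration.

```python
# Added example (not from the diary): recover hidden strings from raw
# UserForm stream bytes dumped with `oledump.py -s <n> -d sample.pub`.
import re
import sys

# UserForm control properties are stored as ASCII when every character
# fits in one byte, and as UTF-16LE otherwise, so both encodings are scanned.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Automation object names worth flagging; this list is an assumption for illustration.
OBJECT_NAMES = ("WScript.Shell", "Shell.Application", "MSXML2.XMLHTTP", "ADODB.Stream")

# Constructed stand-in for a dumped stream: a UTF-16LE object name followed by
# an ASCII URL; the host is a placeholder, not an indicator from the diary.
SAMPLE = (b"\x00\x04\x00\x00" + "WScript.Shell".encode("utf-16le")
          + b"\x00\x00\x00" + b"http://example.invalid/stage2" + b"\x00\x80")


def extract_strings(data: bytes) -> list:
    """Return decoded printable runs (ASCII and UTF-16LE) in stream order."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), m.group().decode("utf-16le")))
    found.sort()
    return [s for _, s in found]


def classify(strings: list) -> dict:
    """Pick out what an analyst wants to see first: URLs and object names."""
    urls, objects = [], set()
    for s in strings:
        urls.extend(URL_RE.findall(s))
        for name in OBJECT_NAMES:
            if name.lower() in s.lower():
                objects.add(name)
    return {"urls": urls, "objects": sorted(objects)}


if __name__ == "__main__":
    # Pass the path of a stream dumped with oledump.py, or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    strings = extract_strings(data)
    for s in strings:
        print(s)
    print(classify(strings))
```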
Didier Stevens, ISC Handler, Aug 25th 2018