
SANS ISC: .PUB Analysis - Internet Security | DShield SANS ISC InfoSec Forums


.PUB Analysis

Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.

oledump.py reveals VBA macros in this sample:

The VBA macro contains calls to the Chr function (which turns a character code into the corresponding character). Such calls could encode a URL or some other payload:
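Once the macro source has been extracted (for example with oledump.py -s <stream> -v), a small decoder can rebuild the strings that the Chr calls assemble. This is an added example, not code from the diary or from oledump.py; the VBA fragment in SAMPLE_VBA is constructed for illustration and its URL is a placeholder on the reserved .invalid TLD.

```python
import re

# Constructed VBA fragment in the style of the Chr() obfuscation described
# above; it is NOT the macro from the reported campaign.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & Chr(47) + Chr(47) & "exa" _
        & ChrW(109) & Chr(&H70) & "le.invalid/" & Chr(112) & Chr(97) & Chr(121)
    Debug.Print Chr(97) & Chr(98) & Chr(99), Chr(100) & Chr(101) & Chr(102)
End Sub
'''

# A token is either a Chr/ChrW/ChrB call with a decimal or &H hex code,
# or a double-quoted literal ("" inside it is an escaped quote).
_TOKEN = re.compile(
    r'Chr[WB]?\s*\(\s*(?P<code>&H[0-9A-Fa-f]+|\d+)\s*\)'
    r'|"(?P<lit>(?:[^"]|"")*)"',
    re.IGNORECASE,
)
# Text allowed between two tokens of the same string: whitespace and & or +.
_GLUE = re.compile(r'^[\s&+]*$')


def _decode(m: re.Match) -> str:
    code = m.group('code')
    if code is not None:
        n = int(code[2:], 16) if code.upper().startswith('&H') else int(code)
        return chr(n)
    return m.group('lit').replace('""', '"')


def decode_chr_strings(vba: str, min_len: int = 4) -> list:
    """Rebuild strings assembled from Chr() calls and literals joined by & or +."""
    vba = re.sub(r'[ \t]_\r?\n', ' ', vba)   # join VBA line continuations
    found = []
    for line in vba.splitlines():
        run, last_end = '', None
        for m in _TOKEN.finditer(line):
            # A non-glue gap (comma, operator, keyword) starts a new string.
            if last_end is not None and not _GLUE.match(line[last_end:m.start()]):
                if len(run) >= min_len:
                    found.append(run)
                run = ''
            run += _decode(m)
            last_end = m.end()
        if len(run) >= min_len:
            found.append(run)
    return found
```

Running decode_chr_strings(SAMPLE_VBA) on the constructed fragment yields the placeholder URL; the short "abc"/"def" arguments are split correctly because the comma between them is not a concatenation operator.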

If you want more details, I made this video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Ended up blocking Publisher files via custom IPS rules just to be on the safe side. Our org rarely utilizes them. The sad thing is that neither our proxy nor our e-mail gateway listed these as identifiable file types, forcing us down the IPS avenue.
Anonymous
