
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-09-24 InfoSec Handlers Diary Blog



.PUB Analysis

Published: 2016-09-24
Last Updated: 2016-09-24 21:10:00 UTC
by Didier Stevens (Version: 1)

Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.

oledump.py reveals VBA macros in this sample:

The VBA macro contains calls to the Chr function, which builds a string from character codes. This could encode a URL or some other payload:
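As an added example (not from the diary or its sample), here is a small Python decoder for the Chr() concatenation pattern described above, run over a constructed VBA fragment; it also handles ChrW(), quoted literals, simple arithmetic inside Chr() and VBA line continuations, then pulls any URL out of the decoded strings.

```python
import re

# Constructed VBA fragment, standing in for the diary's sample (not the real macro):
# a URL assembled from Chr() calls, string literals, a ChrW() call and arithmetic
# inside Chr(), split over a VBA line continuation (" _").
VBA_SAMPLE = '''
Dim u As String
u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & Chr(47) & Chr(47) & _
    Chr(101) & Chr(120) & "am" & ChrW(112) & Chr(108) & Chr(101) & Chr(44 + 2) & _
    Chr(99) & Chr(111) & Chr(109) & Chr(50 - 3) & Chr(120)
MsgBox "done"
'''

# One element of a VBA concatenation: Chr(expr) / ChrW(expr) or a "literal".
TOKEN = re.compile(r'ChrW?\s*\(\s*([0-9+\- ]+)\s*\)|"((?:[^"]|"")*)"', re.IGNORECASE)

def eval_int_expr(expr):
    """Evaluate the additive arithmetic allowed inside Chr() (e.g. "44 + 2")
    without eval(): only integers joined by + and - are accepted."""
    total = 0
    for sign, num in re.findall(r'([+-]?)\s*(\d+)', expr):
        total += -int(num) if sign == '-' else int(num)
    return total

def join_continuations(source):
    """Merge VBA lines ending in ' _' with the line that follows."""
    return re.sub(r'[ \t]_\s*\r?\n\s*', ' ', source)

def decode_assignments(source):
    """Return {variable: decoded string} for every assignment using Chr()/ChrW()."""
    decoded = {}
    for line in join_continuations(source).splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*(.+)', line)
        if not m or not re.search(r'\bChrW?\s*\(', m.group(2), re.IGNORECASE):
            continue
        text = ''
        for tok in TOKEN.finditer(m.group(2)):
            if tok.group(1) is not None:          # Chr(...) / ChrW(...)
                text += chr(eval_int_expr(tok.group(1)))
            else:                                 # "literal" ("" is an escaped quote)
                text += tok.group(2).replace('""', '"')
        decoded[m.group(1)] = text
    return decoded

def find_urls(decoded):
    """Pull anything that looks like a URL out of the decoded strings."""
    return [u for s in decoded.values() for u in re.findall(r'https?://[^\s"\']+', s)]

if __name__ == '__main__':
    result = decode_assignments(VBA_SAMPLE)
    for var, text in result.items():
        print(f'{var} = {text!r}')
    print('URLs:', find_urls(result))   # → ['http://example.com/x']
```

Feed it the VBA source extracted with oledump.py (the `-v` decompression of the macro stream) to recover strings that a plain `strings` pass over the document would miss.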

If you want more details, I made this video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
