Click HERE to learn more about classes Didier is teaching for SANS

.PUB Analysis

Published: 2016-09-24. Last Updated: 2016-09-24 21:10:00 UTC
by Didier Stevens (Version: 1)
1 comment(s)

Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.

oledump.py reveals VBA macros in this sample:

The VBA macro contains calls to the chr function. This could encode a URL or some other payload:
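To show what an analyst does with such a macro, here is an added Python example (not code from the diary or from oledump.py) that first confirms a file is an OLE compound document, which is why a .pub file can be handled like a .doc, and then rebuilds the strings that a macro assembles from chained chr calls. The VBA fragment and the byte strings are constructed for the example; the Chr/ChrW/&H handling and the concatenation with & follow standard VBA syntax.

```python
import re

# Constructed VBA fragment (not the diary's sample): a URL assembled from Chr() calls.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & Chr(&H2F) & ChrW(47) & "example" & Chr(46) & "invalid"
    Call Download(u)
End Sub
'''

# OLE compound file signature shared by legacy Word, Excel and Publisher files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Chr(65), ChrW(65), Chr$(65), Chr(&H41): decimal or VBA hex argument.
CHR_CALL = re.compile(r'Chr[WB\$]?\s*\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)', re.IGNORECASE)
# Tokens that contribute text to a concatenation: Chr-style calls and "string literals".
TOKEN = re.compile(r'(Chr[WB\$]?\s*\([^)]*\)|"(?:[^"]|"")*")', re.IGNORECASE)


def is_ole_file(data):
    """True if the buffer starts with the OLE/CFB header, i.e. oledump.py can parse it."""
    return data[:8] == OLE_MAGIC


def decode_chr(token):
    """Turn one Chr(...) call into its character; '[?]' marks a non-constant argument."""
    m = CHR_CALL.fullmatch(token)
    if m is None:
        return "[?]"
    arg = m.group(1)
    code = int(arg[2:], 16) if arg.upper().startswith("&H") else int(arg)
    return chr(code)


def decode_expression(expr):
    """Concatenate the string literals and Chr() calls of a VBA expression joined by &."""
    parts = []
    for tok in TOKEN.findall(expr):
        if tok.startswith('"'):
            parts.append(tok[1:-1].replace('""', '"'))  # VBA doubles quotes inside literals
        else:
            parts.append(decode_chr(tok))
    return "".join(parts)


def decode_chr_strings(vba_source, min_len=4):
    """Return the decoded string for every macro line that uses a Chr() call."""
    results = []
    for line in vba_source.splitlines():
        if CHR_CALL.search(line):
            decoded = decode_expression(line)
            if len(decoded) >= min_len:
                results.append(decoded)
    return results


if __name__ == "__main__":
    print(is_ole_file(OLE_MAGIC + b"\x00" * 8))
    for s in decode_chr_strings(SAMPLE_VBA):
        print(s)  # the reconstructed indicator, ready for blocking or hunting
```

Run against macro source extracted with oledump.py's -v option, the decoded strings are the indicators (URLs, file names, process names) to search for in proxy and endpoint logs; anything decoded as "[?]" comes from a variable and needs manual tracing.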

If you want more details, I made this video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


Comments

Ended up blocking Publisher files via custom IPS rules just to be on the safe side. Our org rarely utilizes them. Sad thing is, neither our proxy nor our e-mail gateway listed these as identifiable file types, forcing us down the IPS avenue.
