
SANS ISC: Malware Delivered via '.pub' Files - SANS Internet Storm Center


Malware Delivered via '.pub' Files

While searching for new scenarios to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0), but it is still alive and included in the newest Office suite. Not surprisingly, it also supports macros.

By using .pub files, attackers gain an advantage on several fronts: potential victims don't know the extension ".pub" (which can be interpreted as "public" or "publicity" and makes the document look less suspicious), and spam filters do not block this file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze dynamically!
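Publisher files are OLE compound files (CFB), the same container used by legacy Word and Excel formats, so a macro-capable document can be triaged without Publisher installed by walking the file's directory tree and looking for the VBA project entries. The example below is added here and is not the diary author's code: it parses the CFB header, FAT and directory with nothing but `struct`, flags the MS-OVBA `VBA` storage and `_VBA_PROJECT` stream, and runs against two constructed minimal CFB blobs rather than the VirusTotal sample.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
VBA_MARKERS = {"vba", "_vba_project"}  # MS-OVBA: a VBA project has a "VBA" storage with a "_VBA_PROJECT" stream

def ole_entry_names(data: bytes) -> list:
    # Walk the CFB directory chain and return every storage/stream name in it
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []  # flattened FAT built from the 109 DIFAT slots in the header (enough for small files)
    for sid in struct.unpack_from("<109I", data, 76):
        if sid > MAXREGSECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sid + 1) * sector_size))
    names, sid, seen = [], first_dir, set()
    while sid <= MAXREGSECT and sid not in seen:  # stop on ENDOFCHAIN or a looping FAT
        seen.add(sid)
        base = (sid + 1) * sector_size
        for off in range(base, base + sector_size, 128):  # 128-byte directory entries
            name_len, etype = struct.unpack_from("<HB", data, off + 64)
            if etype != 0 and 2 <= name_len <= 64:  # type 0 = unused; length counts the UTF-16 NUL
                names.append(data[off:off + name_len - 2].decode("utf-16-le"))
        sid = fat[sid] if sid < len(fat) else ENDOFCHAIN
    return names

def has_vba_project(data: bytes) -> bool:
    # True when the directory tree names a VBA project storage or stream
    return any(n.lower() in VBA_MARKERS for n in ole_entry_names(data))

def _dir_entry(name: str, etype: int) -> bytes:
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw  # name, then length/type/colour and NOSTREAM sibling and child ids
    struct.pack_into("<HBB3I", entry, 64, len(raw), etype, 1, FREESECT, FREESECT, FREESECT)
    return bytes(entry)

def build_sample_ole(entries) -> bytes:
    # Constructed minimal CFB (header, one FAT sector, one directory sector); not a real .pub file
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # version 3, 512-byte sectors
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # dir = sector 1
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = b"".join(_dir_entry(n, t) for n, t in entries).ljust(512, b"\x00")
    return bytes(hdr) + fat + directory

# Constructed samples: a macro-free container and one carrying a VBA project
CLEAN = build_sample_ole([("Root Entry", 5), ("Contents", 2)])
MACRO = build_sample_ole([("Root Entry", 5), ("VBA", 1), ("_VBA_PROJECT", 2), ("ThisDocument", 2)])
```

On a real sample, read the file as bytes and pass it to `has_vba_project`; a hit only tells you a VBA project is present, so the module streams still need to be extracted and inspected.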

A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55).

Stay safe!

[1] https://isc.sans.edu/forums/diary/Voice+Message+Notifications+Deliver+Ransomware/21397/
[2] https://isc.sans.edu/forums/diary/Todays+Locky+Variant+Arrives+as+a+Windows+Script+File/21423/
[3] https://products.office.com/en/publisher
[4] https://www.virustotal.com/en/file/24441d0573c255852f28e558001883a00bc2f18816f48653d63429065d1f37fd/analysis/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

See https://myonlinesecurity.co.uk/exxonmobile-introduction-letter-malspam-with-macro-enabled-microsoft-publisher-files-distribute-malware/ and https://myonlinesecurity.co.uk/is-it-an-apt-or-just-another-everyday-malware-attack/
Another version https://www.virustotal.com/en/file/f04fdcd91d2a2f7df019ff67a9e56c2b545b305a1781680f49162c5dfc9fd405/analysis/1473138119/
Here is also my analysis of some .pub files that were spreading in the region.
http://moradlabs.blogspot.com/2016/09/the-case-of-malicious-pub-file.html
