|
Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files. oledump.py reveals VBA macros in this sample:
The VBA macro contains calls to the chr function. This could encode a URL or some other payload:
If you want more details, I made this video. Didier Stevens |
DidierStevens 640 Posts ISC Handler Sep 24th 2016 |
| Thread locked Subscribe |
Sep 24th 2016 5 years ago |
|
Ended up blocking publisher files VIA custom IPS rules just to be on the safe side. ORG rarely utilizes them. Sad thing is our proxy NOR our E-mail gateway listed these as identifiable file types. Forcing us down the IPS avenue.
|
Anonymous |
| Quote |
Sep 25th 2016 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
