.PUB Analysis

Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.

oledump.py reveals VBA macros in this sample:

The VBA macro contains calls to the chr function. This could encode a URL or some other payload:

If you want more details, I made this video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


677 Posts
ISC Handler
Sep 24th 2016
Ended up blocking publisher files VIA custom IPS rules just to be on the safe side. ORG rarely utilizes them. Sad thing is our proxy NOR our E-mail gateway listed these as identifiable file types. Forcing us down the IPS avenue.

Sign Up for Free or Log In to start participating in the conversation!