Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.

oledump.py reveals VBA macros in this sample:

The VBA macro contains calls to the chr function. This could encode a URL or some other payload:

If you want more details, I made this video.

Didier Stevens, ISC Handler
Sep 24th 2016
Ended up blocking Publisher files via custom IPS rules just to be on the safe side. Our org rarely utilizes them. Sad thing is neither our proxy nor our e-mail gateway listed these as identifiable file types, forcing us down the IPS avenue.
Anonymous
Sep 25th 2016