Malware Delivered via '.pub' Files

Published: 2016-09-05
Last Updated: 2016-09-05 15:01:00 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

While searching for new scenarios to deliver their malwares[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0) but it is still alive and included in the newest Office suite. It is not surprising that it support also macros. 

By using .pub files, attackers make one step forward because potential victims don't know the extension ".pub" (which can be interpreted as "public" or "publicity" and make the document less suspicious), Spam filters do not block this type of file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze!

A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55).

Stay safe!

[1] https://isc.sans.edu/forums/diary/Voice+Message+Notifications+Deliver+Ransomware/21397/
[2] https://isc.sans.edu/forums/diary/Todays+Locky+Variant+Arrives+as+a+Windows+Script+File/21423/
[3] https://products.office.com/en/publisher
[4] https://www.virustotal.com/en/file/24441d0573c255852f28e558001883a00bc2f18816f48653d63429065d1f37fd/analysis/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

3 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives