SANS ISC: .PUB Analysis - SANS Internet Storm Center SANS ISC InfoSec Forums

.PUB Analysis

Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files. reveals VBA macros in this sample:

The VBA macro contains calls to the chr function. This could encode a URL or some other payload:
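The following is an added example, not code from the diary or from any tool the author uses. It shows the analysis step described above: given VBA source extracted from an Office or Publisher file, locate runs of Chr() calls concatenated with & or + and reassemble the string they build, so that a hidden URL or object name becomes readable. The macro text, the example.com URL and the helper names are constructed for the demonstration.

```python
import re
from typing import List

# Constructed sample VBA (not the diary's sample); the Chr() runs decode to a
# benign example.com URL and the string "WScript".
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & _
        Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & _
        Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(116) & Chr(46) & _
        Chr(101) & Chr(120) & Chr(101)
    Dim s As String
    s = Chr(87) + Chr(83) + Chr(99) + Chr(114) + Chr(105) + Chr(112) + Chr(116)
    MsgBox s
End Sub
'''

# VBA line continuation: optional spaces, underscore, optional spaces, newline.
LINE_CONT = re.compile(r'[ \t]*_[ \t]*\r?\n')
# One Chr / ChrW / Chr$ call with a decimal argument.
CHR_CALL = re.compile(r'Chr[W$]?\s*\(\s*(\d+)\s*\)', re.IGNORECASE)
# Two or more Chr calls in a row, joined by & or + (or just whitespace).
CHR_RUN = re.compile(r'(?:Chr[W$]?\s*\(\s*\d+\s*\)\s*[&+]?\s*){2,}', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def decode_chr_runs(vba_source: str, min_len: int = 4) -> List[str]:
    """Return the strings built by concatenated Chr() calls in the VBA source.

    Runs shorter than min_len characters are dropped to reduce noise from
    legitimate single-character uses such as Chr(13) & Chr(10).
    """
    joined = LINE_CONT.sub(' ', vba_source)   # glue continued lines first
    decoded = []
    for run in CHR_RUN.finditer(joined):
        codes = [int(c) for c in CHR_CALL.findall(run.group(0))]
        text = ''.join(chr(c) for c in codes)
        if len(text) >= min_len:
            decoded.append(text)
    return decoded


def extract_urls(strings: List[str]) -> List[str]:
    """Pull URL-looking indicators out of the decoded strings."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


if __name__ == '__main__':
    found = decode_chr_runs(SAMPLE_VBA)
    for s in found:
        print('decoded:', s)
    for u in extract_urls(found):
        print('url    :', u)
```

Feed it the VBA source you dumped from the OLE container (the same extraction you would do for a malicious Word file); anything it prints is a candidate indicator to check against your proxy and mail gateway logs. A Chr() run that decodes to a URL, a file extension or an object name such as WScript is a strong signal the macro is a downloader, without ever executing it.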

If you want more details, I made this video.

Didier Stevens
Microsoft MVP Consumer Security


652 Posts
ISC Handler
Sep 24th 2016
Ended up blocking Publisher files via custom IPS rules just to be on the safe side. Org rarely utilizes them. Sad thing is neither our proxy nor our e-mail gateway listed these as identifiable file types, forcing us down the IPS avenue.
