Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.
oledump.py reveals VBA macros in this sample:
The VBA macro contains calls to the chr function. This could encode a URL or some other payload:
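As an added example (not code from this diary and not part of oledump.py), the Python below statically rebuilds strings that a macro assembles from Chr calls and string literals, without running the macro. The names `decode_chr_strings` and `url_like` and the sample macro source are constructed for illustration.

```python
import re

_NUM = r"(?:&H[0-9A-Fa-f]+|\d+)"
# Chr, Chr$, ChrW, ChrB with a constant argument: integers joined by + or -
_CHR = rf"\bChr[WB]?\$?\(\s*{_NUM}(?:\s*[-+]\s*{_NUM})*\s*\)"
_LIT = r'"(?:[^"\r\n]|"")*"'          # VBA string literal, "" is an escaped quote
_TERM = re.compile(rf"{_CHR}|{_LIT}", re.I)
# A run of terms joined by the VBA concatenation operators & or +
_EXPR = re.compile(rf"(?:{_CHR}|{_LIT})(?:\s*[&+]\s*(?:{_CHR}|{_LIT}))*", re.I)

def _decode_term(term):
    if term.startswith('"'):
        return term[1:-1].replace('""', '"')
    total = 0
    arg = term[term.index("(") + 1:-1]
    for sign, num in re.findall(rf"([-+]?)\s*({_NUM})", arg, re.I):
        value = int(num[2:], 16) if num[:2].upper() == "&H" else int(num)
        total += -value if sign == "-" else value
    # Assumption: codes are treated as Unicode code points (same as Chr for ASCII)
    return chr(total) if 0 <= total <= 0x10FFFF else "?"

def decode_chr_strings(vba_source):
    """Statically rebuild strings assembled from Chr() calls; the macro is never run."""
    source = re.sub(r"[ \t]+_\r?\n[ \t]*", " ", vba_source)  # join " _" continued lines
    decoded = []
    for expr in _EXPR.finditer(source):
        terms = [m.group(0) for m in _TERM.finditer(expr.group(0))]
        if any(not t.startswith('"') for t in terms):      # skip plain literals
            decoded.append("".join(_decode_term(t) for t in terms))
    return decoded

def url_like(strings):
    """Pick out decoded strings that start with a URL scheme."""
    return [s for s in strings if re.match(r"(?i)(?:https?|ftp)://", s)]

# Constructed sample macro source, in the form oledump.py prints it; not the analysed file
SAMPLE_VBA = '''Sub Document_Open()
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://" & _
        Chr(&H65) & Chr(120) & Chr(97) & Chr(109) & "ple.invalid/" & Chr(100 + 2) & ".bin"
    p = Chr$(116) + Chr$(109) + Chr$(112)
End Sub
'''

if __name__ == "__main__":
    found = decode_chr_strings(SAMPLE_VBA)
    for s in found:
        print(("URL   " if s in url_like(found) else "other ") + repr(s))
```

Strings split across variables or built in loops are not joined by this decoder; each constant run is reported separately.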
If you want more details, I made this video.
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com