
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-08-25



Microsoft Publisher malware: static analysis

Published: 2018-08-25
Last Updated: 2018-08-25 23:17:25 UTC
by Didier Stevens (Version: 1)

I want to illustrate how to perform a static analysis of the malicious Publisher file Xavier analyzed yesterday.

Publisher files can contain macros, just like Word and Excel files, and oledump.py can extract macros from Publisher files too.

Several strings are hidden in UserForm1, for example the type of object to create and the URL.

Streams 13 through 19 contain data for UserForm1, such as tag values.
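To show the kind of check a triager would run on those UserForm1 streams, here is an added example that is not from the diary or from oledump.py itself: it pulls printable ASCII and UTF-16LE runs (form control properties can be stored either way) out of a stream dump and flags the two string types the diary mentions, a ProgID-style object name and a URL. The stream bytes, the object name and the URL are constructed for this example, not values from the real sample.

```python
import re

# Constructed sample: bytes shaped like a UserForm control-property stream in which
# a Tag value is stored as ASCII and another as UTF-16LE. Not taken from the real maldoc.
SAMPLE_STREAM = (
    b"\x00\x0c\x00\x00\x02\x00\x00\x00"
    + b"Example.Object\x00\x00"                                # constructed ProgID-style tag
    + b"\x00\x00\x1a\x00\x00\x00"
    + "hxxp://example.invalid/stage2".encode("utf-16-le")       # constructed, defanged URL
    + b"\x00\x00\x00\x00"
)

# Heuristics for the two string kinds hidden in the form: an object type to create and a URL.
URL_RE = re.compile(r"^[a-z]{3,5}://\S+$", re.IGNORECASE)
PROGID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*(?:\.[A-Za-z0-9]+)+$")


def extract_strings(data: bytes, min_len: int = 4):
    """Return sorted (offset, encoding, text) tuples for printable ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(text: str) -> str:
    """Label a recovered string as 'url', 'progid' or 'other'."""
    if URL_RE.match(text):
        return "url"
    if PROGID_RE.match(text):
        return "progid"
    return "other"


def triage_stream(data: bytes, min_len: int = 4):
    """Strings from one stream, each tagged with its offset, encoding and kind."""
    return [(off, enc, classify(text), text) for off, enc, text in extract_strings(data, min_len)]


if __name__ == "__main__":
    for off, enc, kind, text in triage_stream(SAMPLE_STREAM):
        print(f"0x{off:04x} {enc:8} {kind:6} {text}")
```

With a real file, feed each UserForm stream dumped by oledump.py (its -d option writes raw stream bytes) through triage_stream and look at the url and progid hits together with the VBA code that reads the form's tags.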


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc publisher