The Internet Storm Center and other security sites are warning of new dangers from “*.PUB” files, in case that extension needs to be added to the blocked extension lists for email filtering of incoming items.

https://isc.sans.edu/forums/diary/Malware+Delivered+via+pub+Files/21443/

https://myonlinesecurity.co.uk/is-it-an-apt-or-just-another-everyday-malware-attack/

https://myonlinesecurity.co.uk/exxonmobile-introduction-letter-malspam-with-macro-enabled-microsoft-publisher-files-distribute-malware/

My view is, if we can block the delivery mechanism, it really doesn’t matter what the end result malware is. If it cannot get to the computer, the “victim” is safe. The usual macro delivery method is Word or Excel, where the bad guys get the most bang for their buck.

While searching for new scenarios to deliver their malware, attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0), but it is still alive and included in the newest Office suite. It is not surprising that it also supports macros.

By using .pub files, attackers take one step forward because potential victims don’t know the extension “.pub” (which can be interpreted as “public” or “publicity” and makes the document less suspicious). Spam filters do not block this type of file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze!
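As an added example (not from the post or the linked diaries), here is a small mail-gateway style check that flags .pub attachments by extension, including double extensions such as "letter.pub.txt", and also flags OLE2 compound-file payloads carrying an unexpected extension. It assumes that Publisher files, like the legacy Office binary formats, use the OLE2 container header; the sample message and filenames are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# OLE2 / Compound File Binary header (assumption: .pub files, like .doc/.xls, use it)
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
BLOCKED_EXTENSIONS = {".pub"}
# Extensions for which an OLE2 payload is expected (assumed set, extend to taste)
OLE2_EXTENSIONS = {".pub", ".doc", ".xls", ".ppt", ".msg"}


def attachment_findings(raw_message: bytes) -> list:
    """Return one finding per suspicious attachment in a raw RFC 5322 message.

    A finding is raised when any suffix of the (lowercased) filename is on the
    blocked list, or when the payload starts with the OLE2 magic but carries
    no extension normally associated with an OLE2 container.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        suffixes = {"." + s for s in name.split(".")[1:]}  # all suffixes, not just the last
        is_ole2 = payload.startswith(OLE2_MAGIC)
        if suffixes & BLOCKED_EXTENSIONS:
            findings.append({"filename": name, "reason": "blocked extension", "ole2": is_ole2})
        elif is_ole2 and not (suffixes & OLE2_EXTENSIONS):
            findings.append({"filename": name, "reason": "ole2 payload with unexpected extension", "ole2": True})
    return findings


def build_sample() -> bytes:
    """Constructed sample: a benign PDF, a Publisher file, and an OLE2 blob named .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Introduction letter"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="brochure.pdf")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 16, maintype="application", subtype="octet-stream", filename="Letter.PUB")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 16, maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in attachment_findings(build_sample()):
        print(finding)
```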