It's very unusual for malware authors to utilize publishing software like Microsoft Publisher which is mainly used for fancy documents and desktop publishing tasks.
So when we saw an email sample with a .pub attachment (Microsoft Office Publisher file) and the subject "Payment Advice", our suspicions were aroused. Surely this file would not be delivering anything useful to the user.
Opening the .pub file will prompt you to Enable Macros. Earlier versions of Microsoft Publisher may display instructions to "Enable Editing" and "Enable Content" .
Manually opening the VBA Editor in Microsoft Publisher and clicking ThisDocument under Project Explorer reveals the VBScript. The macro script is triggered with the function Document_Open(). As the name implies, when the file is opened, the script will access a URL and execute a downloaded file.
The code uses control objects in the forms to hide the URL it will access. It's located in the Tag Property if we examine the properties closely.
By the time we examined the sample, the URL was not accessible anymore, but a little further research indicated this URL was used for downloading a self-extracting archive, which contained the FlawedAmmyy RAT, a backdoor tool that attackers use to control your machine unknowingly. A quick analysis in our Cuckoo system confirmed that the backdoor accessed a certain IP related to FlawedAmmyy.
Machine information like "id", "os", "names" and credentials is then sent to the attacker:
As mentioned above, this campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past (see here and here). Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.
Indicators of Compromise(IOCs)
File from URL(hxxp://f79q.com/aa1):
Unpacked file (FlawwedAmmy RAT)