It's very unusual for malware authors to utilize publishing software like Microsoft Publisher which is mainly used for fancy documents and desktop publishing tasks.
So when we saw an email sample with a .pub attachment (Microsoft Office Publisher file) and the subject "Payment Advice", our suspicions were aroused. Surely this file would not be delivering anything useful to the user.
Opening the .pub file will prompt you to Enable Macros. Earlier versions of Microsoft Publisher may display instructions to "Enable Editing" and "Enable Content" .
Manually opening the VBA Editor in Microsoft Publisher and clicking ThisDocument under Project Explorer reveals the VBScript. The macro script is triggered with the function Document_Open(). As the name implies, when the file is opened, the script will access a URL and execute a downloaded file.
The code uses control objects in the forms to hide the URL it will access. It's located in the Tag Property if we examine the properties closely.
By the time we examined the sample, the URL was not accessible anymore, but a little further research indicated this URL was used for downloading a self-extracting archive, which contained the FlawedAmmyy RAT, a backdoor tool that attackers use to control your machine unknowingly. A quick analysis in our Cuckoo system confirmed that the backdoor accessed a certain IP related to FlawedAmmyy.
Machine information like "id", "os", "names" and credentials is then sent to the attacker:
As mentioned above, this campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past. Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.
Indicators of Compromise(IOCs)
PUB File:
MD5 5fdeaa5e62fabc9933352efe016f1565
SHA1 7141932617f4718521bda0a960a036114769872d
File from URL(hxxp://f79q.com/aa1):
MD5 be6a53fbee5529a1cdbdd4345c191dfa
SHA1 985b44e7280b0293d08982c466d95ed86452fb73
Unpacked file (FlawwedAmmy RAT)
MD5 bacd1120ad0918b81d98de9b9acb69ce
SHA1 b65c2fc63ff2db8ed69ec7e856702f85f5af319e