Over at the Internet Storm Center diary, Xavier wrote a diary entry about malicious documents that are now using Publisher file formats. Now, this is just an OLE file with macros, so I obtained a sample and I will show you how you can analyze it; it's just like any other malicious document with macros, Word or Excel for example.

So these are the streams, and you can see there is one stream here with VBA macros. Let's look into that stream: select stream 13, decompress, and here is the macro code. It looks like there is quite some code in here, and here we have Chr codes. So this might build up a URL or something like that. We have several of them; let's grep for Chr. We have quite a bit of them, so let's convert this to a string.

First of all I need to replace the addition here, this expression, by its value, so the sum. I'm going to use my translate program for that. Let me pipe this into translate, and I'm going to specify a regular expression: a series of digits, a space, a plus character, a space, and again a series of digits. Then I can give my Python function, which receives the match object from the regular expression. Let's just say that we will replace this with the letter X, just as an example, to see an intermediate result like this. You can see all the numbers here: the additions have been correctly matched and replaced with an X. Of course we don't want the X, we want to replace it with the value of that expression, the sum. So let's do this. I have the matched string in m.group(0). It's an expression which is also a valid Python expression, so I will evaluate it, and this will give me an integer which is the sum of those two numbers. But I don't need an integer here, I need a string, so I'm going to convert that integer to a string like this. And now here you have the Chrs with the number which is the sum. Now I'm going to convert those numbers to a string.
I'm going to use my numbers-to-string function. And now we can already recognize something: cmd.exe. So we just need to join this. You can do this with option -j, join, like this. And here we have the command. When analyzing this you can see cmd.exe that uses the BITS system to transfer a file, so actually to download a file. This is the source here, this is the URL. Here is the location where the file will be saved; it will be saved as a GIF file. Then it will be opened, and then here an exit. Now I did download this, and it is indeed an executable. I have to do some further research on why it is actually saved as a GIF file, because when you open a GIF file, even when it is an executable, it is not the executable that will run: the default program to view GIF files will be started and the file will be passed to that.
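The three steps above (evaluate the additions, pull out the Chr numbers, turn them into a string and join) done in one stand-alone Python script. This is an added example, not code from the video or from the translate and numbers-to-string tools it uses. The macro text is constructed for the example and decodes to cmd.exe, the string recognized in the video; the regular expression is the one described (digits, plus, digits), but the sum is computed from the two captured operands instead of evaluating the matched text with eval, and the replacement loops until nothing changes so that chained additions such as 1 + 2 + 3 are also reduced.

```python
import re

# Constructed sample macro in the style described above: each character
# is produced by Chr() with an addition as its argument.
SAMPLE_MACRO = (
    "Dim s As String\n"
    "s = Chr(50 + 49) & Chr(100 + 9) & Chr(99 + 1) & Chr(40 + 6)"
    " & Chr(100 + 1) & Chr(110 + 10) & Chr(100 + 1)\n"
    "Shell s\n"
)

# Step 1 regex: a series of digits, a plus sign, a series of digits.
ADDITION = re.compile(r"(\d+)\s*\+\s*(\d+)")

# Step 2 regex: the numeric argument of each Chr() call.
CHR_CALL = re.compile(r"Chr\((\d+)\)")


def evaluate_additions(text: str) -> str:
    """Replace every 'a + b' with its sum, repeating until no addition is left."""
    previous = None
    while previous != text:
        previous = text
        # The match object gives us both operands; summing them directly
        # avoids handing attacker-controlled text to eval().
        text = ADDITION.sub(
            lambda m: str(int(m.group(1)) + int(m.group(2))), text
        )
    return text


def chr_numbers(text: str) -> list:
    """Collect the integer arguments of all Chr() calls, in order."""
    return [int(n) for n in CHR_CALL.findall(text)]


def numbers_to_string(numbers: list) -> str:
    """Convert a list of character codes to a string and join them."""
    return "".join(chr(n) for n in numbers)


def decode_macro(text: str) -> str:
    """Run the full pipeline: sums, then Chr numbers, then the joined string."""
    return numbers_to_string(chr_numbers(evaluate_additions(text)))


if __name__ == "__main__":
    print(evaluate_additions(SAMPLE_MACRO))  # intermediate result with sums
    print(decode_macro(SAMPLE_MACRO))        # the reconstructed string
```

Run it on a dumped macro stream instead of SAMPLE_MACRO to get the same intermediate and final results the video produces with translate and numbers-to-string; anything that is not a Chr() call is simply ignored, so junk code between the calls does not matter.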