Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.

oledump.py reveals VBA macros in this sample.

The VBA macro contains calls to the chr function. This could encode a URL or some other payload.
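One way to resolve such chr calls statically, without running the macro, is to replace every constant call with the character it produces and merge the resulting string literals. The script below is an added example, not code from the diary or from oledump.py; the function names and the sample macro are constructed for illustration, and it assumes the VBA source is already available as text (for example, a macro stream decompressed with oledump.py).

```python
import re

# Chr(104), Chr$(104), ChrW(&H70), ChrB(104) and constant arithmetic such as Chr(40 + 6)
CHR_CALL = re.compile(r'\bChr[WB]?\$?[ \t]*\(([^()]+)\)', re.IGNORECASE)
TERM = re.compile(r'\s*([+-]?)\s*(&H[0-9A-F]+|&O[0-7]+|\d+)&?\s*', re.IGNORECASE)
JOIN = re.compile(r'"[ \t]*[&+][ \t]*"')   # closing quote, operator, opening quote
LITERAL = re.compile(r'"((?:[^"\r\n]|"")*)"')


def vba_int(expr):
    """Sum of +/- separated decimal, &H or &O literals; None for anything else."""
    total, pos = 0, 0
    while pos < len(expr):
        m = TERM.match(expr, pos)
        if not m or (pos > 0 and not m.group(1)):
            return None   # variables, Xor, nested calls: left for manual review
        lit = m.group(2).upper()
        base = 16 if lit.startswith('&H') else 8 if lit.startswith('&O') else 10
        value = int(lit if base == 10 else lit[2:], base)
        total += -value if m.group(1) == '-' else value
        pos = m.end()
    return total


def decode_chr(source):
    """Replace constant Chr() calls by string literals and merge adjacent literals."""
    def repl(m):
        code = vba_int(m.group(1))
        # Control characters stay as calls so lines remain intact; codes above 127 are
        # mapped as Unicode code points (assumption: the payload is plain ASCII)
        if code is None or not 32 <= code <= 0xFFFF:
            return m.group(0)
        return '"' + chr(code).replace('"', '""') + '"'
    return JOIN.sub('', CHR_CALL.sub(repl, source))


def string_literals(source):
    """String literals of the decoded source, for review of URLs, paths and commands."""
    return [s.replace('""', '"') for s in LITERAL.findall(decode_chr(source))]


# Constructed sample, not the macro from the campaign described above
SAMPLE_VBA = '''Sub Document_Open()
    u = Chr(104) & Chr(116) & Chr$(116) & ChrW(&H70) & "://example" & Chr(40 + 6) & "invalid/a"
    k = Chr(n Xor 3) & Chr(13)
End Sub'''

if __name__ == '__main__':
    print(decode_chr(SAMPLE_VBA))
    print(string_literals(SAMPLE_VBA))
```

Calls whose argument is not a constant, such as `Chr(n Xor 3)`, are left unchanged, so whatever remains in the output marks the places where the macro computes characters at run time.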

If you want more details, I made this video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.