From 73ab130674201e8c833f54cff3ff750357ae86a2 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Tue, 6 Sep 2016 11:15:14 +0200
Subject: [PATCH 1/2] Office publisher package :)
---
 analyzer/windows/modules/packages/pub.py | 55 ++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 analyzer/windows/modules/packages/pub.py
diff --git a/analyzer/windows/modules/packages/pub.py b/analyzer/windows/modules/packages/pub.py
new file mode 100644
index 000000000..9b9f95a87
--- /dev/null
+++ b/analyzer/windows/modules/packages/pub.py
@@ -0,0 +1,55 @@
+# Copyright (C) 2010-2015 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+from lib.common.abstracts import Package
+
+from _winreg import (OpenKey, CreateKeyEx, SetValueEx, CloseKey, QueryInfoKey, EnumKey,
+                     EnumValue, HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, KEY_SET_VALUE, KEY_READ,
+                     REG_SZ, REG_DWORD)
+
+class PUB(Package):
+    """Word analysis package."""
+    PATHS = [
+        ("ProgramFiles", "Microsoft Office", "MSPUB.EXE"),
+        ("ProgramFiles", "Microsoft Office", "Office*", "MSPUB.EXE"),
+        ("ProgramFiles", "Microsoft Office*", "root", "Office*", "MSPUB.EXE"),
+        ("ProgramFiles", "Microsoft Office", "MSPUB.EXE"),
+    ]
+
+    def set_keys(self):
+
+        baseOfficeKeyPath = r"Software\Microsoft\Office"
+        installedVersions = list()
+        try:
+            officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
+            for currentKey in xrange(0, QueryInfoKey(officeKey)[0]):
+                isVersion = True
+                officeVersion = EnumKey(officeKey, currentKey)
+                if "." in officeVersion:
+                    for intCheck in officeVersion.split("."):
+                        if not intCheck.isdigit():
+                            isVersion = False
+                            break
+
+                    if isVersion:
+                        installedVersions.append(officeVersion)
+            CloseKey(officeKey)
+        except WindowsError:
+            # Office isn't installed at all
+            return
+
+        for oVersion in installedVersions:
+            key = CreateKeyEx(HKEY_CURRENT_USER,
+                              r"{0}\{1}\Publisher\Security".format(baseOfficeKeyPath, oVersion),
+                              0, KEY_SET_VALUE)
+
+            SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1)
+            SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1)
+            SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0)
+            CloseKey(key)
+
+    def start(self, path):
+        self.set_keys()
+        publisher = self.get_path_glob("Microsoft Office Publisher")
+        return self.execute(publisher, "\"%s\"" % path, path)
From 10fbf6e52e833916b79021be175a5584c2dffa07 Mon Sep 17 00:00:00 2001
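Review bot: In set_keys the `except WindowsError` wraps the whole enumeration loop, so a failure from QueryInfoKey or EnumKey on a present-but-unusual Office key is reported as "Office isn't installed" and returns silently, and because `CloseKey(officeKey)` sits inside the try the handle is never released on that path; open the key in its own try/except and close it in a finally. The docstring `"""Word analysis package."""` looks carried over from the DOC package and should read `"""Publisher analysis package."""`, the first and fourth PATHS entries are identical, and EnumValue, HKEY_LOCAL_MACHINE and REG_SZ are imported but unused in this file. The three SetValueEx writes deliberately relax Publisher's macro security inside the analysis guest so a sample's VBA can run; that intent should be stated in a comment such as `# Analysis-VM only: let macros run unprompted so the sample executes`.
```python
    def set_keys(self):
        """Relax Publisher macro security under HKCU for every installed Office version."""
        baseOfficeKeyPath = r"Software\Microsoft\Office"
        installedVersions = list()
        try:
            officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
        except WindowsError:
            # Office isn't installed at all
            return
        try:
            for currentKey in xrange(0, QueryInfoKey(officeKey)[0]):
                # … unchanged: dotted-version check and installedVersions.append …
        finally:
            CloseKey(officeKey)
        # … unchanged: per-version CreateKeyEx / SetValueEx / CloseKey loop …
```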
From: doomedraven
Date: Tue, 6 Sep 2016 12:02:03 +0200
Subject: [PATCH 2/2] recon pub ext
---
 analyzer/windows/lib/core/packages.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/analyzer/windows/lib/core/packages.py b/analyzer/windows/lib/core/packages.py
index 349b1e6be..11e92452a 100644
--- a/analyzer/windows/lib/core/packages.py
+++ b/analyzer/windows/lib/core/packages.py
@@ -26,6 +26,8 @@ def choose_package(file_type, file_name, exports):
         return "exe"
     elif "PDF" in file_type or file_name.endswith(".pdf"):
         return "pdf"
+    elif file_name.endswith(".pub"):
+        return "pub"
     elif "Rich Text Format" in file_type or \
          "Microsoft Word" in file_type or \
          "Microsoft Office Word" in file_type or \
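Review bot: The new `.pub` branch keys on the file name alone, whereas the neighbouring PDF and Word branches also match on `file_type`; a Publisher document submitted under another extension, or with none, falls through to the later branches and may be opened by the wrong application. If the analyzer's file-type string for Publisher documents is known, add it in the same form, e.g. `elif "<publisher file_type marker>" in file_type or file_name.endswith(".pub"):`, with the marker taken from the magic output rather than guessed. choose_package starts before and continues after this hunk.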