Opalsec


OneNote emerges as the latest maldoc format of choice


The revolving door of maldocs continues, with OneNote documents the latest format seen abused in the wild.

The collaborative file format has been leveraged in a limited number of campaigns to deliver malware, with AsyncRAT and XWorm among the malware families seen distributed this way.

A bit of background

While actors can’t embed VBA macros in OneNote files as they can in Word and Excel documents, the format offers an attacker a number of other advantages:

  • OneNote files are not affected by Protected View or Mark-of-the-Web;
  • Malicious Excel/Word/PowerPoint files can be embedded and will open without Protected View;
  • HTA, LNK and EXE files can be embedded, with spoofed extensions;
  • The document can be formatted to trick users into opening an embedded malicious file or link;
  • Document creation can be automated using OneNote.Application and XML.

Analysis Tips

Didier Stevens has shared this write-up of how he extracted an executable embedded in a OneNote file, along with a new Python script (still in beta) he created to help with the task.

If you’ve got more time to spare to watch a video, Josh Stroschein has shared this walkthrough of a OneNote file he picked apart:

Tools for Analysis

A few tools have been flagged by the community, which can help in analysing OneNote files:

  1. One-Extract by Volexity
  2. OneNoteAnalyzer
  3. OneDump.py by Didier Stevens
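The carving step Didier’s write-up describes, as an added example that is not from the post or from any of the tools listed above: a small Python triage script that walks the FileDataStoreObject records in a .one file (layout per MS-ONESTORE), reports each embedded file’s size, type guess and SHA-256, and flags records whose declared length runs past end-of-file or whose footer marker is missing. The sample .one bytes it parses are constructed inline.

```python
import hashlib
import struct

# MS-ONESTORE FileDataStoreObject markers in their on-disk (little-endian GUID) byte order
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
# Layout: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData(cbLength) guidFooter(16)
DATA_OFFSET = 16 + 8 + 4 + 8

MAGICS = [(b"MZ", "PE executable"), (b"PK\x03\x04", "ZIP/OOXML"),
          (b"\xd0\xcf\x11\xe0", "OLE compound (doc/xls)"),
          (b"L\x00\x00\x00\x01\x14\x02\x00", "LNK shortcut")]


def classify(blob: bytes) -> str:
    """Best-effort type from leading bytes; HTA/HTML scripts are spotted by a text heuristic."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    head = blob[:2048].lower()
    return "HTML/HTA script" if b"<hta:application" in head or b"<script" in head else "unknown"


def extract_embedded_files(data: bytes) -> list[dict]:
    """Carve every FileDataStoreObject out of a .one image and summarise it for triage."""
    results, pos = [], data.find(FILE_DATA_HEADER)
    while pos != -1 and pos + DATA_OFFSET <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + DATA_OFFSET
        blob = data[start:start + length]
        results.append({
            "offset": pos, "size": length, "kind": classify(blob),
            "truncated": len(blob) < length,  # declared length runs past end of file
            "footer_ok": data[start + length:start + length + 16] == FILE_DATA_FOOTER,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos = data.find(FILE_DATA_HEADER, pos + 16)
    return results


def build_sample() -> bytes:
    """Constructed stand-in for a .one file: real file-header GUID, filler, one embedded fake PE."""
    payload = b"MZ" + b"\x90" * 62 + b"constructed fake PE for testing"
    obj = FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FILE_DATA_FOOTER
    one_header = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
    return one_header + b"\x00" * 64 + obj + b"\x00" * 32
```

On a real sample, call `extract_embedded_files(open(path, "rb").read())` and write out any blob whose `kind` or hash warrants a closer look; a record with `truncated` or a bad footer is worth a manual check rather than a discard, since a crafted file may be deliberately malformed.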

Detection Rules

  1. YARA
  2. Sigma
