OneNote documents have emerged as a new malware infection vector

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.


In February 2022, Microsoft disabled VBA macros on documents because of their frequent use as a malware distribution method. This move prompted malware authors to seek out new ways to distribute their payloads, resulting in an increase in the use of other infection vectors, such as password-encrypted zip files and ISO files.

OneNote documents have emerged as a new infection vector. They contain malicious code that executes when the user interacts with the document. Emotet and Qakbot, among other high-end stealers and crypters, are known malware threats that use OneNote attachments.

Researchers are currently developing new tools and analysis strategies to detect and prevent these OneNote attachments from being used as a vehicle for infection. This article highlights this new development and discusses the techniques that malicious actors use to compromise a system.

Attack chain

With the disablement of VBA macros, threat actors have turned to OneNote attachments as a new way to install malware on an endpoint. OneNote attachments can contain embedded file formats, such as HTML, ISO, and JScript, which malicious actors can exploit. OneNote attachments are particularly appealing to attackers because they are interactive and designed to be added to and interacted with, rather than just viewed. This makes it easier for malicious actors to include enticing messages and clickable buttons that can lead to infection. As a result, users should exercise caution when interacting with OneNote attachments, even if they appear harmless. It is important to use up-to-date security software and to be aware of the potential risks associated with interactive files.

Email – Social engineering

Like most malware authors, attackers often use email as the first point of contact with victims. They employ social engineering techniques to persuade victims to open the program and execute the code on their workstations.

phishing email OneNote

In a recent phishing attempt, the attacker sent an email that appeared to be from a trustworthy source and requested that the recipient download a OneNote attachment. However, upon opening the attachment, the code was not automatically updated as expected. Instead, the victim was presented with a potentially dangerous prompt.

open OneNote

In this case, as with many OneNote attachments, the malicious actor intends for the user to click the “Open” button presented in the document, which executes the code. Traditional security tools are not effective in detecting this type of threat.

One tool that can be used for analyzing Microsoft Office documents, including OneNote attachments, is Oletools. The suite includes the command-line executable olevba, which can be helpful in detecting and analyzing malicious code.

OneNote error

Upon attempting to execute the tool on the OneNote attachment, an error occurred. As a result, the focus of the analysis shifted towards a dynamic approach. By placing the document in a sandbox, we discovered a chain of scripts that were executed to download and run an executable or DLL file, resulting in more severe infections like ransomware, stealers, and wipers.

OneNote sandbox

Tactics and techniques

This particular campaign employs encoded JScript files to obscure its code, using the Windows tool screnc.exe. While in encoded form, the Open.jse file is not readable.

OneNote jscript

After decoding the JScript file, a dropper for a .bat file was uncovered. When executed, the .bat file launches a PowerShell instance, which contacts the IP address 198[.]44[.]140[.]32.

IP connect
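The process chain described above (OneNote, then the script host running Open.jse, then the .bat file, then PowerShell) lends itself to an ancestry-based detection. The following is an added example, not code from the original article: the event tuples, file names and command lines are constructed, and wscript.exe is assumed as the host because it is the default Windows handler for .jse files.

```python
# Script interpreters that should not normally descend from OneNote.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

# Constructed process-creation events: (pid, parent pid, image, command line).
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (300, 100, "ONENOTE.EXE", 'ONENOTE.EXE "sample.one"'),
    (400, 300, "wscript.exe", 'wscript.exe "Open.jse"'),
    (500, 400, "cmd.exe", 'cmd.exe /c "sample.bat"'),
    (600, 500, "powershell.exe", "powershell.exe <constructed arguments>"),
    (700, 100, "powershell.exe", "powershell.exe Get-Date"),  # benign, user-started
]

def ancestry(pid, table):
    """Walk parent links from pid to the oldest known ancestor (root first)."""
    chain, seen = [], set()
    while pid in table and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        ppid, image, _ = table[pid]
        chain.append(image.lower())
        pid = ppid
    return chain[::-1]

def onenote_descendants(events):
    """Return (pid, chain, command line) for script hosts spawned under OneNote."""
    table = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    alerts = []
    for pid, (_, image, cmd) in table.items():
        chain = ancestry(pid, table)
        if image.lower() in SCRIPT_HOSTS and "onenote.exe" in chain[:-1]:
            alerts.append((pid, " > ".join(chain), cmd))
    return alerts

if __name__ == "__main__":
    for pid, chain, cmd in onenote_descendants(EVENTS):
        print(f"ALERT pid={pid} chain={chain} cmd={cmd}")
```

Matching on the whole ancestry rather than the direct parent keeps the PowerShell stage visible even though its immediate parent is cmd.exe.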


To effectively combat the constantly evolving threat landscape, it is crucial for analysts to stay abreast of the latest attack techniques used by malware authors. These approaches can circumvent detection if systems are not appropriately configured to prevent such attachments from bypassing proper sanitization and checks. As such, it is essential for analysts to familiarize themselves with ways to analyze these attachments. Currently, dynamic analysis is recommended, as placing a sample in a sandbox can provide critical information about the malware, including the C2 servers it connects to, process chain information, and where data is written to disk and then executed. For more in-depth analysis, analysts should also become familiar with the various file formats typically associated with and embedded within OneNote attachments, such as encoded JSE files, htm documents, and ISOs.

However, the best defense is always prevention. Therefore, security teams must update their systems to detect these types of attachments and educate employees on the dangers of downloading unknown and untrusted attachments.
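As a static complement to sandboxing, embedded files can be carved out of a .one file and triaged by format. This is an added example, not the article's own tooling: the GUIDs and the FileDataStoreObject layout are taken from Microsoft's MS-ONESTORE specification, `#@~^` is the marker that begins Script Encoder output, and the sample input is constructed inline.

```python
import struct
import uuid

# GUIDs from the MS-ONESTORE specification, in on-disk (little-endian) order.
ONE_FILE_TYPE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le

# Leading-byte signatures (lowercase) for the embedded formats the article mentions.
SIGNATURES = [
    (b"#@~^", "encoded script (screnc output, e.g. .jse)"),
    (b"mz", "Windows executable or DLL"),
    (b"@echo", "batch script"),
    (b"<html", "HTML document"),
]

def classify(blob):
    head = blob[:64].lstrip().lower()
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    if blob[0x8001:0x8006] == b"CD001":  # ISO 9660 volume descriptor
        return "ISO image"
    return "unknown"

def carve_embedded(data):
    """Return (offset, label, payload) for each FileDataStoreObject found."""
    if data[:16] != ONE_FILE_TYPE:
        raise ValueError("not a OneNote .one section file")
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1 and pos + 36 <= len(data):
        # Layout: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData...
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start, end = pos + 36, pos + 36 + length
        if end <= len(data):  # skip objects whose length runs past EOF
            found.append((pos, classify(data[start:end]), data[start:end]))
        pos = data.find(FDSO_HEADER, pos + 16)
    return found

def build_sample():
    """Constructed input: file-type GUID plus two embedded objects, not a real note."""
    def fdso(payload):
        return FDSO_HEADER + struct.pack("<QI8x", len(payload), 0) + payload
    return (ONE_FILE_TYPE + b"\x00" * 48
            + fdso(b"#@~^placeholder-encoded-body^#~@")
            + fdso(b"@echo off\r\nrem constructed sample\r\n"))

if __name__ == "__main__":
    for offset, label, payload in carve_embedded(build_sample()):
        print(f"0x{offset:x}  {len(payload):>4} bytes  {label}")
```

Carved payloads should be written out and handled only inside an isolated analysis environment.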
