Analyzing Malicious OneNote Documents (Patreon)
Content
Starting with the malicious OneNote document, we begin by checking the strings within it. The strings aren't very interesting apart from one reference to a .bat file on the Desktop of a user named RAZER. After checking the strings we want to take the OneNote document apart, so we use a tool called OneNoteAnalyzer. This tool automatically disassembles the OneNote file and gives us all of the information it contains, which makes our malware analysis much easier. I run OneNoteAnalyzer on the file and it gives me some information about the embedded files along with the text, images and hyperlinks within the OneNote file. This has made our analysis process much easier, but it doesn't stop there. Looking at the output of the tool, we see the batch file that was referenced in the strings of the file.
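As an added example (not code from this post or from OneNoteAnalyzer), the script below performs the same two triage steps on a constructed stand-in for a .one file: it carves embedded files by locating the FileDataStoreObject header and footer GUIDs and the cbLength field described in Microsoft's MS-ONESTORE specification, hashing each payload, and it pulls ASCII and UTF-16LE strings that name a script file, which is how the .bat reference above surfaced. The sample buffer, the file name example.bat and the batch contents are all constructed for the demonstration.

```python
import hashlib
import re
import struct

# FileDataStoreObject markers from the MS-ONESTORE spec (2.6.13): the little-endian
# bytes of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and {71FBA722-0F79-4A0B-BB13-899256426B24}.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
FDSO_PREAMBLE = struct.Struct("<16sQ4x8x")  # guidHeader, cbLength, unused, reserved
SCRIPT_REF = r"[ -~]{4,}\.(?:bat|cmd|vbs|ps1|js|hta)"


def extract_embedded_files(data: bytes) -> list:
    """Carve every FileDataStoreObject out of a .one file and hash its payload."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_PREAMBLE.size <= len(data):
        _, length = FDSO_PREAMBLE.unpack_from(data, pos)
        start = pos + FDSO_PREAMBLE.size
        payload = data[start:start + length]
        found.append({
            "offset": pos, "size": length, "payload": payload,
            "truncated": len(payload) != length,  # cbLength past EOF: suspicious
            "footer_ok": data[start + length:start + length + 16] == FDSO_FOOTER,
            "head": payload[:8],  # eyeball the magic: MZ, PK, '@echo' ...
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
        pos = data.find(FDSO_HEADER, start + length)
    return found


def find_script_references(data: bytes) -> list:
    """Mirror the strings step: ASCII and UTF-16LE strings that name a script file."""
    hits = [m.decode() for m in re.findall(SCRIPT_REF.encode(), data, re.IGNORECASE)]
    for shift in (0, 1):  # wide strings may begin at an odd byte offset
        text = data[shift:].decode("utf-16le", errors="ignore")
        hits += re.findall(SCRIPT_REF, text, re.IGNORECASE)
    return list(dict.fromkeys(hits))  # de-duplicate, keep order


def build_sample() -> bytes:
    """Constructed stand-in for a malicious .one file, not a real sample."""
    filler = b"\x00\x01" * 32
    # Wide-string path like the one the strings pass surfaced; the file name is made up.
    path = "C:\\Users\\RAZER\\Desktop\\example.bat".encode("utf-16le")
    bat = b"@echo off\r\necho constructed sample payload\r\n"
    return (filler + path + filler + FDSO_PREAMBLE.pack(FDSO_HEADER, len(bat))
            + bat + FDSO_FOOTER + filler)
```

Run `extract_embedded_files` over a real .one file to get each embedded object's offset, size, SHA-256 and leading bytes; a `truncated` or `footer_ok == False` entry means the object is malformed and worth a closer look.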