
Content

Starting with the malicious OneNote document, we begin by checking the strings within it. The strings aren't very interesting apart from a reference to a .bat file on the Desktop of a user named RAZER. After checking the strings we want to take the OneNote document apart, so we use a tool called OneNoteAnalyzer. It automatically disassembles the OneNote file and hands us everything it contains, which makes the malware analysis much easier. I run OneNoteAnalyzer on the file and it gives me information about the embedded files, along with the text, images and hyperlinks inside the OneNote file. That has made the analysis process much easier, but it doesn't stop there: looking at the tool's output we find the batch file that was referenced in the strings of the file.

Files

Malicious OneNote Documents - Malware Analysis

Learn how to analyze malicious OneNote documents. Support us on GH: https://guidedhacking.com/register/ | Support us on Patreon: https://patreon.com/guidedhacking | Support us on YT: https://www.youtube.com/channel/UCCMi6F5Ac3kQDfffWXQGZDw/join

Recently there has been a surge in the use of OneNote documents as a vehicle for malware distribution, by both commodity e-crime actors and more sophisticated threat actors. In response to this emerging threat, we applied our malware analysis skills to dissect a OneNote document and understand how it works. OneNote malware analysis article: https://guidedhacking.com/threads/analyzing-malicious-onenote-documents-spreading-asyncrat.20306/

Our analysis began with the strings in the document, which contained a reference to a .bat file on the Desktop of a user named RAZER. To deconstruct the document further we used a tool called OneNoteAnalyzer, which automatically disassembles the file and extracts everything it contains: text, images, hyperlinks and embedded files. This sped up the analysis considerably and surfaced the batch file referenced in the strings.

The batch file was obfuscated. To deobfuscate it we used an echo command to print the commands to the console, where they are easier to read. Inside the batch file was a long base64 string that potentially held the final payload. Decoding that string on its own did not produce anything meaningful, so the analysis had to continue into the surrounding code.

That code turned out to be PowerShell. It first sets the location of the PowerShell executable, then initializes an AES decryption class, a base64 decoding class and a gzip decompression class. It obtains the IV and key from the base64-encoded data, base64-decodes the payload, AES-decrypts it, gunzips the result and passes it to a final function that invokes the decrypted data. The decrypted data was AsyncRAT, a remote access trojan that infects the victim's computer.

The use of OneNote documents as a malware delivery mechanism underscores the importance of a proactive stance towards threat intelligence and security. It is crucial to stay vigilant and employ robust security measures to prevent such attacks.

#malware #malwareanalysis #fr3dhk
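To make the first step concrete, here is an added example that is not code from the video or from OneNoteAnalyzer: a small carver that walks a raw .one section and pulls out each embedded file object, using the FileDataStoreObject marker GUIDs from Microsoft's MS-ONESTORE specification. The sample section at the bottom is constructed inline (a batch script, a PE stub and a deliberately truncated object), and the type labels are a heuristic of my own.

```python
import struct

# Marker GUIDs of the MS-ONESTORE FileDataStoreObject (from the published OneNote
# file format spec, not from the video). Each embedded file is wrapped as:
#   guidHeader(16) | cbLength(8, LE) | unused(4) | reserved(8) | FileData | guidFooter(16)
HEADER_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FOOTER_GUID = bytes.fromhex("22a7fb71790f0b4abb1389925642 6b24".replace(" ", ""))
HEADER_LEN = 16 + 8 + 4 + 8
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip"}
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def guess_kind(payload: bytes) -> str:
    """Coarse label: known magic, plain text (e.g. a .bat dropper), or unknown."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    if payload and all(b in TEXT_BYTES for b in payload):
        return "text"
    return "unknown"

def carve_embedded_files(data: bytes) -> list:
    """Walk a raw .one section and return every embedded file object found."""
    found = []
    pos = data.find(HEADER_GUID)
    while pos != -1 and pos + HEADER_LEN <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + length
        # A truncated or tampered file may carry a bogus cbLength: never slice
        # past end of file, and require the footer before trusting the object.
        complete = end + 16 <= len(data) and data[end:end + 16] == FOOTER_GUID
        payload = data[start:end] if complete else b""
        found.append({"offset": pos, "length": length, "complete": complete,
                      "kind": guess_kind(payload), "data": payload})
        pos = data.find(HEADER_GUID, pos + 16)
    return found

def wrap_file_object(payload: bytes) -> bytes:
    """Build one FileDataStoreObject around payload (for constructed samples)."""
    return HEADER_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FOOTER_GUID

# Constructed sample section: filler, a batch dropper, an EXE stub, and a
# truncated object whose length field points past end of file.
SAMPLE_SECTION = (b"\x00" * 40
                  + wrap_file_object(b"@echo off\r\nset p=%USERPROFILE%\\Desktop\r\necho %p%\r\n")
                  + b"\x11" * 17
                  + wrap_file_object(b"MZ\x90\x00" + b"\x00" * 60)
                  + HEADER_GUID + struct.pack("<Q", 10_000) + b"\0" * 12 + b"cut")
```

Run it over `SAMPLE_SECTION` (or the bytes of a real .one file) and write each complete object's `data` to disk under its `kind`; the incomplete entry is reported but never sliced, which is the behaviour you want when a sample has been damaged in transit.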
