This document is an analysis report on malware that is being actively distributed using Microsoft OneNote.
The ASEC analysis team identified a rapidly increasing trend of OneNote malware distribution starting in November 2022 and classified the malware by level of intricacy, based on the screen that appears when the file is actually opened. The two categories are ‘1) The type where malicious objects are hidden with simple block images’ and ‘2) The more intricately created malicious OneNote type’. Below are example images of the samples.
1) The type where malicious objects are hidden with simple block images
2) The more intricately created malicious OneNote type
We then categorized and analyzed the internal objects that perform the actual malicious behavior by file format. Internal objects were broadly classified into script files, document files, and executable files, and script files were further categorized and analyzed by file extension. The report also explains how the threat actor intended to deceive users, as well as the details of how the malware attempted to evade detection by antivirus products and IDS/IPS solutions.
We introduce types that hide internal objects, samples that apply the RTLO technique (commonly seen in PE file names) to the file names of non-PE objects, and malicious behaviors designed to run through several stages using pentest tooling such as the PoshC2 framework. All of these points indicate that more varied and intricate types of malware will be created in the future.
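The RTLO trick mentioned above relies on the Unicode right-to-left override (U+202E) making a file name display with a different visual extension than the one the operating system actually uses. The following is an added example, not code from the ASEC report: it flags attachment names containing bidirectional control characters and compares the displayed extension with the real one. The sample file names are constructed, and the rendering logic is a simplification of the Unicode bidi algorithm that handles only the RLO/PDF case.

```python
# Unicode bidirectional controls that can alter how a file name is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}


def displayed_name(name: str) -> str:
    """Approximate how a name renders: after an RLO (U+202E) the text is shown
    reversed until a PDF (U+202C) or the end of the string. Other bidi controls
    are invisible and are simply dropped (simplified bidi handling)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_attachment_name(name: str) -> dict:
    """Return what the OS will use versus what the user sees, plus a verdict."""
    controls = [f"U+{ord(c):04X} ({BIDI_CONTROLS[c]})" for c in name if c in BIDI_CONTROLS]
    real = _extension("".join(c for c in name if c not in BIDI_CONTROLS))
    shown = _extension(displayed_name(name))
    return {
        "name_repr": ascii(name),  # escape invisible characters for logging
        "bidi_controls": controls,
        "real_extension": real,
        "displayed_extension": shown,
        "suspicious": bool(controls) or real != shown,
    }


if __name__ == "__main__":
    # Constructed samples: a benign document and an RLO-disguised script.
    for sample in ["report.docx", "invoice_\u202efdp.vbs"]:
        print(check_attachment_name(sample))
```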
The detailed analysis report can be accessed from the download link below.
2. OneNote Malware Distribution Process
    2.1) Malicious OneNote File Distribution Trends
    2.2) File Names of the Malicious OneNote Files and Attached Objects
    2.3) Analysis of OneNote Attachment Object File Names (RTLO Technique)
    2.4) Malicious OneNote Sample Execution Screens
        2.4.1) The type where malicious objects are hidden with simple block images
        2.4.2) The more intricately created malicious OneNote type
3. Categorization and Analysis of Internal Objects in Malicious OneNote Files
    3.1) Script Files
        3.1.1) HTA
        3.1.2) VBS
        3.1.3) BAT
        3.1.4) WSF
    3.2) Document Files
    3.3) Executables (PE)
4. AhnLab Response Status
6. IOC (Indicators Of Compromise)
    6.1) File Hashes (MD5)
    6.2) Relevant domains, URLs, and IP addresses
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.