Josh Stroschein

OneNote Malware: Hidden Payloads in Page Versions

While the abuse of OneNote documents is nothing new, a recent document I investigated revealed multiple payloads through the page versions.


Typical Abuse

OneNote document abuse tends to rely on simple lures that instruct users to double-click on a button or image. The trick is that the button/image overlays a script or executable that the malware author wants executed. Often, the malicious file is copied multiple times so that no matter where the user double-clicks, they execute an instance of it. Even though there appear to be multiple files, they are all the same. Analysis typically involves extracting the embedded file(s) for analysis.


OneNote Lure
Example of a play icon that was overlaying batch scripts

Discovering More Payloads with Onedump

While you could simply copy/paste or drag/drop the file out of this document for analysis, this requires having OneNote installed. Not a difficult challenge, as Microsoft offers it for free, but sometimes I don't have OneNote installed or it's just simpler to work from a terminal. This is where Didier Stevens's Python-based Onedump utility comes in handy. Onedump, which is similar to oledump, lets you list and extract the embedded files.


Onedump output from the OneNote file

Running the utility without any arguments lists the files embedded in the document. The PNG files are of no interest, but the script files at indexes 1, 4, and 7 are. The last column of output is the MD5 hash of the file content. After extracting the script from the document using OneNote, I generated its hash to confirm.


Comparing File Hashes

And they match! If that's the only file in the document, where are the other scripts stored?
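To do the same triage from a terminal without OneNote installed, here is an added example that is not code from the original post and not Didier Stevens's onedump. It scans the raw bytes of a .one file for FileDataStoreObject records as laid out in the MS-ONESTORE specification (header GUID, 8-byte length, 4 unused bytes, 8 reserved bytes, the file data, footer GUID), MD5-hashes each payload, and collapses the duplicated copies so you can see how many distinct scripts are actually present. Because it never follows the revision manifests, it also surfaces payloads that only an older page version still references, which is why a byte-level tool lists files the current page does not show. The sample document bytes, the lure PNG stand-in and the two placeholder scripts are all constructed for the example; the 8-byte alignment tolerance on the footer check is an assumption for robustness.

```python
"""Scan a OneNote (.one) file for embedded files, hash them, and collapse duplicates.

Added example; not code from the post or from onedump. On-disk layout of a
FileDataStoreObject per MS-ONESTORE:
  guidHeader(16) | cbLength(8, LE uint64) | unused(4) | reserved(8) | FileData | guidFooter(16)
"""
import hashlib
import struct
import uuid

# Header/footer GUIDs of a FileDataStoreObject, serialised little-endian as stored on disk.
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
RECORD_HEADER_SIZE = 16 + 8 + 4 + 8
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def iter_embedded_files(data: bytes):
    """Yield (offset, payload, footer_ok) for every FileDataStoreObject in `data`."""
    pos = data.find(FILE_DATA_HEADER)
    while pos != -1 and pos + RECORD_HEADER_SIZE <= len(data):
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + RECORD_HEADER_SIZE
        end = start + cb_length
        if end > len(data):
            break  # truncated file or corrupt length: never read past the buffer
        # The footer GUID should follow FileData; tolerate up to 8 bytes of alignment
        # padding (assumption; the constructed sample below uses none).
        footer_ok = data.find(FILE_DATA_FOOTER, end, end + 8 + 16) != -1
        yield pos, data[start:end], footer_ok
        pos = data.find(FILE_DATA_HEADER, end)


def classify(payload: bytes) -> str:
    """Rough triage: PNG lure image, plain-text script, or something else."""
    if payload.startswith(PNG_MAGIC):
        return "png"
    if b"\x00" not in payload:
        try:
            payload.decode("utf-8")
            return "script"
        except UnicodeDecodeError:
            pass
    return "other"


def summarize(data: bytes) -> dict:
    """Map md5 -> {kind, size, offsets, footer_ok}; identical payloads collapse into one entry."""
    summary = {}
    for offset, payload, footer_ok in iter_embedded_files(data):
        digest = hashlib.md5(payload).hexdigest()
        entry = summary.setdefault(
            digest, {"kind": classify(payload), "size": len(payload),
                     "offsets": [], "footer_ok": footer_ok})
        entry["offsets"].append(offset)
    return summary


def unique_scripts(data: bytes) -> list:
    """Return the distinct script payloads, i.e. the ones worth extracting for analysis."""
    seen, scripts = set(), []
    for _, payload, _ in iter_embedded_files(data):
        digest = hashlib.md5(payload).hexdigest()
        if classify(payload) == "script" and digest not in seen:
            seen.add(digest)
            scripts.append(payload)
    return scripts


# --- Constructed sample document (not a real malicious file) ---------------------
def _record(payload: bytes) -> bytes:
    """Serialise one FileDataStoreObject around `payload`."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 4 + b"\x00" * 8
            + payload + FILE_DATA_FOOTER)


LURE_PNG = PNG_MAGIC + b"\x00" * 40  # stand-in for the play-button image
SCRIPT_A = b"@echo off\r\nrem constructed placeholder script A\r\n"
SCRIPT_B = b"@echo off\r\nrem constructed placeholder script B\r\n"
# Two copies of script A (the "copied many times" lure), the image twice, and script B once.
SAMPLE_ONE = (b"\x00" * 32 + _record(LURE_PNG) + _record(SCRIPT_A) + _record(SCRIPT_A)
              + _record(LURE_PNG) + _record(SCRIPT_B) + b"\x00" * 16)

if __name__ == "__main__":
    for digest, info in summarize(SAMPLE_ONE).items():
        print(f"{digest}  {info['kind']:<6} {info['size']:>6} bytes  "
              f"x{len(info['offsets'])}  offsets={info['offsets']}")
```

To use it on a real document, read the file into `data` and call `summarize(data)`; the MD5 column lines up with what onedump prints, so a hash taken from the extracted script can be matched directly against the listing.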

Viewing OneNote Page Versions

While we could just extract those files using Onedump, I was curious where they were stored in the OneNote document. After poking around the UI for a bit, I came across Page Versions under the History tab. In here, you can view previous versions of the OneNote document.


OneNote's Page Versions History

Restoring these versions revealed not only the use of the other images, but also the scripts.


Page versions with different lures and payloads

Not the most exciting discovery, but interesting nonetheless. Sample referenced: https://bazaar.abuse.ch/sample/36d4b2e714d499fad827fa94dee1e2ef073574145b4fb4e4c47768500f8a92e2/
