Threat actors are abusing OneNote’s embedded files feature in phishing campaigns by hiding and executing payloads behind embedded pictures. The article explains how this technique works, how to detect it with YARA rules, and how Microsoft blocks many of these emails. #OneNoteEmbeddedFiles #Qakbot #Zbuilder

Keypoints

  • OneNote embedded files are being used in phishing campaigns to trigger malware when a user clicks a picture.
  • Embedded files can be executables, JavaScript, HTML, PowerShell, or other file types; even .chm with embedded index.html has been observed.
  • OneNote uses GUIDs to mark embedded file sections, enabling hex-based detection approaches and revealing the exact start location of embedded content.
  • A high-confidence detection approach can ignore legitimate embedded images and flag non-image embedded content using a targeted YARA rule.
  • Malicious OneNote samples sometimes reference a Z:\builder directory, which can be used to link samples; related tooling (e.g., DissectMalware extraction scripts, POCs) helps extract and analyse the embedded content.
  • Microsoft currently blocks many of these emails, though a subset can slip through; a baseline and alerting approach is advised to manage false positives.
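The GUID-anchored, hex-based detection described in the keypoints, written out as an added example (it is not code from the article or from NVISO). It assumes the FileDataStoreObject header layout from MS-ONESTORE (16-byte GUID, 8-byte little-endian length, 12 further header bytes, then the file data) and uses a constructed byte buffer rather than a real .one file; the script finds every embedded section, ignores image content by magic bytes, and flags everything else, which is the same logic a targeted YARA rule encodes.

```python
import struct
import uuid

# Embedded-file start marker from the page, in the little-endian byte order it
# has on disk (the same bytes a YARA hex pattern would match).
EMBED_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
# Assumed header layout (MS-ONESTORE FileDataStoreObject): guidHeader(16) +
# cbLength(8, uint64 LE) + unused(4) + reserved(8) = 36 bytes, then FileData.
HEADER_LEN = 36

# Magic bytes of picture formats that legitimately appear as embedded images.
IMAGE_MAGICS = {
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"BM": "bmp",
}

def classify(blob: bytes) -> str:
    """Return the image type of an embedded blob, or 'non-image' if it is not a picture."""
    for magic, name in IMAGE_MAGICS.items():
        if blob.startswith(magic):
            return name
    return "non-image"

def scan_embedded(data: bytes) -> list:
    """Locate every embedded file section by its GUID and flag non-image content."""
    findings = []
    pos = data.find(EMBED_GUID)
    while pos != -1:
        (size,) = struct.unpack_from("<Q", data, pos + 16)   # cbLength
        start = pos + HEADER_LEN                              # first byte of FileData
        blob = data[start:start + size]
        kind = classify(blob)
        findings.append({"offset": start, "size": size, "type": kind,
                         "flag": kind == "non-image"})
        pos = data.find(EMBED_GUID, pos + 1)
    return findings

def build_section(payload: bytes) -> bytes:
    """Constructed FileDataStoreObject-like section for the demo (not a real .one file)."""
    return EMBED_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload

# Constructed sample: one legitimate PNG picture followed by a hidden executable.
SAMPLE = (b"\0" * 32
          + build_section(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
          + b"\0" * 8
          + build_section(b"MZ\x90\x00" + b"\0" * 20))

if __name__ == "__main__":
    for finding in scan_embedded(SAMPLE):
        print(finding)
```

Only the second section is flagged; a PNG picture with a file hidden behind it still produces a second, non-image section, which is exactly what the rule is meant to catch.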

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Threat actors use OneNote to deliver embedded files in phishing campaigns, enticing users to click. ‘OneNote has gotten a lot of media attention as threat actors are abusing the embedded files feature in OneNote in their phishing campaigns.’
  • [T1204] User Execution – Users click the embedded picture, causing the hidden file to execute. ‘If the picture is clicked, it will execute the file hidden beneath.’
  • [T1059] Command and Scripting Interpreter – The embedded payload is executed via various interpreters such as PowerShell, WScript, CScript, MSHTA, CMD, and HH. ‘…one of the following processes executing the script/file: ‘powershell.exe’, ‘pwsh.exe’, ‘wscript.exe’, ‘cscript.exe’, ‘mshta.exe’, ‘cmd.exe’, ‘hh.exe’.’
  • [T1059.001] PowerShell – PowerShell or PowerShell Core is used to run the embedded payload. ‘powershell.exe’, ‘pwsh.exe’
  • [T1059.003] Windows Command Shell – CMD.exe is used to execute the embedded payload. ‘cmd.exe’
  • [T1059.005] VBScript – WScript/CScript hosts are used to run scripts from the embedded file. ‘wscript.exe’, ‘cscript.exe’

Indicators of Compromise

  • [Hash] SHA-256 – d2e6629f8bbca3663e1d76a06042bc1d459d81572936242c44ccc6cd896bfd5c, and 2 more hashes
  • [Filename] doc.one – observed when the embedded OneNote sample is opened and Microsoft detects it as a Qakbot dropper
  • [Path] C:\Users\Hera\AppData\Local\Temp\OneNote\16.0\Exported – temporary export path used during analysis or extraction of embedded content
  • [GUID] {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} – start marker for embedded file section in OneNote
  • [Directory] Z:\builder – directory path associated with the malware builder tool used to create the embedded payload

Read more: https://blog.nviso.eu/2023/02/27/onenote-embedded-file-abuse/