Payload Trends in Malicious OneNote Samples

Two sentences summarizing the article: Palo Alto Networks Unit 42 analyzes roughly 6,000 malicious OneNote samples to show how embedded payloads are delivered via OneNote files, revealing a phishing-like approach that uses images and fake buttons to trigger various payloads. The study finds that attackers favor JavaScript but also use PowerShell, VBScript, HTA, EXE, and Office 97-2003 payloads, and it provides insights into embedded-object GUIDs, shellcode behavior, and potential defender strategies. #OneNote #Shellcode #PowerShell #VBScript #JavaScript #Office97-2003

Keypoints

  • Roughly 6,000 malicious OneNote samples from WildFire show attackers use images and fake buttons to lure interaction and execute embedded payloads.
  • Attackers embed multiple payload types beyond macros, with JavaScript being the most common, followed by PowerShell, VBScript, HTA, Office 97-2003, and EXE.
  • Embedded OneNote objects follow a GUID tag indicating a FileDataStoreObject, followed by the embedded file size and the payload data.
  • Payload type distribution: JavaScript ~46.6%, PowerShell ~33.7%, with smaller shares for Batch, VBScript, HTA, Office 97-2003, and EXE.
  • Images are ubiquitous in malicious samples (99.9% contain at least one image); median image count per payload type is 2, used as fake buttons or attention-grabbers.
  • Analysis of an embedded EXE payload shows shellcode characteristics, including dynamic function resolution and a reverse TCP-style connection to a likely attacker host on port 4444.
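The embedded-object layout in the keypoints above (GUID tag for a FileDataStoreObject, then the embedded file size, then the payload data) is enough to carve payloads for triage. The following is an added example, not Unit 42's tooling: a small Python carver that walks a .one file, extracts every FileDataStoreObject, and tallies the payloads by type the way the article's distribution does. The header field order (guidHeader, cbLength, unused, reserved) and the two GUID values are taken from Microsoft's MS-ONESTORE specification; the type-sniffing rules and the sample input are this example's own assumptions.

```python
"""
Carve FileDataStoreObject payloads from a OneNote (.one) file and count them
by type. Added defender-side example; not code from the Unit 42 article.
Header layout and GUIDs follow MS-ONESTORE (FileDataStoreObject); the
classify() heuristics are simplistic assumptions for illustration only.
"""
import struct
import uuid
from collections import Counter

# GUIDs from MS-ONESTORE; bytes_le gives the on-disk byte order.
GUID_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
GUID_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength (u64 LE), unused, reserved


def carve_objects(data: bytes):
    """Yield (offset, payload) for every well-formed FileDataStoreObject in data."""
    pos = data.find(GUID_HEADER)
    while pos != -1:
        if pos + HEADER_LEN <= len(data):
            (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
            start = pos + HEADER_LEN
            end = start + cb_length
            # Only trust the declared size when the footer GUID sits right after the data;
            # this rejects truncated objects and bogus lengths from a corrupted file.
            if end + 16 <= len(data) and data[end:end + 16] == GUID_FOOTER:
                yield pos, data[start:end]
                pos = data.find(GUID_HEADER, end + 16)
                continue
        pos = data.find(GUID_HEADER, pos + 1)


def classify(payload: bytes) -> str:
    """Coarse payload typing by magic bytes or leading text (assumed heuristics)."""
    head = payload[:8]
    if head.startswith(b"MZ"):
        return "EXE"
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # OLE2 compound file
        return "Office 97-2003"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "Image"
    text = payload[:512].decode("latin-1").lstrip().lower()
    if text.startswith("<") and any(t in text for t in ("<script", "<html", "<hta")):
        return "HTA"
    if "powershell" in text or text.startswith("$") or "invoke-" in text:
        return "PowerShell"
    if text.startswith("@echo") or text.startswith("cmd"):
        return "Batch"
    if "wscript." in text or text.startswith("set ") or text.startswith("dim "):
        return "VBScript"
    if "activexobject" in text or text.startswith("var ") or text.startswith("function"):
        return "JavaScript"
    return "Unknown"


def tally(data: bytes) -> dict:
    """Payload-type distribution for one file, e.g. {'Image': 1, 'JavaScript': 1}."""
    return dict(Counter(classify(p) for _, p in carve_objects(data)))


def build_object(payload: bytes) -> bytes:
    """Serialise one FileDataStoreObject; used here only to construct sample input."""
    return GUID_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + GUID_FOOTER


# Constructed sample (not a real malicious file): filler, a PNG stub standing in for a
# fake-button image, a harmless JavaScript snippet, and a bare MZ stub.
SAMPLE = (b"\0" * 32
          + build_object(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
          + build_object(b"var x = 1; // constructed, does nothing")
          + build_object(b"MZ" + b"\0" * 62))

if __name__ == "__main__":
    for off, p in carve_objects(SAMPLE):
        print(f"offset {off:#x}: {len(p):5d} bytes -> {classify(p)}")
    print(tally(SAMPLE))
```

Run over a directory of samples, `tally()` per file is the raw material for the percentages in the keypoints, and the "Image" bucket gives the per-file image count that the article uses to spot fake-button lures.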

MITRE Techniques

  • [T1566.001] Phishing: Attachment – ‘phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files.’
  • [T1204.002] User Execution – ‘the interaction then executes an embedded malicious payload.’
  • [T1059.007] JavaScript – ‘JavaScript (this file type is the most commonly used)’
  • [T1059.001] PowerShell – ‘PowerShell’
  • [T1059.005] VBScript – ‘VBScript’
  • [T1059.012] HTA – ‘HTML application (HTA)’
  • [T1027] Obfuscated/Compressed Files and Information – ‘dynamic address resolution for functions and hashing for function identification’ (GS:60 is the pointer to the PEB; a ROT-based hash is used to identify functions)
  • [T1095] Non-Application Layer Protocol – ‘the shellcode is attempting to send or receive data by establishing a network socket’ and connects back to an attacker-controlled host on port 4444
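The two shellcode traits above (PEB access through GS:60 for hash-based API resolution, and a reverse connection to port 4444) can both be turned into cheap static triage checks. This is an added example, not code from Unit 42: it scans a carved EXE payload for the x64 `mov r64, gs:[0x60]` encoding (and the x86 `fs:[0x30]` equivalent) and for an inline `sockaddr_in` prefix (AF_INET followed by the port in network byte order), then reports the offsets and any IPv4 address that follows the port. The opcode byte patterns, the sockaddr layout assumption and the constructed sample bytes are this example's own; treat hits as leads for analysis, not verdicts.

```python
"""
Static triage heuristics for an embedded EXE/shellcode payload. Added defender
example, not code from the Unit 42 article. Patterns are assumptions about
common encodings: x64 'mov r64, gs:[0x60]', x86 'mov r32, fs:[0x30]', and a
sockaddr_in prefix (family 2, port big-endian, then IPv4) embedded in the data.
"""
import re
import struct

PEB_PATTERNS = [
    # 65 48 8B <modrm> 25 60 00 00 00 : mov <r64>, gs:[0x60]; modrm selects rax..rdi
    re.compile(rb"\x65\x48\x8b[\x04\x0c\x14\x1c\x24\x2c\x34\x3c]\x25\x60\x00\x00\x00"),
    # 64 A1 30 00 00 00 (mov eax, fs:[0x30]) or 64 8B <modrm> 30 00 00 00 (mov r32, fs:[0x30])
    re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
]


def find_peb_access(data: bytes) -> list:
    """Offsets of instructions that load the PEB pointer, the usual first step of
    walking loaded modules and hashing export names to resolve APIs at runtime."""
    hits = []
    for pat in PEB_PATTERNS:
        hits.extend(m.start() for m in pat.finditer(data))
    return sorted(hits)


def find_sockaddr(data: bytes, port: int) -> list:
    """(offset, ipv4) for each place an AF_INET sockaddr_in prefix with the given port appears.
    The IPv4 is read from the 4 bytes after the port, which is where sockaddr_in keeps it."""
    needle = b"\x02\x00" + struct.pack(">H", port)
    out = []
    pos = data.find(needle)
    while pos != -1:
        addr = data[pos + 4:pos + 8]
        ip = ".".join(str(b) for b in addr) if len(addr) == 4 else None
        out.append((pos, ip))
        pos = data.find(needle, pos + 1)
    return out


def triage(data: bytes, port: int = 4444) -> dict:
    """Combine both checks; flag only when the payload shows both traits together."""
    peb = find_peb_access(data)
    sock = find_sockaddr(data, port)
    return {"peb_access": peb, "sockaddr": sock, "suspicious": bool(peb) and bool(sock)}


# Constructed sample: NOP padding, an x64 PEB load (mov rax, gs:[0x60]), more padding,
# and a sockaddr_in for port 4444 pointing at the documentation address 192.0.2.10.
SAMPLE = (b"\x90" * 8
          + b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00"
          + b"\x90" * 8
          + b"\x02\x00" + struct.pack(">H", 4444) + bytes([192, 0, 2, 10])
          + b"\x00" * 8)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Both heuristics are deliberately narrow: a two-byte port match alone is noisy, so the family prefix is required, and the PEB patterns cover only the direct-addressing encodings, so a payload that reaches the PEB through a register or through `NtCurrentTeb` will not match.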

Indicators of Compromise

  • [SHA256] OneNote payload hashes – d48bcca19522af9e11d5ce8890fe0b8daa01f93c95e6a338528892e152a4f63c, 92d057720eab41e9c6bb684e834da632ff3d79b1d42e027e761d21967291ca50
  • [FileName] Embedded payload references – cc.EXE, Floor_Drawingshta.Doc, and document.vbs
  • [Port] 4444 – used for reverse connection to attacker-controlled host as shown in EXE payload analysis

Read more: https://unit42.paloaltonetworks.com/payloads-in-malicious-onenote-samples/