Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M 
McAfee Labs has recently observed a new Malware campaign which used malicious OneNote documents to entice users to click on an embedded file to download and execute the Qakbot trojan. 
OneNote is a Microsoft digital notebook application that can be downloaded for free. It is a note-taking app that allows collaboration across organizations while enabling users to embed files and other artifacts. It is installed by default in Microsoft Office 2021 and Microsoft 365.   
Malicious Actors are always trying to find new ways in to infect their victims. Such as their shift to LNK files after Microsoft introduced a policy change disabled office macros by default. Due to a feature that allows users to attach files to OneNote documents it makes them a good alternative to LNK files as distribution vehicle to deploy their malware. This blog contains analysis on how OneNote documents are used malicious and two specific campaigns that made use of OneNote documents to download and execute the Qakbot malware.  
OneNote Campaigns in the wild 
Figure 1 Campaign Heatmap
Figure 1  shows the geo wise distribution of McAfee customers detecting malicious OneNote files. 
 Based on the telemetry from our endpoints we have identified the following threat families deployed through OneNote documents: 

Iceid 
Qakbot
RedLine
AsyncRat
Remcos
AgentTesla
QuasarRAT
XWORM
Netwire
Formbook
Doubleback 

Overview Of Malicious OneNote Documents 
A holistic view of the phishing campaigns that weaponize OneNote document is shown in Figure 2 below.  The malicious document is delivered in either zip files or ISO images to the target through phishing emails. We have observed that most of the malicious documents either have Windows batch script that invokes Powershell for dropping the malware on the system or Visual Basic scripts that does the same.
Figure 2 Campaign Overview
The generic theme of the email is invoice or legal related. These types of themes are more likely to be opened by the vicim. An example email body and attachment is shown in Figure 3 and 4. 
Figure 3 Email Body
Figure 4 Attachment
A Deep Dive into OneNote File Format 
File Header 
To understand how the data is laid out in the file, we need to examine it at byte level. Taking a close look at OneNote document gives us an interesting observation as its magic bytes for the header is not a trivial one. Figure 5 shows the first 16 bytes of the document binary. 
Figure 5 OneNote Header
The first 16 bytes need to be interpreted as GUID value {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}. We can use the official documentation for OneNote specification to make sense of all the bytes and its structuring. Figure 6 shows header information taken from the OneNote specification document. 
Figure 6 OneNote Specification
The Data Stream in OneNote, Say Hello To FileDataStoreObject 
To find the embedded data in a OneNote document, we need to learn more about the FileDataStoreObject which has a GUID value of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. The structure that holds the data is shown below: 

guidHeader (16 bytes) 
Size: 16 bytes 
Value: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} 
cbLength 
Size: 8 bytes 
Value: Size of the data 
unused 
Size: 4 bytes 
reserved 
Size: 8 bytes 
FileData 
Size: Variable 
guidFooter 
Size: 16 bytes 
Value: {71FBA722-0F79-4A0B-BB13-899256426B24} 

The FileData member of the FileDataStoreObject is the key member that holds the embedded data in the OneNote document. The size can be retrieved from the cbLength member. 
Figure 7 shows the “on disk” representation of the FileDataStoreObject  This is taken from a malicious OneNote document used to spread the Qakbot payload. The guidHeader for the data object is highlighted in yellow and the data is shown in red. As it is evident from the image the data represents a text file which is a script to launch PowerShell.  
Figure 7 Embedded data in Data object
For more information on the OneNote specification, go to reference section  
Artifact Extraction  
Now we have an idea of what the data object is, with this knowledge we can automate the process of extracting embedded artifacts for further analysis from the OneNote document by following the below algorithm. 

Search for FileDataStoreObject GUID in the binary. 
Interpret the FileDataStoreObject structure  
Retrieve cbLength member (size of the data represented by FileDataStoreObject) 
Read N bytes (cbLength) after Reserved 8 bytes in FileDataStoreObject. 
Dump the bytes read on to disk 
Repeat above steps for every FileDataStoreObject present in the binary

Embedded Executable Objects In OneNote  
Execution Of Embedded Entities  
Looking at the runtime characteristics of OneNote Desktop application we have observed that when an embedded file gets executed by the user, it is stored temporarily in the OneNote directory in the User’s Temp location. Each directory with GUID values represents a different document opened in the OneNote application. 
Figure 8 OneNote directory in Temp
By analyzing numerous malicious documents, we have been able to create a “test” OneNote document that executes a batch file that contains the “whoami” command. The image in Figure  9 show the batch file being created in the user’s temp location. 
Figure 9 OneNote drops embedded artifacts in Temp directory
Qakbot Campaign 1: 
This section contains specific details on a Qakbot campaign. In campaign 1, the malware author used phishing emails to deliver malicious OneNote document either as attachment or a URL link to zip file containing the OneNote document. The OneNote contained aHTA file that once executed would make use of  the curl utility to download Qakbot and then execute it. 
Infection Flow: 
Figure 10 Infection Chain

Spam email delivers a malicious OneNote file as an attachment or a link to a ZIP file that contains a OneNote file. 
OneNote file contains an embedded HTA  attachment and a fake message to lure users to execute the HTA  file 
The HTA file uses curl utility to download the Qakbot payload and is executed by rundll32.exe. 

Technical Analysis: 
The OneNote file with the embedded HTA file is shown in the Figure 11. Once this OneNote file is opened, it prompts the user with a fake message to double-click on open to view the attachment. 
Figure 11 OneNote Template
Upon clicking the Open button, it drops the HTA file with the name Open.hta to the %temp% Folder and executes it using mshta.exe. 
Figure 12 Drop file in Temp location
The HTA file contains obfuscated script as shown below: 
Figure 13 Obfuscated HTA script
The HTA file is loaded by MSHTA and creates a registry key in HKEY_CURRENT_USERSOFTWARE with obfuscated content as shown below: 
Figure 14 Registry key creation

The obfuscated registry is then read by MSHTA and the obfuscated code is de-obfuscated. The code is then initialized to a new function object as shown in Block1. 
Finally, MSHTA calls this function by passing the malicious URL as a parameter and then deletes the registry key as shown in Block 2.

De-obfuscated content from the HTA file is shown below: 
Figure 15 Deobfuscated HTA content

Curl is used to download the malicious DLL file in C:ProgramData Folder with .png extension. The script will then execute the downloaded file with Rundll32.exe with the export function Wind.

Figure 16 Downloaded payload in ProgramData

A fake error message is displayed after loading the downloaded payload and MSHTA is terminated.  

Figure 17 Fake error message
Figure 18 shows the process tree of Qakbot: 
Figure 18 Process Chain
IOCs: 

Type 
Value 
Product 
Detected 

Campain 1 – OneNote File 
88c24db6c7513f47496d2e4b81331af60a70cf8fb491540424d2a0be0b62f5ea 
Total Protection and LiveSafe 
VBS/Qakbot.a 

Campain 1 – HTA File 
e85f2b92c0c2de054af2147505320e0ce955f08a2ff411a34dce69c28b11b4e4 
Total Protection and LiveSafe 
VBS/Qakbot.b 

Campain 1 – DLL File 
15789B9b6f09ab7a498eebbe7c63b21a6a64356c20b7921e11e01cd7b1b495e3 
Total Protection and LiveSafe 
Qakbot-FMZ 

Campaign 2: 
Examining Malicious OneNote Documents 
The OneNote document for campaign 2 is shown in Figure 19. At first glance it it appears that there is a ‘Open’ button embedded within the document. The message above the ‘Open’ button instructs the user to “double click” in order to receive the attachment.
Figure 19 Malicious content
A closer look at the document reveals the graphical elements are all images placed in a layered style by the malicious actor. By moving the icons aside, we can see the malicious batch file which when executed downloads the payload from the Internet and executes on the target system. 
Figure 20 Hidden Malicious dropper script
Execution Of Payload Dropper 
Upon execution of the batch file, Powershell will be invoked and it fetch the Qakbot payload from Internet and execute it on the target system. This section will cover details of dropper script used to deploy QakBot. The Figure 21 Show the process tree after the execution of the script and you can see that powershell.exe was launched by cmd.exe and the parent of cmd.exe is onenote.exe. 
Figure 21 Process chain
The contents of process cmd.exe (7176) are shown below.  
Figure 22 Cmd.exe properties
The base64 decoded batch file is shown in Figure 23.  This will use powershell to download the payload and then execute it with rundll32.exe
Figure 23 Base64 Decoded instructions in dropper
 IOCS 

Type 
Value 
Product 
Detected 

Campain 2 – Zip File 
000fb3799a741d80156c512c792ce09b9c4fbd8db108d63f3fdb0194c122e2a1 
 
Total Protection and LiveSafe 
VBS/Qakbot.a 

Campain 2 – OneNote File 
2bbfc13c80c7c6e77478ec38d499447288adc78a2e4b3f8da6223db9e3ac2d75 
Total Protection and LiveSafe 
One/Downloader.a 

Campain 2 – Powershell File 
b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424 
Total Protection and LiveSafe 
PS/Agent.gs 

Campain 2 – OneNoteFile 
a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860  
Total Protection and LiveSafe 
VBS/Qakbot.a 

 
 
 
 

Domains: 
starcomputadoras.com 
Conclusion: 
Malware authors are getting more sophisticated when it comes to hiding their payloads. This Blog highlights the recent Qakbot campaign that delivers its payload which uses the OneNote application as a delivery mechanism. McAfee Customers should keep their systems up-to-date and refrain from clicking links and opening attachments in suspicious emails to stay protected. 
 References: 
https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/405b958b-4cb7-4bac-81cc-ce0184249670 
https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/8806fd18-6735-4874-b111-227b83eaac26 
The post The Rising Trend of OneNote Documents for Malware delivery appeared first on McAfee Blog.