{"id":166243,"date":"2023-03-30T16:37:03","date_gmt":"2023-03-30T23:37:03","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=166243"},"modified":"2023-07-11T11:17:08","modified_gmt":"2023-07-11T18:17:08","slug":"rising-trend-of-onenote-documents-for-malware-delivery","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/","title":{"rendered":"The Rising Trend of OneNote Documents for Malware delivery"},"content":{"rendered":"<p><em><span data-contrast=\"auto\">Authored By Anandeshwar Unnikrishnan, Sakshi Jaiswal, Anuradha M<\/span><\/em><\/p>\n<p><span data-contrast=\"auto\">McAfee Labs has recently observed a new malware campaign which used malicious OneNote documents to entice users to click on an embedded file to download and execute the Qakbot trojan.<\/span><\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/office\/client-developer\/onenote\/window-interfaces-onenote?source=recommendations\"><span data-contrast=\"none\">OneNote<\/span><\/a><span data-contrast=\"auto\"> is a Microsoft digital notebook application that can be downloaded for free. It is a note-taking app that allows collaboration across organizations while enabling users to embed files and other artifacts. It is installed by default in Microsoft Office 2021 and Microsoft 365.<\/span><\/p>\n<p><span data-contrast=\"auto\">Malicious actors are always trying to find new ways to infect their victims, such as their shift to <\/span><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/\"><span data-contrast=\"none\">LNK files<\/span><\/a><span data-contrast=\"auto\"> after Microsoft introduced a policy change that <\/span><a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/internet-macros-blocked\"><span data-contrast=\"none\">disabled Office macros by default<\/span><\/a><span data-contrast=\"auto\">. Because OneNote lets users attach files to a document, OneNote documents are a good alternative to LNK files as a distribution vehicle for malware. This blog contains analysis of how OneNote documents are used maliciously, along with two specific campaigns that made use of OneNote documents to download and execute the Qakbot malware.<\/span><\/p>\n<h2><strong><span data-contrast=\"auto\">OneNote Campaigns in the wild<\/span><\/strong><\/h2>\n<figure id=\"attachment_166602\" aria-describedby=\"caption-attachment-166602\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-166602 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-1-Campaign-Heatmap-1024x570.png\" alt=\"Figure 1 Campaign Heatmap\" width=\"1024\" height=\"570\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-1-Campaign-Heatmap-1024x570.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-1-Campaign-Heatmap-300x167.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-1-Campaign-Heatmap-768x428.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-1-Campaign-Heatmap-1536x855.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-1-Campaign-Heatmap-205x114.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-1-Campaign-Heatmap.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-166602\" class=\"wp-caption-text\">Figure 1 Campaign Heatmap<\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">Figure 1 shows the geographic distribution of McAfee customers detecting malicious OneNote files.<\/span><\/p>\n<p><span data-contrast=\"auto\">Based on the telemetry from our endpoints, we have identified the following threat families deployed through OneNote documents:<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">IcedID<\/span><\/li>\n<li 
data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Qakbot<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">RedLine<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">AsyncRat<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" 
data-aria-level=\"1\"><span data-contrast=\"auto\">Remcos<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">AgentTesla<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">QuasarRAT<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">XWORM<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Netwire<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Formbook<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Doubleback<\/span><\/li>\n<\/ul>\n<h2><b><span data-contrast=\"auto\">Overview Of Malicious OneNote Documents<\/span><\/b><\/h2>\n<p><span data-contrast=\"auto\">A holistic view of the phishing campaigns that weaponize OneNote documents is shown in Figure 2 below. The malicious document is delivered to the target in either zip files or ISO images through phishing emails. We have observed that most of the malicious documents contain either a Windows batch script that invokes PowerShell to drop the malware on the system, or a Visual Basic script that does the same.<\/span><\/p>\n<figure id=\"attachment_166588\" aria-describedby=\"caption-attachment-166588\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-166588\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-2-Campaign-Overview-1024x552.png\" alt=\"\" width=\"1024\" height=\"552\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-2-Campaign-Overview-1024x552.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-2-Campaign-Overview-300x162.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-2-Campaign-Overview-768x414.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-2-Campaign-Overview-1536x828.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-2-Campaign-Overview-205x111.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-2-Campaign-Overview.png 2014w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-166588\" class=\"wp-caption-text\">Figure 2 Campaign Overview<\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">The generic theme of the email is invoice or legal related. These types of themes are more likely to be opened by the victim. An example email body and attachment are shown in Figures 3 and 4.<\/span><\/p>\n<figure id=\"attachment_166574\" aria-describedby=\"caption-attachment-166574\" style=\"width: 624px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166574\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-3-Email-Body.png\" alt=\"\" width=\"624\" height=\"234\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-3-Email-Body.png 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-3-Email-Body-300x113.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-3-Email-Body-205x77.png 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption id=\"caption-attachment-166574\" class=\"wp-caption-text\">Figure 3 Email Body<\/figcaption><\/figure>\n<figure id=\"attachment_166560\" aria-describedby=\"caption-attachment-166560\" style=\"width: 361px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166560\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-4-Attachment.png\" alt=\"\" width=\"361\" height=\"133\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-4-Attachment.png 361w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-4-Attachment-300x111.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-4-Attachment-205x76.png 205w\" sizes=\"auto, (max-width: 361px) 100vw, 361px\" \/><figcaption id=\"caption-attachment-166560\" class=\"wp-caption-text\">Figure 4 Attachment<\/figcaption><\/figure>\n<h2><b><span data-contrast=\"auto\">A Deep Dive into OneNote File Format<\/span><\/b><\/h2>\n<h3><b><span data-contrast=\"auto\">File Header<\/span><\/b><\/h3>\n<p><span data-contrast=\"auto\">To understand how the data is laid out in the file, we need to examine it at the byte level. A close look at a OneNote document gives an interesting observation: the magic bytes of its header are not a trivial sequence. Figure 5 shows the first 16 bytes of the document binary.<\/span><\/p>\n<figure id=\"attachment_166546\" aria-describedby=\"caption-attachment-166546\" style=\"width: 703px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166546\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-5-OneNote-Header.png\" alt=\"\" width=\"703\" height=\"218\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-5-OneNote-Header.png 703w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-5-OneNote-Header-300x93.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-5-OneNote-Header-205x64.png 205w\" sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><figcaption id=\"caption-attachment-166546\" class=\"wp-caption-text\">Figure 5 OneNote Header<\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">The first 16 bytes need to be interpreted as the GUID value {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}. We can use the official OneNote specification to make sense of all the bytes and their structure. Figure 6 shows the header information taken from the OneNote specification document.<\/span><\/p>\n<figure id=\"attachment_166532\" aria-describedby=\"caption-attachment-166532\" style=\"width: 782px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166532\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-6-OneNote-Specification.png\" alt=\"\" width=\"782\" height=\"457\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-6-OneNote-Specification.png 782w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-6-OneNote-Specification-300x175.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-6-OneNote-Specification-768x449.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-6-OneNote-Specification-205x120.png 205w\" sizes=\"auto, (max-width: 782px) 100vw, 782px\" \/><figcaption id=\"caption-attachment-166532\" class=\"wp-caption-text\">Figure 6 OneNote Specification<\/figcaption><\/figure>\n<p><b><span data-contrast=\"auto\">The Data Stream in OneNote, Say Hello To FileDataStoreObject<\/span><\/b><\/p>\n<p><span data-contrast=\"auto\">To find the embedded data in a OneNote document, we need to learn more about the FileDataStoreObject, which has a GUID value of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. 
The structure that holds the data is shown below:<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">guidHeader<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Size: 16 bytes<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Value: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}<\/span><\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">cbLength<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Size: 8 bytes<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Value: Size of the data<\/span><\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">unused<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Size: 4 bytes<\/span><\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">reserved<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Size: 8 bytes<\/span><\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">FileData<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Size: Variable<\/span><\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">guidFooter<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Size: 16 bytes<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Value: {71FBA722-0F79-4A0B-BB13-899256426B24}<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">The FileData member of the FileDataStoreObject is the key member that holds the embedded data in the OneNote document. Its size can be retrieved from the cbLength member.<\/span><\/p>\n<p><span data-contrast=\"auto\">Figure 7 shows the \u201con disk\u201d representation of the FileDataStoreObject. This is taken from a malicious OneNote document used to spread the Qakbot payload. The guidHeader for the data object is highlighted in yellow and the data is shown in red. As is evident from the image, the data represents a text file, which is a script to launch PowerShell.<\/span><\/p>\n<figure id=\"attachment_166518\" aria-describedby=\"caption-attachment-166518\" style=\"width: 624px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166518\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-7-Embedded-data-in-Data-object.png\" alt=\"\" width=\"624\" height=\"359\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-7-Embedded-data-in-Data-object.png 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-7-Embedded-data-in-Data-object-300x173.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-7-Embedded-data-in-Data-object-205x118.png 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption id=\"caption-attachment-166518\" class=\"wp-caption-text\">Figure 7 Embedded data in Data 
object<\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">For more information on the OneNote specification, see the reference section.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h3><b><span data-contrast=\"auto\">Artifact Extraction\u00a0<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">Now that we know what the data object is, we can automate the extraction of embedded artifacts from a OneNote document for further analysis by following the algorithm below.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\u25cf\" data-font=\"Arial\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Arial&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\u25cf&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Search for the FileDataStoreObject GUID in the binary.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\u25cf\" data-font=\"Arial\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Arial&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\u25cf&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span 
data-contrast=\"auto\">Interpret the FileDataStoreObject structure\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\u25cf\" data-font=\"Arial\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Arial&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\u25cf&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Retrieve cbLength member (size of the data represented by FileDataStoreObject)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\u25cf\" data-font=\"Arial\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Arial&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\u25cf&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Read N bytes (cbLength) after Reserved 8 bytes in FileDataStoreObject.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\u25cf\" data-font=\"Arial\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Arial&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\u25cf&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" 
aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Dump the bytes read onto disk.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\u25cf\" data-font=\"Arial\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Arial&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\u25cf&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Repeat the above steps for every FileDataStoreObject present in the binary.<\/span><\/li>\n<\/ul>\n<h2><b><span data-contrast=\"auto\">Embedded Executable Objects In OneNote\u00a0<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<h3><b><span data-contrast=\"auto\">Execution Of Embedded Entities\u00a0<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">Looking at the runtime characteristics of the OneNote desktop application, we observed that when the user executes an embedded file, it is stored temporarily in the OneNote directory under the user\u2019s Temp location. 
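<\/span><\/p>\n<p><span data-contrast=\"auto\">The Artifact Extraction algorithm above, carried out in working code as an added example (not the authors' tool): it scans a .one file for the on-disk guidHeader of each FileDataStoreObject, reads cbLength, skips the unused and reserved bytes, bounds-checks the length, verifies that guidFooter follows the data, and types each payload by its magic bytes rather than by any file name. The GUID values and member layout follow MS-ONESTORE section 2.6.13; the zero padding of FileData to 8 bytes before guidFooter and the classify heuristics are assumptions, and the sample document is constructed inside the block, not a real campaign file.<\/span><\/p>\n

```python
# Carve embedded files (FileDataStoreObject payloads) out of a OneNote .one binary.
# Added example for this write-up; member layout and GUIDs follow MS-ONESTORE 2.6.13.
import struct
import sys
import uuid
from dataclasses import dataclass
from pathlib import Path
from typing import List

# On-disk form of the GUIDs: first three fields are little-endian, hence bytes_le.
GUID_HEADER = uuid.UUID('{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}').bytes_le
GUID_FOOTER = uuid.UUID('{71FBA722-0F79-4A0B-BB13-899256426B24}').bytes_le

# guidHeader(16) | cbLength(8, LE) | unused(4) | reserved(8) | FileData(cbLength) | guidFooter(16)
CB_LENGTH_OFFSET = 16
DATA_OFFSET = 16 + 8 + 4 + 8
ALIGN = 8  # assumption: FileData is zero-padded to 8 bytes before guidFooter

NL = bytes.fromhex('0d0a')  # CRLF, spelled in hex to keep the sample free of escapes


@dataclass
class EmbeddedFile:
    offset: int      # file offset of the guidHeader
    length: int      # cbLength as stored
    data: bytes      # FileData
    footer_ok: bool  # guidFooter found where cbLength says it should be
    kind: str        # coarse type from magic bytes, never from a file name


def classify(data: bytes) -> str:
    '''Type the payload by content; a DLL saved with a .png name still starts with MZ.'''
    head = data[:64]
    if head.startswith(b'MZ'):
        return 'pe'
    if head.startswith(bytes.fromhex('504b0304')):
        return 'zip'
    if head.startswith(bytes.fromhex('89504e470d0a1a0a')):
        return 'png'
    low = head.lower()
    if b'<html' in low or b'<script' in low or b'<hta:application' in low:
        return 'hta/html'
    if low.lstrip().startswith(b'@echo') or b'powershell' in low or b'cmd ' in low:
        return 'script'
    return 'unknown'


def carve(blob: bytes) -> List[EmbeddedFile]:
    '''Walk every FileDataStoreObject in blob, bounds-checking cbLength as we go.'''
    found: List[EmbeddedFile] = []
    pos = blob.find(GUID_HEADER)
    while pos != -1:
        if pos + DATA_OFFSET > len(blob):
            break  # header without room for the fixed-size members
        (cb_length,) = struct.unpack_from('<Q', blob, pos + CB_LENGTH_OFFSET)
        start = pos + DATA_OFFSET
        end = start + cb_length
        if end > len(blob):
            # cbLength runs past EOF: corrupt or deliberately bogus; skip this header
            pos = blob.find(GUID_HEADER, pos + 16)
            continue
        # Footer must follow FileData directly or after at most ALIGN-1 padding bytes
        footer_ok = GUID_FOOTER in blob[end:end + ALIGN + 16]
        data = blob[start:end]
        found.append(EmbeddedFile(pos, cb_length, data, footer_ok, classify(data)))
        pos = blob.find(GUID_HEADER, end)
    return found


def dump(files: List[EmbeddedFile], out_dir: Path) -> List[Path]:
    '''Write each payload as <offset>.<kind>.bin; names inside the document are not trusted.'''
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for f in files:
        path = out_dir / ('%08x.%s.bin' % (f.offset, f.kind.replace('/', '_')))
        path.write_bytes(f.data)
        written.append(path)
    return written


def make_object(data: bytes) -> bytes:
    '''Constructed FileDataStoreObject for testing, with zero padding to 8 bytes.'''
    pad = (-len(data)) % ALIGN
    return (GUID_HEADER + struct.pack('<Q', len(data)) + bytes(4) + bytes(8)
            + data + bytes(pad) + GUID_FOOTER)


def build_sample_document() -> bytes:
    '''Constructed .one-like blob: a batch script, a PE stub, and a trailing header
    whose cbLength points past EOF (must be skipped, not crash the carver).'''
    batch = b'@echo off' + NL + b'whoami' + NL
    pe_stub = b'MZ' + bytes(62)
    bogus = GUID_HEADER + struct.pack('<Q', 1 << 40) + bytes(12)
    return bytes(32) + make_object(batch) + bytes(5) + make_object(pe_stub) + bogus


if __name__ == '__main__':
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    blob = target.read_bytes() if target else build_sample_document()
    for f in carve(blob):
        print('offset=0x%x length=%d kind=%s footer_ok=%s' % (f.offset, f.length, f.kind, f.footer_ok))
    if target:
        dump(carve(blob), target.with_suffix('.carved'))
```

\n<p><span data-contrast=\"auto\">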
Each directory with GUID values represents a different document opened in the OneNote application.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166504\" aria-describedby=\"caption-attachment-166504\" style=\"width: 756px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166504\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-8-OneNote-directory-in-Temp.png\" alt=\"\" width=\"756\" height=\"135\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-8-OneNote-directory-in-Temp.png 756w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-8-OneNote-directory-in-Temp-300x54.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-8-OneNote-directory-in-Temp-205x37.png 205w\" sizes=\"auto, (max-width: 756px) 100vw, 756px\" \/><figcaption id=\"caption-attachment-166504\" class=\"wp-caption-text\">Figure 8 OneNote directory in Temp<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW92747738 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW92747738 BCX0\">By analyzing numerous malicious documents, we have been able to create a \u201ctest\u201d OneNote document that executes a batch file that contains the \u201c<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW92747738 BCX0\">whoami<\/span><span class=\"NormalTextRun SCXW92747738 BCX0\">\u201d command. 
<\/span><span class=\"NormalTextRun SCXW92747738 BCX0\">The image in Figure 9 shows the batch file being created in the user&#8217;s temp location.<\/span><\/span><span class=\"EOP SCXW92747738 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166490\" aria-describedby=\"caption-attachment-166490\" style=\"width: 732px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166490\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-9-OneNote-drops-embedded-artifacts-in-Temp-directory.png\" alt=\"\" width=\"732\" height=\"147\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-9-OneNote-drops-embedded-artifacts-in-Temp-directory.png 732w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-9-OneNote-drops-embedded-artifacts-in-Temp-directory-300x60.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-9-OneNote-drops-embedded-artifacts-in-Temp-directory-205x41.png 205w\" sizes=\"auto, (max-width: 732px) 100vw, 732px\" \/><figcaption id=\"caption-attachment-166490\" class=\"wp-caption-text\">Figure 9 OneNote drops embedded artifacts in Temp directory<\/figcaption><\/figure>\n<h2><b><span data-contrast=\"none\">Qakbot Campaign 1:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"none\">This section contains 
specific details on a Qakbot campaign. In campaign 1, the malware author used phishing emails to deliver a malicious OneNote document, either as an attachment or as a URL link to a zip file containing the OneNote document. The OneNote document contained an HTA file that, once executed, used the curl utility to download Qakbot and then execute it.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<h3><b><span data-contrast=\"auto\">Infection Flow:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_166476\" aria-describedby=\"caption-attachment-166476\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-166476\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-10-Infection-Chain-1024x624.png\" alt=\"\" width=\"1024\" height=\"624\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-10-Infection-Chain-1024x624.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-10-Infection-Chain-300x183.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-10-Infection-Chain-768x468.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-10-Infection-Chain-1536x936.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-10-Infection-Chain-205x125.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-10-Infection-Chain.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-166476\" class=\"wp-caption-text\">Figure 10 Infection Chain<\/figcaption><\/figure>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Spam email delivers a malicious OneNote file as an attachment or a link to a ZIP file that contains a OneNote file.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The OneNote file contains an embedded HTA attachment and a fake message to lure users into executing the HTA file.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The HTA file uses the curl utility to download the Qakbot payload, which is then executed by 
rundll32.exe.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2><b><span data-contrast=\"auto\">Technical Analysis:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The OneNote file with the embedded HTA file is shown in Figure 11. Once this OneNote file is opened, it prompts the user with a fake message to double-click Open to view the attachment.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166462\" aria-describedby=\"caption-attachment-166462\" style=\"width: 780px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166462\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-11-OneNote-Template.png\" alt=\"\" width=\"780\" height=\"367\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-11-OneNote-Template.png 780w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-11-OneNote-Template-300x141.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-11-OneNote-Template-768x361.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-11-OneNote-Template-205x96.png 205w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><figcaption id=\"caption-attachment-166462\" class=\"wp-caption-text\">Figure 11 OneNote Template<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW214658402 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214658402 BCX0\">Upon clicking the <\/span><\/span><span class=\"TextRun SCXW214658402 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214658402 
BCX0\">Open<\/span><\/span><span class=\"TextRun SCXW214658402 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214658402 BCX0\"> button, it drops the HTA file with the name <\/span><\/span><span class=\"TextRun SCXW214658402 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214658402 BCX0\">Open.hta<\/span><\/span><span class=\"TextRun SCXW214658402 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214658402 BCX0\"> to the <\/span><\/span><span class=\"TextRun SCXW214658402 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214658402 BCX0\">%temp%<\/span><\/span><span class=\"TextRun SCXW214658402 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214658402 BCX0\"> Folder and executes it using mshta.exe.<\/span><\/span><span class=\"EOP SCXW214658402 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166448\" aria-describedby=\"caption-attachment-166448\" style=\"width: 802px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166448\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-12-Drop-file-in-Temp-location.png\" alt=\"\" width=\"802\" height=\"189\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-12-Drop-file-in-Temp-location.png 802w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-12-Drop-file-in-Temp-location-300x71.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-12-Drop-file-in-Temp-location-768x181.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-12-Drop-file-in-Temp-location-205x48.png 205w\" sizes=\"auto, (max-width: 802px) 100vw, 
802px\" \/><figcaption id=\"caption-attachment-166448\" class=\"wp-caption-text\">Figure 12 Drop file in Temp location<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW100083135 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW100083135 BCX0\">The HTA file contains obfuscated script as shown <\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW100083135 BCX0\">below:<\/span><\/span><span class=\"EOP SCXW100083135 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166434\" aria-describedby=\"caption-attachment-166434\" style=\"width: 802px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166434\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-13-Obfuscated-HTA-script.png\" alt=\"\" width=\"802\" height=\"477\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-13-Obfuscated-HTA-script.png 802w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-13-Obfuscated-HTA-script-300x178.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-13-Obfuscated-HTA-script-768x457.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-13-Obfuscated-HTA-script-205x122.png 205w\" sizes=\"auto, (max-width: 802px) 100vw, 802px\" \/><figcaption id=\"caption-attachment-166434\" class=\"wp-caption-text\">Figure 13 Obfuscated HTA script<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW107901952 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW107901952 BCX0\">The HTA file is loaded by MSHTA and creates a registry key in <\/span><\/span><span class=\"TextRun SCXW107901952 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW107901952 
HKEY">
BCX0\">HKEY_CURRENT_USER\\SOFTWARE\\<\/span><\/span><span class=\"TextRun SCXW107901952 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW107901952 BCX0\"> with obfuscated content as shown below:<\/span><\/span><span class=\"EOP SCXW107901952 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166420\" aria-describedby=\"caption-attachment-166420\" style=\"width: 731px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166420\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-14-Registry-key-creation.png\" alt=\"\" width=\"731\" height=\"155\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-14-Registry-key-creation.png 731w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-14-Registry-key-creation-300x64.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-14-Registry-key-creation-205x43.png 205w\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" \/><figcaption id=\"caption-attachment-166420\" class=\"wp-caption-text\">Figure 14 Registry key creation<\/figcaption><\/figure>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The obfuscated registry content is then read back by MSHTA and de-obfuscated. 
The de-obfuscated code is then used to create a new function object, as shown in Block 1.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Finally, MSHTA calls this function, passing the malicious URL as a parameter, and then deletes the registry key, as shown in Block 2.<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">De-obfuscated content from the HTA file is shown below:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166406\" aria-describedby=\"caption-attachment-166406\" style=\"width: 802px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166406\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-15-Deobfuscated-HTA-content.png\" alt=\"\" width=\"802\" height=\"236\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-15-Deobfuscated-HTA-content.png 802w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-15-Deobfuscated-HTA-content-300x88.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-15-Deobfuscated-HTA-content-768x226.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-15-Deobfuscated-HTA-content-205x60.png 205w\" sizes=\"auto, (max-width: 802px) 100vw, 802px\" \/><figcaption 
id=\"caption-attachment-166406\" class=\"wp-caption-text\">Figure 15 Deobfuscated HTA content<\/figcaption><\/figure>\n<ul>\n<li><span class=\"TextRun SCXW189281370 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW189281370 BCX0\">Curl is used to download the malicious DLL file in <\/span><\/span><span class=\"TextRun SCXW189281370 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW189281370 BCX0\">C:\\ProgramData<\/span><\/span><span class=\"TextRun SCXW189281370 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW189281370 BCX0\"> Folder with <\/span><\/span><span class=\"TextRun SCXW189281370 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW189281370 BCX0\">.png extension. The script will then execute the downloaded file with Rundll32.exe with the export function Wind.<\/span><\/span><\/li>\n<\/ul>\n<figure id=\"attachment_166392\" aria-describedby=\"caption-attachment-166392\" style=\"width: 680px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166392\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-16-Downloaded-payload-in-ProgramData.png\" alt=\"\" width=\"680\" height=\"137\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-16-Downloaded-payload-in-ProgramData.png 680w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-16-Downloaded-payload-in-ProgramData-300x60.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-16-Downloaded-payload-in-ProgramData-205x41.png 205w\" sizes=\"auto, (max-width: 680px) 100vw, 680px\" \/><figcaption id=\"caption-attachment-166392\" class=\"wp-caption-text\">Figure 16 Downloaded payload in ProgramData<\/figcaption><\/figure>\n<ul>\n<li><span class=\"TextRun SCXW153056017 BCX0\" 
lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW153056017 BCX0\">A fake error message is displayed after loading the downloaded payload and MSHTA is terminated.\u00a0<\/span><\/span><span class=\"EOP SCXW153056017 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_166378\" aria-describedby=\"caption-attachment-166378\" style=\"width: 476px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166378\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-17-Fake-error-message.png\" alt=\"\" width=\"476\" height=\"232\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-17-Fake-error-message.png 476w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-17-Fake-error-message-300x146.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-17-Fake-error-message-205x100.png 205w\" sizes=\"auto, (max-width: 476px) 100vw, 476px\" \/><figcaption id=\"caption-attachment-166378\" class=\"wp-caption-text\">Figure 17 Fake error message<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW216015544 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW216015544 BCX0\">Figure 1<\/span><span class=\"NormalTextRun SCXW216015544 BCX0\">8<\/span><span class=\"NormalTextRun SCXW216015544 BCX0\"> shows the <\/span><span class=\"NormalTextRun CommentStart SCXW216015544 BCX0\">process tree of Qakbot:<\/span><\/span><span class=\"EOP SCXW216015544 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166364\" aria-describedby=\"caption-attachment-166364\" style=\"width: 819px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" 
class=\"size-full wp-image-166364\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-18-Process-Chain.png\" alt=\"\" width=\"819\" height=\"126\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-18-Process-Chain.png 819w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-18-Process-Chain-300x46.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-18-Process-Chain-768x118.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-18-Process-Chain-205x32.png 205w\" sizes=\"auto, (max-width: 819px) 100vw, 819px\" \/><figcaption id=\"caption-attachment-166364\" class=\"wp-caption-text\">Figure 18 Process Chain<\/figcaption><\/figure>\n<h2><b><span data-contrast=\"auto\">IOCs:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h2>\n<table data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\" aria-rowcount=\"4\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Type<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Value<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Product<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Detected<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Campaign 1 &#8211; OneNote File<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">88c24db6c7513f47496d2e4b81331af60a70cf8fb491540424d2a0be0b62f5ea<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">VBS\/Qakbot.a<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Campaign 1 &#8211; HTA File<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">e85f2b92c0c2de054af2147505320e0ce955f08a2ff411a34dce69c28b11b4e4<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Total Protection and LiveSafe<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">VBS\/Qakbot.b<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Campaign 1 &#8211; DLL File<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">15789B9b6f09ab7a498eebbe7c63b21a6a64356c20b7921e11e01cd7b1b495e3<\/span><span data-ccp-props=\"{&quot;201341983&quot;:2,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:420}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Qakbot-FMZ<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><b><span data-contrast=\"auto\">Campaign 2:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h2>\n<h3><b><span data-contrast=\"auto\">Examining Malicious OneNote Documents<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">The OneNote document 
for campaign 2 is shown in Figure 19. At first glance it appears that there is an \u2018Open\u2019 button embedded within the document. The message above the \u2018Open\u2019 button instructs the user to \u201cdouble click\u201d in order to receive the attachment.<\/span><\/p>\n<figure id=\"attachment_166350\" aria-describedby=\"caption-attachment-166350\" style=\"width: 623px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166350\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-19-Malicious-content.png\" alt=\"\" width=\"623\" height=\"368\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-19-Malicious-content.png 623w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-19-Malicious-content-300x177.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-19-Malicious-content-205x121.png 205w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><figcaption id=\"caption-attachment-166350\" class=\"wp-caption-text\">Figure 19 Malicious content<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW228158291 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW228158291 BCX0\">A closer look at the document reveals that the graphical elements are all images placed in a layered style by the malicious actor. 
By moving the icons aside, we can see the malicious batch file which, when executed, downloads the payload from the Internet and executes it on the target system.<\/span><\/span><span class=\"EOP SCXW228158291 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166336\" aria-describedby=\"caption-attachment-166336\" style=\"width: 654px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-166336 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-20-Hidden-Malicious-dropper-script.png\" alt=\"Figure 20 Hidden Malicious dropper script\" width=\"654\" height=\"239\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-20-Hidden-Malicious-dropper-script.png 654w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-20-Hidden-Malicious-dropper-script-300x110.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-20-Hidden-Malicious-dropper-script-205x75.png 205w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><figcaption id=\"caption-attachment-166336\" class=\"wp-caption-text\">Figure 20 Hidden Malicious dropper script<\/figcaption><\/figure>\n<p><b><span data-contrast=\"auto\">Execution Of Payload Dropper<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Upon execution of the batch file, PowerShell is invoked to fetch the Qakbot payload from the Internet and execute it on the target system. This section covers the details of the dropper script used to deploy Qakbot. 
Figure 21 shows the process tree after the script executes: powershell.exe was launched by cmd.exe, and the parent of cmd.exe is onenote.exe.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166322\" aria-describedby=\"caption-attachment-166322\" style=\"width: 274px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166322\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-21-Process-chain.png\" alt=\"\" width=\"274\" height=\"123\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-21-Process-chain.png 274w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-21-Process-chain-205x92.png 205w\" sizes=\"auto, (max-width: 274px) 100vw, 274px\" \/><figcaption id=\"caption-attachment-166322\" class=\"wp-caption-text\">Figure 21 Process chain<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW115850083 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW115850083 BCX0\">The properties of process cmd.exe (PID 7176) are shown below.<\/span><\/span><span class=\"EOP SCXW115850083 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_166308\" aria-describedby=\"caption-attachment-166308\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166308\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-22-Cmd.exe-properties.png\" alt=\"\" width=\"650\" height=\"147\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-22-Cmd.exe-properties.png 650w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-22-Cmd.exe-properties-300x68.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-22-Cmd.exe-properties-205x46.png 205w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-166308\" class=\"wp-caption-text\">Figure 22 Cmd.exe properties<\/figcaption><\/figure>\n<p><span class=\"NormalTextRun SCXW39048421 BCX0\">The base64-decoded batch file is shown in Figure 23. It uses PowerShell to download the payload and then executes it with rundll32.exe.<\/span><\/p>\n<figure id=\"attachment_166294\" aria-describedby=\"caption-attachment-166294\" style=\"width: 624px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-166294\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-23-Base64-Decoded-instructions-in-dropper.png\" alt=\"\" width=\"624\" height=\"149\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-23-Base64-Decoded-instructions-in-dropper.png 624w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-23-Base64-Decoded-instructions-in-dropper-300x72.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/Figure-23-Base64-Decoded-instructions-in-dropper-205x49.png 205w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption id=\"caption-attachment-166294\" class=\"wp-caption-text\">Figure 23 Base64 Decoded instructions in dropper<\/figcaption><\/figure>\n<h2><b><span data-contrast=\"auto\">IOCs<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<table 
data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\" aria-rowcount=\"5\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Type<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Value<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Product<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Detected<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Campaign 2 &#8211; Zip File<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">000fb3799a741d80156c512c792ce09b9c4fbd8db108d63f3fdb0194c122e2a1<\/span><span data-ccp-props=\"{&quot;201341983&quot;:2,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:420}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">VBS\/Qakbot.a<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Campaign 2 &#8211; OneNote File<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">2bbfc13c80c7c6e77478ec38d499447288adc78a2e4b3f8da6223db9e3ac2d75<\/span><span data-ccp-props=\"{&quot;201341983&quot;:2,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:420}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">One\/Downloader.a<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Campaign 2 &#8211; PowerShell File<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424<\/span><span data-ccp-props=\"{&quot;201341983&quot;:2,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:420}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">PS\/Agent.gs<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Campaign 2 &#8211; OneNote File<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860<\/span><span data-ccp-props=\"{&quot;201341983&quot;:2,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:420}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"65536\"><span data-contrast=\"none\">VBS\/Qakbot.a<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><b><span data-contrast=\"auto\">Domains:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">starcomputadoras.com<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2><b><span data-contrast=\"auto\">Conclusion:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:360}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Malware authors are getting more sophisticated when it comes to hiding their payloads. This blog highlights a recent Qakbot campaign that uses the OneNote application as the delivery mechanism for its payload. 
McAfee Customers<\/span><span data-contrast=\"none\"> should keep their systems up-to-date and refrain from clicking links and opening attachments in suspicious emails to stay protected.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>\n<h2><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><b><span data-contrast=\"auto\">References:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:360}\">\u00a0<\/span><\/h2>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/office_file_formats\/ms-onestore\/405b958b-4cb7-4bac-81cc-ce0184249670\"><span data-contrast=\"auto\">https:\/\/learn.microsoft.com\/en-us\/openspecs\/office_file_formats\/ms-onestore\/405b958b-4cb7-4bac-81cc-ce0184249670<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:276}\">\u00a0<\/span><\/a><\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/office_file_formats\/ms-onestore\/8806fd18-6735-4874-b111-227b83eaac26\"><span data-contrast=\"auto\">https:\/\/learn.microsoft.com\/en-us\/openspecs\/office_file_formats\/ms-onestore\/8806fd18-6735-4874-b111-227b83eaac26<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M\u00a0 McAfee Labs has recently observed a new Malware campaign which used malicious OneNote 
documents&#8230;<\/p>\n","protected":false},"author":695,"featured_media":166632,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[15782,180,15783,4059,15785,15786,15781,15784],"coauthors":[4136],"class_list":["post-166243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-document-safety","tag-malware","tag-malware-on-documents","tag-microsoft","tag-microsoft-365","tag-microsoft-one-note","tag-one-note","tag-onenote"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Rising Trend of OneNote Documents for Malware delivery | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M\u00a0 McAfee Labs has recently observed a new Malware campaign which used malicious OneNote\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Rising Trend of OneNote Documents for Malware delivery | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M\u00a0 McAfee Labs has recently observed a new Malware campaign which used malicious OneNote\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta 
property=\"article:published_time\" content=\"2023-03-30T23:37:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-11T18:17:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"The Rising Trend of OneNote Documents for Malware 
delivery\",\"datePublished\":\"2023-03-30T23:37:03+00:00\",\"dateModified\":\"2023-07-11T18:17:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/\"},\"wordCount\":1902,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png\",\"keywords\":[\"document safety\",\"malware\",\"malware on documents\",\"Microsoft\",\"microsoft 365\",\"Microsoft One Note\",\"One Note\",\"Onenote\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/\",\"name\":\"The Rising Trend of OneNote Documents for Malware delivery | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png\",\"datePublished\":\"2023-03-30T23:37:03+00:00\",\"dateModified\":\"2023-07-11T18:17:08+00:00\",\"description\":\"Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M\u00a0 McAfee Labs has recently observed a new Malware campaign which used malicious 
OneNote\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"The Rising Trend of OneNote Documents for Malware delivery\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Rising Trend of OneNote Documents for Malware delivery | McAfee Blog","description":"Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M\u00a0 McAfee Labs has recently observed a new Malware campaign which used malicious OneNote","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"The Rising Trend of OneNote Documents for Malware delivery | McAfee Blog","og_description":"Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M\u00a0 McAfee Labs has recently observed a new Malware campaign which used malicious OneNote","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2023-03-30T23:37:03+00:00","article_modified_time":"2023-07-11T18:17:08+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"The Rising Trend of OneNote Documents for Malware delivery","datePublished":"2023-03-30T23:37:03+00:00","dateModified":"2023-07-11T18:17:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/"},"wordCount":1902,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png","keywords":["document safety","malware","malware on documents","Microsoft","microsoft 365","Microsoft One Note","One Note","Onenote"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/","name":"The Rising Trend of OneNote Documents for Malware delivery | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png","datePublished":"2023-03-30T23:37:03+00:00","dateModified":"2023-07-11T18:17:08+00:00","description":"Authored By Anandeshwar Unnikrishnan,Sakshi Jaiswal,Anuradha M\u00a0 McAfee Labs has recently observed a new Malware campaign which used malicious OneNote","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/03\/300x200_Blog_One-Note-Malware.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rising-trend-of-onenote-documents-for-malware-delivery\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee 
Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"The Rising Trend of OneNote Documents for Malware delivery"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is 
one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/166243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=166243"}],"version-history":[{"count":8,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/166243\/revisions"}],"predecessor-version":[{"id":171483,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/166243\/revisions\/171483"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/166632"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=166243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=166243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=166243"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=166243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}