While the abuse of OneNote documents is nothing new, a recent document I investigated turned out to hold multiple payloads in its page versions.
Typical Abuse
OneNote document abuse tends to involve simple lures that instruct users to double-click a button or image. The trick is that the button or image overlays a script or executable that the malware author wants executed. Often, the malicious file is copied multiple times so that no matter where the user double-clicks, they execute an instance of it. Even though there appear to be multiple files, they are all the same. Analysis typically involves extracting the embedded file(s).
Discovering More Payloads with Onedump
While you could simply copy/paste or drag/drop the file out of the document for analysis, this requires having OneNote installed. That's not a difficult requirement, as Microsoft offers it for free, but sometimes I don't have OneNote installed or it's just simpler to work from a terminal. This is where Didier Stevens' Python-based onedump utility comes in handy. Onedump, which is similar to oledump, lets you list and extract the embedded files.
Running the utility without any arguments lists the embedded files in the document. The PNG files are of no interest, but the script files at indexes 1, 4, and 7 are. The last column of the output is the MD5 hash of each file's content. Extracting the script from the document using OneNote, I generated its hash to confirm.
And they match! If that's the only file in the document, where are the other scripts stored?
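As an added example (it is not from the post and it is not Didier Stevens' onedump), here is a small Python script that does the same triage job from a terminal: it walks a .one file for FileDataStoreObject structures, which is how OneNote stores attached files, lists each one with its offset, guessed type and MD5, and groups identical blobs so that repeated copies of a single script stand out. The two GUIDs and the header layout are taken from Microsoft's MS-ONESTORE specification; the sample buffer at the bottom is constructed, and the 1-based index numbering and output format are choices of this example, not onedump's.

```python
"""List every embedded FileDataStoreObject in a OneNote (.one) byte stream.

Added example for this post; not Didier Stevens' onedump. GUIDs and layout
follow MS-ONESTORE (FileDataStoreObject); the rest is this example's own.
The SAMPLE_ONE buffer is constructed, not a real malware sample."""
import hashlib
import struct
import sys

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} / {71FBA722-0F79-4A0B-BB13-899256426B24}
# in their little-endian on-disk byte order.
HEADER_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FOOTER_GUID = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF8": "gif", b"MZ": "pe"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def guess_type(data: bytes) -> str:
    """Tiny magic-byte check; printable content is reported as text/script."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    head = data[:512]
    if head and all(b in b"\r\n\t" or 32 <= b < 127 for b in head):
        return "text/script"
    return "unknown"


def extract_embedded_files(buf: bytes) -> list:
    """One dict per FileDataStoreObject found anywhere in buf.

    The scan is over raw bytes, not the current page's object tree, so blobs
    referenced only from older page versions are found as well."""
    results = []
    pos = buf.find(HEADER_GUID)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", buf, pos + 16)  # cbLength
        data_start = pos + HEADER_SIZE
        data_end = data_start + length
        if data_end > len(buf):
            break  # truncated object: stop rather than read past the buffer
        data = buf[data_start:data_end]
        # The footer GUID should follow the data, possibly after a few pad bytes.
        footer_ok = FOOTER_GUID in buf[data_end:data_end + 8 + len(FOOTER_GUID)]
        results.append({"index": len(results) + 1, "offset": pos, "size": length,
                        "type": guess_type(data), "md5": md5_hex(data),
                        "footer_ok": footer_ok, "data": data})
        pos = buf.find(HEADER_GUID, data_end)
    return results


def group_by_hash(results: list) -> dict:
    """md5 -> list of indexes, so the 'many copies of one script' trick is obvious."""
    groups = {}
    for r in results:
        groups.setdefault(r["md5"], []).append(r["index"])
    return groups


def listing(results: list) -> list:
    return [f"{r['index']}: {r['type']:<12}{r['size']:>8} bytes  @0x{r['offset']:06x}  "
            f"{r['md5']}{'' if r['footer_ok'] else '  (footer missing)'}"
            for r in results]


def _fdso(data: bytes) -> bytes:
    """Wrap data in a FileDataStoreObject (only used to build the constructed sample)."""
    return HEADER_GUID + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FOOTER_GUID


# Constructed stand-in for a .one file: one PNG-like blob and two copies of one script.
SAMPLE_ONE = (b"\x00" * 64
              + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 20) + b"\x00" * 16
              + _fdso(b"echo constructed-sample\r\n") + b"\x00" * 16
              + _fdso(b"echo constructed-sample\r\n"))

if __name__ == "__main__":
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ONE
    found = extract_embedded_files(buf)
    print("\n".join(listing(found)))
    for digest, idx in group_by_hash(found).items():
        if len(idx) > 1:
            print(f"duplicate content {digest} at indexes {idx}")
```

Run it with the path of a .one file as the only argument, or with no argument to process the constructed sample. Because it scans raw bytes rather than the object tree of the page currently shown, blobs that only older page versions reference appear in the listing too, which is consistent with onedump reporting three scripts while the UI showed one.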
Viewing OneNote Page Versions
While we could just extract those files using Onedump, I was curious where they were stored in the OneNote document. After poking around the UI for a bit, I came across Page Versions under the History tab. In here, you can view previous versions of the OneNote document.
Restoring these versions revealed not only the use of the other images, but also the scripts.
Not the most exciting discovery, but interesting nonetheless. Sample referenced: https://bazaar.abuse.ch/sample/36d4b2e714d499fad827fa94dee1e2ef073574145b4fb4e4c47768500f8a92e2/