Suspicious File Created Via OneNote Application

 1title: Suspicious File Created Via OneNote Application
 2id: fcc6d700-68d9-4241-9a1a-06874d621b06
 3status: test
 4description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
 5references:
 6    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
 7    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
 8    - https://twitter.com/MaD_c4t/status/1623414582382567424
 9    - https://labs.withsecure.com/publications/detecting-onenote-abuse
10    - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
11    - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2023-02-09
14modified: 2023-02-27
15tags:
16    - attack.defense-evasion
17logsource:
18    category: file_event
19    product: windows
20detection:
21    selection:
22        Image|endswith:
23            - '\onenote.exe'
24            - '\onenotem.exe'
25            - '\onenoteim.exe'
26        TargetFilename|contains: '\AppData\Local\Temp\OneNote\'
27        TargetFilename|endswith:
28            # TODO: Add more suspicious extensions
29            - '.bat'
30            - '.chm'
31            - '.cmd'
32            - '.dll'
33            - '.exe'
34            - '.hta'
35            - '.htm'
36            - '.html'
37            - '.js'
38            - '.lnk'
39            - '.ps1'
40            - '.vbe'
41            - '.vbs'
42            - '.wsf'
43    condition: selection
44falsepositives:
45    - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
46    - Occasional FPs might occur if OneNote is used internally to share different embedded documents
47level: high

References

• Hackers now use Microsoft OneNote attachments to spread malware

  

  Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.

  
  Read More

• Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT | OSArmor Blog

  

  Users reported some malicious Microsoft OneNote documents in the past days that lead to AsyncRAT, a remote administration tool used to control and monitor

  
  Read More

• x.com

  
  Read More

• Detecting OneNote Abuse

  

  OneNote is a software part of the Office suite, commonly used within most organisations for note-keeping, task management and more. In the last year, OneNote gained more attention from a security perspective, mostly thanks to the research paper published by Emeric Nasi.

  
  Read More

• New Attacks, Old Tricks: How OneNote Malware is Evolving

  

  1    Analysis of OneNote Malware A lot of information has been circulating regarding the distribution of malware through OneNote, so I thought it would be fun to look at a sample. It turns out ther...

  
  Read More

• Analysis 52486a446dd4fc5842a47b57d3febec7.one.vir (MD5: 52486A446DD4FC5842A47B57D3FEBEC7) Suspicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

Related rules

• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType
• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity