Overview
With our latest release, VMRay Platform version 2023.2, we introduced support for Microsoft OneNote documents, recently abused by multiple threat actors. As announced in a recent blog post, the VMRay Platform continuously extends its capabilities to ensure our product is still able to deal with the latest trends used by threat actors.
In this blog post, we take a look at a malicious OneNote document that has been observed to deliver Emotet, one of the most infamous loaders acting as an entry point for further attacks. This shows how the VMRay Platform adds additional security measures to protect businesses and their assets from such attacks.
The Initial Infection Vector
Malicious documents that are part of the initial infection vector are typically distributed as email attachments. VMRay Platform provides the technology to analyze the whole delivery chain, starting from the email itself, but for this spotlight, we will skip the email and directly take a look at the attached OneNote document.
As shown in Figure 1, the sample contains an image telling the viewer that the content is protected. This resembles prior attacks where attacker-crafted images masquerade as a message from the application.
The goal is simple: behind the fake “View” button hides a malicious script that is waiting to be executed by a simple double-click, so the misleading description is trying to trick the user into performing this action. While previous delivery chains based on other Microsoft Office applications, such as Microsoft Word or Excel, had to convince a user to enable macros by clicking on a real button provided by the application, attacks based on OneNote hide their scripts behind a button-like picture.
One can actually look behind the curtain and understand how this malicious document was crafted by hovering over the fake button: OneNote lets us know that a hidden Windows Script File (WSF), a popular script format used to deliver malware, is located here (see Figure 2, left).
This becomes more obvious when we move the whole image and reveal the malicious script file that is hiding in the background (see Figure 2, right), waiting to be activated by a double click. This is a valid functionality provided by OneNote to add attachments to the document.
An attacker can just use drag and drop to implant the malicious script file into the notebook, where it then appears with its icon. The background image is then used to hide the file as well as to provide fake instructions on how to open the document.
With the recent release of version 2023.2, VMRay Platform now allows deep analysis of OneNote-based delivery methods. This is directly visible when uploading the file either via the console or via the API, as the filetype is recognized as a OneNote document (see Figure 3).
As soon as the submit button is pressed, VMRay schedules the job and kicks off its static file analysis for the document, revealing its malicious indicators.
The static analysis performed by the VMRay Platform inspects the submitted document and extracts the embedded files, if any. Depending on the type of the extracted file, which in this case is a Windows Script File (WSF), it will be automatically submitted recursively for a dynamic analysis.
This is similar to how OneNote itself handles embedded files: they are dropped into a temporary directory, and Windows executes them based on their default file extension handlers. Besides improving the performance, this allows us to skip the additional overhead of monitoring OneNote itself.
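The extraction step described above can be approximated with a small static triage script. This is an added example, not VMRay's implementation: it scans for the FileDataStoreObject framing defined in the MS-ONESTORE specification, carves each embedded file, and guesses its type from content. The type labels, the resubmission policy and the sample buffer are assumptions constructed for illustration.

```python
import struct
import uuid

# FileDataStoreObject framing per MS-ONESTORE: header GUID, 8-byte length,
# 4 unused bytes, 8 reserved bytes, file bytes, padding, footer GUID.
HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
PREFIX_LEN = 16 + 8 + 4 + 8
RESUBMIT = {"wsf", "pe"}  # assumed policy: types worth detonating


def classify(blob):
    """Content-based type guess (hypothetical triage labels)."""
    head = blob[:4096].lower()
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if blob.startswith(b"MZ"):
        return "pe"
    if b"<job" in head and b"<script" in head:
        return "wsf"
    return "unknown"


def extract_embedded(data):
    """Return (offset, type, bytes) for each embedded file object."""
    found = []
    pos = data.find(HEADER)
    while pos != -1 and pos + PREFIX_LEN <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + PREFIX_LEN
        if length <= len(data) - start:
            blob = data[start:start + length]
            found.append((pos, classify(blob), blob))
            pos = data.find(HEADER, start + length)
        else:  # declared length overruns the file: skip this marker
            pos = data.find(HEADER, pos + 1)
    return found


def resubmission_candidates(data):
    """Offsets and types of embedded files that warrant dynamic analysis."""
    return [(o, k) for o, k, _ in extract_embedded(data) if k in RESUBMIT]


def build_sample():
    """Constructed input, not a real notebook: a PNG stub and a benign WSF."""
    wsf = b'<job><script language="JScript">WScript.Echo("x");</script></job>'
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    def wrap(b):
        pad = b"\x00" * (-len(b) % 8)
        return HEADER + struct.pack("<QIQ", len(b), 0, 0) + b + pad + FOOTER
    return b"\x00" * 32 + wrap(png) + b"\x00" * 16 + wrap(wsf)
```

On the constructed buffer, the image stub is carved but ignored, while the script object is the only one returned as a candidate for dynamic analysis.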
In addition to a malicious verdict based on our YARA rules and a reputation lookup, the embedded scripts automatically triggered a recursive submission for a behavior-based analysis. The recursively submitted attachment also shows a malicious verdict based on the dynamic analysis that contributes to the verdict of the parent sample, as shown in Figure 4.
The Execution of the Final Payload
The goal of the recursively submitted script is to download and execute the final stage payload. In our example, the script communicates with its C2 servers to get a copy of Emotet which is then executed on the infected system.
Besides Emotet, we have also seen other malware families, such as QBot, IcedID, and AsyncRAT, among others, being delivered via OneNote documents, emphasizing the importance of OneNote support for sandboxes.
The dynamic analysis of the recursively submitted script reveals its actual malicious behavior as it provides deep insights into the steps executed by the script. Looking at VMRay’s Threat Identifiers (VTIs) shown in Figure 5, we can see that the script opened a network connection to its C2 server for downloading the payload.
Furthermore, it is also visible that the downloaded DLL has been loaded and executed on the system. Finally, the payload has been detected via YARA rules within the process memory, and due to VMRay’s malware configuration extraction feature, Emotet’s configuration has been extracted. This produces high-quality IOCs that can be further processed and used for hunting as well as proactively setting countermeasures.
Conclusion
VMRay continuously extends its set of features to provide capabilities for analyzing the latest threats.
As shown in this blog post, our most recent upgrade adds support for analyzing OneNote documents in depth, revealing potentially malicious files that target businesses. The extensive and detailed information provided by VMRay’s analysis reports as well as the generated high-quality IOCs can be used to improve the security against such attacks.
IOCs
Hashes:
Sample
ae2241765c1dc4e2cadf5c59592e2fbcc328b2b800846fd77f496da2737717ba
Extracted Script
11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56
Patrick Staubmann
Threat Researcher