OneNoteAnalyzer: analyzing malicious OneNote documents


OneNoteAnalyzer

A C# based tool for analyzing malicious OneNote documents

Description

Recently we came across a few malicious OneNote documents being distributed in the wild by various threat actors. This gave us the idea to develop “OneNoteAnalyzer”, a tool that helps in analysing such malicious OneNote documents without executing them. Let’s take a look at the features the tool offers.

Features

Given the file path of a malicious OneNote document, OneNoteAnalyzer extracts:

  • Attachments from OneNote Document along with the Actual Attachment Path, Filename, and size
  • Page MetaData from OneNote Document – Title, Author, CreationTime, LastModifiedTime
  • Images from OneNote Document along with the HyperLink URLs if any
  • Pagewise Text from OneNote Document
  • Hyperlinks from OneNote Document along with the overlay text
  • It also converts the OneNote Document to an image

Demonstration

In order to execute OneNoteAnalyzer against malicious OneNote Documents we provide the path of the OneNote Document as shown below.

Upon execution, OneNoteAnalyzer extracts the attachments from the OneNote document into the “OneNoteAttachments” folder. The actual attachment path, i.e. the path from which the attachment was uploaded, is shown in the console along with the extracted filename and the size of the attachment.

OneNote Attachments extracted in the OneNoteAttachments Folder:

Next, it extracts the Pagewise Metadata from the OneNote Document as shown below.

Then it also extracts all the images in the OneNote Document as shown below:

The extracted images are saved in the OneNoteImages folder as shown below.

Further, the tool extracts Pagewise Text from the OneNote Document and saves it in the OneNoteText folder, as shown in the screenshot below.

Additionally, it extracts HyperLinks from OneNote Documents along with the overlay text as shown in the screenshot below.

The extracted Hyperlinks are stored in the OneNoteHyperLinks Folder – onenote_hyperlinks.txt

Finally, the tool converts the OneNote document into an image and saves it as shown below.

Saved Image-1:

Saved Image-2:

Once execution is complete, the extracted data is stored in an export directory “OneNoteFilename_content” in the current working directory, as seen in the screenshot below.
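An added example, not part of OneNoteAnalyzer: a Python triage pass over the export directory described above that hashes each extracted attachment, flags script or executable extensions, and collects defanged URLs from onenote_hyperlinks.txt, without opening or running any extracted file. It assumes the OneNoteAttachments and OneNoteHyperLinks folders sit directly inside the export directory and that the hyperlinks file is plain text; the extension list, function names and sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed list of script/executable extensions worth flagging; adjust to taste.
RISKY_EXT = {".hta", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".lnk", ".exe", ".chm"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def defang(url):
    """Make a URL non-clickable for tickets and reports."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")

def triage_export(export_dir):
    """Summarise an export directory; files are only read as bytes, never executed."""
    root = Path(export_dir)
    report = {"attachments": [], "urls": []}
    att_dir = root / "OneNoteAttachments"  # assumed to sit inside the export dir
    if att_dir.is_dir():
        for p in sorted(att_dir.iterdir()):
            if p.is_file():
                data = p.read_bytes()
                report["attachments"].append({
                    "name": p.name,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "risky": p.suffix.lower() in RISKY_EXT,
                })
    links = root / "OneNoteHyperLinks" / "onenote_hyperlinks.txt"
    if links.is_file():
        text = links.read_text(encoding="utf-8", errors="replace")
        # Line format is not documented on this page, so match URLs anywhere; dedupe in order.
        report["urls"] = [defang(u) for u in dict.fromkeys(URL_RE.findall(text))]
    return report

def build_sample_export(base):
    """Constructed sample tree that mirrors the folder names on this page."""
    root = Path(base) / "sample_content"
    (root / "OneNoteAttachments").mkdir(parents=True)
    (root / "OneNoteHyperLinks").mkdir()
    (root / "OneNoteAttachments" / "invoice.hta").write_bytes(b"<html>constructed</html>")
    (root / "OneNoteAttachments" / "notes.txt").write_bytes(b"benign")
    (root / "OneNoteHyperLinks" / "onenote_hyperlinks.txt").write_text(
        "Click here -> http://example.com/a\nhttp://example.com/a\n", encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for section, rows in triage_export(build_sample_export(tmp)).items():
            print(section, rows)
```

The SHA-256 values can be checked against threat-intelligence sources, and the flagged attachments handed to a sandbox or static analysis.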

Install

Copyright (c) 2023 neeraj