OneNoteAnalyzer: analyzing malicious OneNote documents
A C# based tool for analyzing malicious OneNote documents
Recently we came across a few malicious OneNote Documents being distributed in the wild by various threat actors. This gave us the idea to develop “OneNoteAnalyzer” which would help in analysing such malicious OneNote documents without executing them. Now let’s take a look at the features that the tool offers.
Given the file path of a malicious OneNote document, OneNoteAnalyzer extracts:
- Attachments from OneNote Document along with the Actual Attachment Path, Filename, and size
- Page MetaData from OneNote Document – Title, Author, CreationTime, LastModifiedTime
- Images from OneNote Document along with the HyperLink URLs if any
- Pagewise Text from OneNote Document
- Hyperlinks from OneNote Document along with the overlay text
- It also converts the OneNote Document to an Image
To run OneNoteAnalyzer against a malicious OneNote Document, we provide the path of the OneNote Document as shown below.
Upon execution, OneNoteAnalyzer extracts the attachments from the OneNote Document into the “OneNoteAttachments” folder. The actual attachment path, i.e., the path from which the attachment was uploaded, is shown in the console along with the extracted filename and the size of the attachment.
OneNote Attachments extracted in the OneNoteAttachments Folder:
Next, it extracts the Pagewise Metadata from the OneNote Document as shown below.
Then it also extracts all the images in the OneNote Document as shown below:
The extracted images are saved in the OneNoteImages folder as shown below.
Further, the tool extracts Pagewise Text from the OneNote Document and saves it in the OneNoteText Folder as shown in the screenshot below.
Additionally, it extracts HyperLinks from OneNote Documents along with the overlay text as shown in the screenshot below.
The extracted Hyperlinks are stored in the OneNoteHyperLinks Folder – onenote_hyperlinks.txt
Finally, the tool converts the OneNote Document into an Image and saves it in the following manner.
Once the execution is completed, the extracted data is stored in an Export Directory “OneNoteFilename_content” in the current working directory, as seen in the screenshot below.
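A follow-up triage step over the export directory, as an added example that is not part of OneNoteAnalyzer: it hashes every file in the OneNoteAttachments folder and flags those worth a closer look, without executing anything. The function name `triage_attachments`, the extension list and the file signatures are this example's own assumptions; only the folder layout comes from the description above.

```python
import hashlib
import sys
from pathlib import Path

# Extensions treated as risky are this example's assumption, not a list from the tool.
RISKY_EXT = {".hta", ".wsf", ".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd",
             ".ps1", ".lnk", ".exe", ".dll", ".scr", ".chm", ".msi"}

# A few well-known file signatures, checked regardless of the file name.
MAGIC = [(b"MZ", "PE executable"),
         (b"L\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (LNK)"),
         (b"ITSF", "compiled HTML help (CHM)"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file")]


def triage_attachments(export_dir):
    """Return one record per file under <export_dir>/OneNoteAttachments."""
    records = []
    att_dir = Path(export_dir) / "OneNoteAttachments"
    if not att_dir.is_dir():
        return records
    for path in sorted(p for p in att_dir.rglob("*") if p.is_file()):
        data = path.read_bytes()  # read only; nothing is executed
        ext = path.suffix.lower()
        reasons = []
        if ext in RISKY_EXT:
            reasons.append(f"risky extension {ext}")
        # Content that disagrees with a harmless-looking name is still flagged.
        for sig, label in MAGIC:
            if data.startswith(sig):
                reasons.append(f"content is {label}")
        # Double extension such as invoice.pdf.hta
        if len(path.suffixes) > 1 and ext in RISKY_EXT:
            reasons.append("double extension")
        records.append({"name": path.name, "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "reasons": reasons})
    return records


if __name__ == "__main__" and len(sys.argv) == 2:
    for rec in triage_attachments(sys.argv[1]):
        flag = "REVIEW" if rec["reasons"] else "ok"
        print(f'{flag:6} {rec["sha256"]} {rec["size"]:>8} {rec["name"]} '
              f'{"; ".join(rec["reasons"])}')
```

Run it with the export directory as the only argument; the SHA-256 values can then be checked against internal or public reputation sources.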
Copyright (c) 2023 neeraj