New Feature: Analyze OneNote Files with VMRay Sandbox

Mar 22nd 2023

Analyze OneNote Files 

with VMRay Sandbox


Table of Contents


As threat actors continue to evolve their tactics for distributing malware, we’ve been hard at work to stay on top of the latest trends to ensure VMRay platform can effectively analyze new file formats. One such attack trend that has gained popularity among threat actors is OneNote attachments. 

Microsoft OneNote is a free digital notebook application that comes with Microsoft Office/365 installations. Even if a user doesn’t use the application, the OneNote file format is still accessible, making it an attractive option for threat actors.

Brief look at the Post-macro threat landscape

One of the most common methods of malware distribution via email has been through malicious document attachments that launch macros to download and install malware onto the victim’s system. However, in July 2023, Microsoft finally disabled macros by default in Office documents, making this method unreliable for malware distribution. This was a significant blow to cyber criminals who had relied on this tactic for so long.

In the aftermath of Microsoft’s decision to disable macros by default in Office documents, threat actors wasted no time in searching for new file formats like ISO images and password-protected ZIP files. These formats quickly gained popularity due to a Windows bug that allowed ISOs to bypass security warnings and 7-Zip’s failure to propagate mark-of-the-web flags to files extracted from ZIP archives. 

However, the good news is that both 7-Zip and Windows have recently fixed these bugs, making it much harder for threat actors to distribute malware through these methods. Now, when a user tries to open downloaded ISO and ZIP files, Windows will display a frightening security warning, alerting users to the potential risks of opening the file.

Recent campaigns abusing OneNote

Recently, QBot’s operators have started using OneNote files that contain an embedded HTML application (HTA file) to retrieve the QBot malware payload. They employ two distribution methods for these HTA files, one of which hijacks existing email threads and sends a “reply-to-all” message with a malicious OneNote Notebook file as the attachment.

OneNote attachments delivered via Phishing Email Campaigns

To make these attacks even more deceptive, threat actors use a fake button in the Notebook file that supposedly downloads the document from the cloud. If clicked, it runs the embedded HTA attachment, which can install additional malware, steal passwords, or even cryptocurrency wallets.

As of April 2023, Microsoft will roll out new protection measures for malicious OneNote files when users open or download an embedded file in OneNote.

Stay Ahead of the Game with Deep Analysis of OneNote Files

By staying informed about the latest threats and ensuring our products can handle new file formats, we’re glad to help our customers stay one step ahead of the threat actors.

Built on VMRay Platform with over 30+ technologies, all VMRay products – DeepResponse, FinalVerdict, and TotalInsight– will have the capability to run analysis of OneNote files with the upcoming release in April 2023. This means that our customers can identify and analyze any potential threats in OneNote attachments and take appropriate action to protect their systems. 

Customers who integrated VMRay with their EDR or SOAR tools can also run automated playbooks to detonate OneNote files so that they can get definitive verdicts with deep analysis results. 


Stay current on the threat landscape with industry-leading insights.

See VMRay in action.
Solve your own challenges.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator