Microsoft OneNote files are widely used to deliver malware payloads

February 14, 2023

There is a never-ending race between threat actors and security software. Malware authors constantly look for techniques that can get past active security defenses and gain access to the victim's machine, and one of those techniques is to switch among low-profile file types to carry the malicious payload. Malware authors are now using OneNote files, which were rarely used for malicious purposes in the past. For the last few weeks, SonicWall RTDMI has been detecting a spike in malicious OneNote files delivered to the victim's machine as email attachments. The SonicWall threat research team observed that these OneNote files deliver AgentTesla, AsyncRAT and QakBot malware. Threat actors attach HTML Application (HTA) files, batch files and Portable Executable (PE) files to OneNote pages and hide the attached files behind an image. The image displays a message luring the victim to click on it (the click lands on the hidden attachment), which then triggers the malware execution:
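Attachments in a .one file are stored as FileDataStoreObject blobs, so a triage script can enumerate them without opening the note and flag any that are scripts or executables rather than pictures. The following scanner is an added example written for this post, not SonicWall's or Microsoft's code; it assumes the FileDataStoreObject layout documented in [MS-ONESTORE] (header GUID, 8-byte little-endian length, 12 bytes of unused/reserved fields, file data, footer GUID) and the sample bytes it scans are constructed, not taken from any of the files described here.

```python
import struct
import sys

# FileDataStoreObject header and footer GUIDs from the [MS-ONESTORE] specification
# ({BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and {71FBA722-0F79-4A0B-BB13-899256426B24}),
# serialised in the little-endian byte layout they have on disk inside a .one file.
FDSO_HEADER_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER_GUID = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# guidHeader (16) + cbLength (8, little-endian) + unused (4) + reserved (8)
FDSO_HEADER_SIZE = 36

RISKY_KINDS = {"pe", "hta/html", "batch"}


def classify(payload: bytes) -> str:
    """Cheap content sniffing: embedded pictures are expected in a note, scripts and PEs are not."""
    head = payload[:4096].lower()
    if payload[:2] == b"MZ":
        return "pe"
    if payload[:8] == b"\x89PNG\r\n\x1a\n" or payload[:3] == b"\xff\xd8\xff":
        return "image"
    if b"<hta:application" in head or b"<script" in head:
        return "hta/html"
    if b"@echo off" in head or b"powershell" in head or b"cmd /c" in head:
        return "batch"
    return "unknown"


def extract_embedded_files(data: bytes) -> list:
    """Return one dict per FileDataStoreObject found in raw .one file bytes."""
    found = []
    pos = data.find(FDSO_HEADER_GUID)
    while pos != -1 and pos + FDSO_HEADER_SIZE <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_HEADER_SIZE
        end = start + length
        if end > len(data):
            break  # corrupt or truncated object: do not over-read
        payload = data[start:end]
        found.append({
            "offset": pos,
            "size": length,
            # a missing footer means the blob was cut short or the length field lies
            "footer_ok": data[end:end + 16] == FDSO_FOOTER_GUID,
            "kind": classify(payload),
            "data": payload,
        })
        pos = data.find(FDSO_HEADER_GUID, end)
    return found


def risky_attachments(data: bytes) -> list:
    """Only the embedded files a defender would want to look at: PE, HTA/HTML or batch content."""
    return [f for f in extract_embedded_files(data) if f["kind"] in RISKY_KINDS]


def _fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (used only to build the constructed sample below)."""
    return (FDSO_HEADER_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + FDSO_FOOTER_GUID)


# Constructed sample standing in for a .one file: filler bytes, an embedded PNG (the lure image),
# a batch stub and a PE stub. It is not a real OneNote file and not one of the samples above.
SAMPLE_ONE = (
    b"\x00" * 64
    + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 24)
    + b"\x00" * 8
    + _fdso(b"@echo off\r\nrem constructed batch stub\r\n")
    + _fdso(b"MZ" + b"\x00" * 62)
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ONE
    for f in extract_embedded_files(blob):
        flag = "RISKY" if f["kind"] in RISKY_KINDS else "ok"
        print(f"offset={f['offset']:#x} size={f['size']} kind={f['kind']} "
              f"footer_ok={f['footer_ok']} {flag}")
```

Run it against a suspicious .one file path to list every embedded file with its offset and sniffed type; a note that carries only images is the normal case, while any `pe`, `hta/html` or `batch` blob is worth pulling out with `f["data"]` for further analysis. Because the scanner walks the raw bytes rather than the object tree, it also catches attachments that OneNote would render behind an overlapping picture.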

Case 1 (Payload: AgentTesla)

The threat actor attaches a malicious HTML Application (HTA) file to the OneNote page and duplicates the attachment references to widen the clickable area that reaches the attachment. The attachments are hidden by overlapping two images: the first is a blurred image, which is further overlapped by another image asking the user to “View Document”. Once the user clicks on the image, it triggers execution of the hidden HTA file:

The HTA file launches two PowerShell instances: one to display an image fetched from the web, the other to download and execute the AgentTesla malware on the victim's machine:


A blurred HSBC document fetched from the web is displayed to mislead the user while the malicious activity runs in the background:


The second PowerShell instance runs the downloaded executable in the background, which in turn executes a VBScript file and injects the AgentTesla payload into RegSvcs.exe. The injected payload exfiltrates user data to its Telegram-hosted Command and Control (C2) server h[t][t]ps://



Case 2 (Payload: AsyncRAT)

The threat actor attaches an obfuscated batch file to the OneNote page. The batch attachment is hidden behind an image asking the user to “Click to view document”. The page also contains a background image displaying the text DHL WORLDWIDE EXPRESS, to pose as a delivery document:


The obfuscated batch file drops a copy of the PowerShell executable into the OneNote temp folder under the name “invoice.bat.exe” and uses that dropped copy to run a PowerShell script:



The PowerShell script reads data from the batch file and decrypts it. The decrypted data is decompressed to obtain the AsyncRAT executable, which is then executed:


AsyncRAT is a widely known malware family and its source code is available on GitHub:


In one AsyncRAT-delivering variant, we have seen the OneNote page carry an executable attachment which in turn drops a batch file to continue execution, resulting in AsyncRAT running on the victim's machine:


Case 3 (Payload: QakBot)

The threat actor attaches a batch command file to the OneNote page. The attached file is hidden behind an image asking the user to “Open”. The OneNote page also contains an image displaying the text “This document contains attachments from the cloud, to receive them, double click “open”:

The batch command file runs a PowerShell cmdlet which drops another batch file to C:\Users\Public\aSUNY81.cmd and executes it with two arguments:


The dropped script downloads the QakBot payload from the URL h[t][t]ps:// supplied as the second argument. The QakBot Dynamic Link Library (DLL) is executed by calling its export function Wind:
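All three cases produce the same kind of process chain on the endpoint: OneNote spawning a script host, an attachment running from the OneNote temp folder, a dropped .cmd under C:\Users\Public, and a DLL loaded by export name from a user-writable path. The rules below run over constructed process-creation events and are an added example for this post, not SonicWall detection content; the OneNote export path `...\AppData\Local\Temp\OneNote\16.0\Exported\` and the use of rundll32.exe as the host for the QakBot DLL are assumptions here, the post itself only says "OneNote temp folder" and "calling the export function", and every event line and hostname is constructed.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts parent image cmdline")

# Constructed process-creation events (timestamp|parent image|child image|command line).
# They mirror the chains described in the three cases; paths with CONSTRUCTED in them and
# example.invalid are placeholders, not observed values.
SAMPLE_EVENTS = r"""
2023-02-14T09:00:01|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE|"ONENOTE.EXE" C:\Users\victim\Downloads\invoice.one
2023-02-14T09:00:05|C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\victim\AppData\Local\Temp\OneNote\16.0\Exported\{1111-CONSTRUCTED}\NT\0\doc.hta
2023-02-14T09:00:06|C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\victim\AppData\Local\Temp\OneNote\16.0\Exported\{2222-CONSTRUCTED}\NT\0\Open.cmd
2023-02-14T09:00:07|C:\Windows\System32\cmd.exe|C:\Users\victim\AppData\Local\Temp\OneNote\16.0\Exported\{2222-CONSTRUCTED}\NT\0\invoice.bat.exe|invoice.bat.exe
2023-02-14T09:00:08|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\aSUNY81.cmd arg1 h[t][t]ps://example.invalid/payload
2023-02-14T09:00:09|C:\Windows\System32\cmd.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\payload.dll,Wind
2023-02-14T09:05:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
"""

# Script hosts and LOLBins that OneNote has no business launching directly.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed location OneNote extracts attachments to before opening them.
ONENOTE_TEMP = "\\temp\\onenote\\"
PUBLIC_SCRIPT = re.compile(r"c:\\users\\public\\[^\s\"]+\.(?:cmd|bat)\b", re.I)
RUNDLL_EXPORT = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s\",]+\.dll)\"?\s*,\s*(\w+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_onenote_spawns_interpreter(ev: Event) -> bool:
    return basename(ev.parent) == "onenote.exe" and basename(ev.image) in INTERPRETERS


def rule_exec_from_onenote_temp(ev: Event) -> bool:
    return ONENOTE_TEMP in ev.image.lower() or ONENOTE_TEMP in ev.cmdline.lower()


def rule_script_in_users_public(ev: Event) -> bool:
    return bool(PUBLIC_SCRIPT.search(ev.cmdline))


def rule_rundll32_dll_outside_windows(ev: Event) -> bool:
    """rundll32 invoking an export from a DLL that does not live under C:\\Windows."""
    m = RUNDLL_EXPORT.search(ev.cmdline)
    return bool(m) and not m.group(1).lower().startswith("c:\\windows\\")


RULES = {
    "onenote_spawns_interpreter": rule_onenote_spawns_interpreter,
    "exec_from_onenote_temp": rule_exec_from_onenote_temp,
    "script_in_users_public": rule_script_in_users_public,
    "rundll32_dll_outside_windows": rule_rundll32_dll_outside_windows,
}


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(Event(ts, parent, image, cmdline))
    return events


def detect(events: list) -> dict:
    """Map event index -> list of rule names that fired, omitting clean events."""
    hits = {}
    for idx, ev in enumerate(events):
        fired = [name for name, fn in RULES.items() if fn(ev)]
        if fired:
            hits[idx] = fired
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for idx, fired in detect(events).items():
        print(f"{events[idx].ts} {basename(events[idx].image)}: {', '.join(fired)}")
```

The first two rules are the high-signal ones: OneNote itself, like the other Office applications, should not be the parent of cmd.exe, mshta.exe or PowerShell, and nothing legitimate executes out of its export folder. The Users\Public and rundll32 rules are noisier on their own, so in practice they are best correlated with the first two over a short window rather than alerted on individually.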


QakBot injects the malicious payload into iexplorer.exe using process injection. The QakBot binary uses the traditional method: it opens iexplorer.exe in suspended mode using the CreateProcess API, allocates memory in iexplorer.exe and writes the payload data into it. After injecting the code, most malware redirects the Instruction Pointer (EIP) to the injected code using the SetThreadContext API, but QakBot instead patches the bytes at EIP with a jump to the injected code:



SHA256 OneNote files:





SHA256 PE files:






The unavailability of the archive file in popular threat intelligence sharing portals such as VirusTotal and ReversingLabs indicates its uniqueness and limited distribution:


Evidence of detection by the RTDMI ™ engine can be seen below in the Capture ATP report for this file: