This malicious OneNote document contains two obfuscated batch scripts and we’ll be using our commercial Simple Batch Emulator package to understand what they do.
SHA256: 46149F56028829246628FFAFC58DF81A4B0FF1C87ED6466492E25AD2F23C0A13
Continue reading “Obfuscated Batch Scripts in OneNote Document”
We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.
SHA256: 2B0B2A15F00C6EED533C70E89001248A0F2BA6FAE5102E1443D7451A59023516
The unidentified embedded object in the OneNote document is an ISO file.
An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.
SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6
The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.
The malicious OneNote sample analyzed in this video contains an executable. The executable contains a CAB archive in a resource entry. The CAB archive contains a VBS script which can directly be inspected in Cerbero Suite.
SHA256: F408EF3FA89546483BA63F58BE3F27A98795655EB4B9B6217CBE302A5BA9D5F7
