{
	"id": "1c3d2e2a-e240-473e-a8ac-63c068e160ce",
	"created_at": "2026-04-06T00:08:40.182722Z",
	"updated_at": "2026-04-10T13:12:46.732022Z",
	"deleted_at": null,
	"sha1_hash": "11201d43be52f93b82d7bf31853f86de7f7732a8",
	"title": "Qakbot Being Distributed via OneNote - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1093600,
	"plain_text": "Qakbot Being Distributed via OneNote - ASEC\r\nBy ATCP\r\nPublished: 2023-02-15 · Archived: 2026-04-05 16:49:17 UTC\r\nBack in January, AhnLab ASEC published an analysis report on a malware strain that was being distributed through Microsoft (MS) OneNote.\r\nAs mentioned in the report, there has recently been an increasing number of cases where commodity malware like Qakbot stopped using MS Office Macro, their past distribution method, and instead started to use OneNote to execute their malware.\r\nhttps://asec.ahnlab.com/en/47785/\r\nPage 1 of 7\r\nFigure 1. Distribution trend of malicious OneNote files in 2022\r\nIf you look at the Qakbot distribution via OneNote case that happened on February 1st, the threat actor distributed the OneNote malware as an attachment to an Outlook email as shown in Figure 2.\r\nFigure 2. OneNote malware attached to an Outlook email (ComplaintCopy_44974(Feb01).one)\r\nWhen users open the attachment, it prompts them to click the “Open” button like in the typical MS Office Macro malware. As shown in Figure 3, however, there is actually a hidden HTA (HTML Application) object near the “Open” button. Thus, users are led to believe they had clicked the “Open” button when they had actually executed the HTA object.\r\nFigure 3. Malicious HTA object (Open.hta) embedded in OneNote\r\nWhen a user clicks the “Open” button, the HTA file attached as an object to the OneNote is generated in a temporary path. Afterward, the mshta process, which is an HTA extension connection program, is used to ultimately execute the malicious HTA file. A malicious VBS code is included within the HTA and Qakbot is downloaded through curl, a normal Windows utility. Finally, Qakbot is executed by rundll32.exe.\r\nOUTLOOK.EXE -\u003e ONENOTE.EXE -\u003e ONENOTEM.EXE -\u003e mshta.exe -\u003e curl.exe -\u003e rundll32.exe\r\nFigure 4. Process tree diagram displayed on AhnLab EDR analysis screen\r\nAhnLab EDR (Endpoint Detection and Response) records and detects the behavior information of OneNote format malware threats. Therefore, EDR managers can check if their company’s infrastructure is at risk of OneNote related malware by performing an EDR history search.\r\nHow to check for OneNote threat logs: Event -\u003e EDR Behavior -\u003e Define Period -\u003e Search for EDR threats (ONENOTE.EXE)\r\nFigure 5. Checking the EDR behavior log (ONENOTE.EXE creates the Open.hta file)\r\nThe Open.hta file that can be seen in Detection Target is the actual malicious script.\r\nFigure 6. Open.hta file path\r\nThe following is the OneNote threat information that can be checked on the AhnLab EDR analysis screen.\r\n[MITRE ATT\u0026CK Information]\r\nFigure 7. MITRE ATT\u0026CK information (Detected on initial infiltration through spear phishing attachment)\r\n[File, Registry, Process, and Network-Related Artifact Information]\r\nFigure 8. Artifact information\r\nIn this OneNote malware case, the HTA file that is an object within the OneNote is what performs the actual malicious behavior. Therefore, EDR managers can check the information related to the threat file, like the information shown in Figure 6, to learn where an HTA file was created and use the information to collect evidential files.\r\nThere is a case where Qakbot ultimately infected an organization with ransomware after infiltrating their system and carrying out lateral movement, so it is advised to quarantine a PC’s network first if Qakbot is detected early on in order to prevent further harm.\r\n[Network Quarantine Method Using EDR]\r\nFigure 9. Agent response using EDR\r\nAhnLab V3 and EDR products detect this OneNote threat with the aliases below.\r\n[File Detection]\r\nDownloader/HTA.Generic.S2106 (2023.02.03.03)\r\n[Behavior Detection]\r\nInitialAccess/EDR.OneNote.M10837\r\nExecution/EDR.Curl.M10842\r\n[IOC]\r\nMSG : 8b46417297995d5a9a705b54303ace30\r\nHTA : bc6e2129bbd64375c9254fbd17ab5f14\r\nC\u0026C : hxxp://139.99.117.17/31828.dat\r\nThe MITRE ATT\u0026CK mapping of the Qakbot that was distributed via OneNote is as follows.\r\nT1566.002 Phishing: Spearphishing Link, Sub-technique\r\nT1218.005 System Binary Proxy Execution: Mshta\r\nT1218.011 System Binary Proxy Execution: Rundll32\r\nT1105 Ingress Tool Transfer\r\nSubscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.\r\nSource: https://asec.ahnlab.com/en/47785/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/47785/"
	],
	"report_names": [
		"47785"
	],
	"threat_actors": [],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11201d43be52f93b82d7bf31853f86de7f7732a8.pdf",
		"text": "https://archive.orkl.eu/11201d43be52f93b82d7bf31853f86de7f7732a8.txt",
		"img": "https://archive.orkl.eu/11201d43be52f93b82d7bf31853f86de7f7732a8.jpg"
	}
}