{
	"id": "f933012b-fd91-447f-ac94-ad5c4e5276e2",
	"created_at": "2026-04-06T00:14:49.77589Z",
	"updated_at": "2026-04-10T13:11:51.055706Z",
	"deleted_at": null,
	"sha1_hash": "5f7171abec35459c94572648af8628190b9c973e",
	"title": "OneNote | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2199251,
	"plain_text": "OneNote | ThreatLabz\r\nBy Meghraj Nandanwar, Shatak Jain\r\nPublished: 2023-03-01 · Archived: 2026-04-05 16:36:05 UTC\r\nCase Study 1: RAT\r\nStarting in December 2022, attackers have been using OneNote files to distribute Remote Access Trojans (RATs) such as AsyncRAT, Quasar RAT, NetWire, and Xworm. These RATs use complex obfuscation techniques within OneNote files in order to evade detection by security software.\r\nDuring the course of the investigation, researchers found the file containing the malicious payload disguised under the misleading name \"PaymentAdv.one\".\r\nFig.2 - OneNote phishing document\r\nAfter analyzing the file with OneNoteAnalyzer, researchers uncovered that the attack was carried out by dropping and executing a batch file called \"zoo1.bat\".\r\nhttps://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\r\nPage 1 of 4\r\nFig.3 - Malicious files extracted from OneNote document\r\nThe batch file was obfuscated and contained an encrypted blob at the start, followed by heavily obfuscated PowerShell code.\r\nFig.4 - Obfuscated batch file\r\nBy removing the \"@echo off\" line and adding \"echo\" to the start of each line in the batch file, researchers were able to decode the file's activities and log the output as shown in the screenshot below.\r\nFig.5 - Commands executed by “zoo1.bat.exe”\r\nThe log indicated that the batch file had copied and disguised the malicious program as \"zoo1.bat.exe\" in an attempt to hide its activities.\r\nThe PowerShell code associated with it was obfuscated and difficult to comprehend, so researchers manually pretty-printed it to deobfuscate and reformat the file, making it more readable, as demonstrated in the screenshot below.\r\nFig.6 - Obfuscated PowerShell code in readable format\r\nAfter deobfuscation, researchers discovered that the script used base64 encoding to split the encrypted blob seen in the initial batch file into its actual data, AES key, and index using the backslash character. With these values, the script was able to decrypt the data and decode it using gzip encoding to reveal the final executable.\r\nFig.7 - AES Key and IV identified in the blob\r\nNow let's cook the above recipe using CyberChef and check what it produces:\r\nFig.8 - Decrypted payload extracted using CyberChef\r\nSimilarly, we can decode the second blob, which will also result in a Portable Executable (PE) file.\r\nFig.9 - AgileDotNet Packed AsyncRAT Payload\r\nThe resulting file is a .NET file packed with AgileDotNet, which was revealed to contain a malicious AsyncRAT payload after deobfuscating and unpacking with the .NET Kali Linux tool known as de4dot.\r\nSource: https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution"
	],
	"report_names": [
		"onenote-growing-threat-malware-distribution"
	],
	"threat_actors": [],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f7171abec35459c94572648af8628190b9c973e.pdf",
		"text": "https://archive.orkl.eu/5f7171abec35459c94572648af8628190b9c973e.txt",
		"img": "https://archive.orkl.eu/5f7171abec35459c94572648af8628190b9c973e.jpg"
	}
}