{
	"id": "876a6663-42fb-4607-8e43-25b0d98c2503",
	"created_at": "2026-04-06T00:10:48.637085Z",
	"updated_at": "2026-04-10T03:20:29.474649Z",
	"deleted_at": null,
	"sha1_hash": "7ae6ef92fb9481c78dc7b5f744032f4da5c82ffb",
	"title": "Qakbot Distributed via OneNote and CHM - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1282283,
	"plain_text": "Qakbot Distributed via OneNote and CHM - ASEC\r\nBy ATCP\r\nPublished: 2023-04-26 · Archived: 2026-04-05 19:17:59 UTC\r\nAhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and\r\nthe method of distributing through OneNote was covered back in February. The distribution of Qakbot through\r\nOneNote has been confirmed again recently, and it was discovered that the Windows Help file (CHM) was used in\r\nthis recent attack. https://asec.ahnlab.com/en/47785/ Upon executing the OneNote file, it prompts users to click on\r\nthe Open button along with a Microsoft Azure image, as shown below. An ISO file is hidden inside the location of\r\nthis button, and once a user clicks the Open button, an ISO file is created in a temp folder and mounted. \r\nhttps://asec.ahnlab.com/en/52067/\r\nPage 1 of 4\r\nA CHM disguised as a README file exists inside the ISO, prompting users to open it. \r\nUpon executing the CHM file, a normal help screen regarding network connectivity is displayed, making it\r\ndifficult for the user to notice the malicious behavior. \r\nThe malicious script used without the user’s knowledge is shown below. A malicious and encoded PowerShell\r\ncommand is executed through CMD. This command is executed through the Click method used similarly by the\r\nexisting CHM malware. \r\nThe decoded PowerShell command is shown below. The command attempts to download additional malicious\r\nfiles from multiple URLs and save them to the %TEMP%\\antepredicamentPersecutory.tuners path. Seeing how it\r\nis executed through rundll32 afterward, it can be assumed that DLL files are downloaded. \r\nDownload URL\r\nhxxps://nayadofoundation[.]org/wXaKm/SQ2wfto2vosn\r\nhxxps://citytech-solutions[.]com/6Mh1k/OJMPf\r\nhxxps://zainco[.]net/OdOU/9IAsdunbnH\r\nhxxps://gsscorporationltd[.]com/okSfj/rAVykcQiX\r\nhxxps://mrcrizquna[.]com/L7ccN/kz5AeBZ6\r\nhxxps://hotellosmirtos[.]com/sjn/uhidwrQ9Hz\r\nhxxps://carladvogadatributaria[.]com/tvnq9/i8zBwKW\r\nhxxps://erg-eg[.]com/ocmb/xvjmmvS\r\nThis command is similar to the command used by the Qakbot that was distributed via PDF back in April. This\r\ndownload URL is currently unavailable, but internal and external infrastructures showed that the Qakbot binary\r\nhad been distributed from the URL when a connection could be made to it. https://asec.ahnlab.com/en/51282/\r\nRecently, the number of malware distribution cases using OneNote has been increasing, and threat actors have\r\nbeen using various formats of files for their attacks. Users must be careful when opening emails and OneNote files\r\nfrom unknown sources. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases\r\nbelow. \r\n[File Detection]\r\nDropper/MSOffice.Generic (2023.04.24.03)\r\nDownloader/CHM.Generic (2023.04.24.03) \r\nMD5\r\n2ce926649092b4aa642ba6ed1fe0f191\r\ndffd7026f7508ae69c1b23ebd33ed615\r\nURL\r\nhttps[:]//carladvogadatributaria[.]com/tvnq9/i8zBwKW\r\nhttps[:]//citytech-solutions[.]com/6Mh1k/OJMPf\r\nhttps[:]//erg-eg[.]com/ocmb/xvjmmvS\r\nhttps[:]//gsscorporationltd[.]com/okSfj/rAVykcQiX\r\nhttps[:]//hotellosmirtos[.]com/sjn/uhidwrQ9Hz\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/52067/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/52067/"
	],
	"report_names": [
		"52067"
	],
	"threat_actors": [],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ae6ef92fb9481c78dc7b5f744032f4da5c82ffb.pdf",
		"text": "https://archive.orkl.eu/7ae6ef92fb9481c78dc7b5f744032f4da5c82ffb.txt",
		"img": "https://archive.orkl.eu/7ae6ef92fb9481c78dc7b5f744032f4da5c82ffb.jpg"
	}
}