OneNoteAnalyzer

A C# based tool for analyzing malicious OneNote documents

Description

Recently we came across few malicious OneNote Documents been distributed in-the-wild by various threat actors. This gave us an idea to develop "OneNoteAnalyzer" which would help in analysing such malicious OneNote documents without executing them. Now lets take a look at the features that the tool offers.

Features

After providing the file path of the Malicious OneNote document. The OneNoteAnalyzer extracts:

• Attachments from OneNote Document along with the Actual Attachment Path, Filename and size
• Page MetaData from OneNote Document - Title, Author, CreationTime, LastModifiedTime
• Images from OneNote Document along with the HyperLink URLs if any
• Pagewise Text from OneNote Document
• HyperLinks from OneNote Document along with the overlay text
• Converts OneNote Document to Image
• Parses Password Protected OneNote Documents NEW

Usage

Demonstration

In order to execute OneNoteAnalyzer against malicious OneNote Documents we provide the path of the OneNote Document as shown below.

Upon execution OneNoteAnalyzer extracts the Attachments from the OneNoteDocument in the "OneNoteAttachments" folder. Here the Actual Attachment path i.e the path from where the attachment was been uploaded can be seen in the console along with the extracted filename and size of the attachment.

OneNote Attachments extracted in the OneNoteAttachments Folder:

Next it extracts the Pagewise Metadata from the OneNote Document as shown below.

Then it also extracts all the images in the OneNote Document as shown below:

The extracted images are been saved in the OneNoteImages folder as shown below.

Further the tool extracts Pagewise Text from the OneNote Document

and saves it in the OneNoteText Folder as shown in the screenshot below

Addtionally it extracts HyperLinks from OneNote Document along with the overlay text as shown in the screenshot below.

The extracted Hyperlinks are stored in the OneNoteHyperLinks Folder - onenote_hyperlinks.txt

Finally the tool converts the OneNoteDocument into an Image and saves it shown in the following manner.

Saved Image-1:

Saved Image-2:

Once the execution is completed the extracted data is been stored in an Export Directory "OneNoteFilename_content" in the current working directory as seen in the screenshot below

Setup Information

• Copy "Program.cs" in Visual Studio
• Install "Aspose.Note 18.1.0" from Nuget Packages
• Build the project!

Updates

• Added Export Directory where all the extracted data from the OneNote Document is been dumped (Compiled binary can be downloaded from Releases)
• Fixed extraction issues with Multiple Attachments & Images with identical filename
• FileCorruptedException Handling
• Supports Password Protected OneNote Documents - Modified by 0xToxin
  • For more info & code -> Repo directory: OneNoteAnalyzer-withPass
  • Compiled Binary in Releases

References

https://docs.aspose.com/note/net

Thankyou! =)