OneNote: A Growing Threat for Malware Distribution
Tags
cmtmf-attack-pattern: Application Layer Protocol Command And Scripting Interpreter Obfuscated Files Or Information
maec-delivery-vectors: Watering Hole
attack-pattern: Data Application Layer Protocol - T1437 Command And Scripting Interpreter - T1623 Exploits - T1587.004 Exploits - T1588.005 File Deletion - T1070.004 File Deletion - T1630.002 Javascript - T1059.007 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Mshta - T1218.005 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Rundll32 - T1218.011 Software - T1592.002 Tool - T1588.002 Standard Application Layer Protocol - T1071 Command-Line Interface - T1059 File Deletion - T1107 Modify Registry - T1112 Mshta - T1170 Standard Non-Application Layer Protocol - T1095 Obfuscated Files Or Information - T1027 Powershell - T1086 Rundll32 - T1085 Signed Binary Proxy Execution - T1218 Windows Management Instrumentation - T1047 User Execution - T1204 User Execution
Show in Graph
Common Information
Type Value
UUID 3b05cf4e-8f5e-4595-8dc5-3350ccfa608f
Fingerprint 8c8f1f19af3e0f11
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 18, 2023, midnight
Added to db Nov. 20, 2023, 12:20 a.m.
Last updated Nov. 17, 2024, 6:53 p.m.
Headline Zscaler Blog
Title OneNote: A Growing Threat for Malware Distribution
Detected Hints/Tags/Attributes 92/3/51
Source URLs
Redirection Url
Details Source https://securityboulevard.com/2023/03/onenote-a-growing-threat-for-malware-distribution/
Details Source https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
URL Provider
Details Provider Source level domain
Details securityboulevard.com securityboulevard.com
Details zscaler.com www.zscaler.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 163 https://media.cert.europa.eu/rss?type=category&id=Malware&language=en&duplicates=false 2024-08-30 22:08
Details 406 Security Research | Blog Category Feed https://www.zscaler.com/blogs/feeds/security-research 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1 
paymentadv.one
Details Domain 1 
february-03.one
Details Domain 9 
onedump.py
Details Domain 1 
oiartzunirratia.eus
Details Domain 2 
helthbrotthersg.com
Details Domain 71 
transfer.sh
Details Domain 3 
ehonlionetodo.com
Details Domain 1 
thefirstupd.com
Details Domain 4 
myvigyan.com
Details Domain 4 
starcomputadoras.com
Details Domain 1 
somosnutrisalud.cl
Details Domain 1 
wi-protect.com
Details File 1 
zoo1.bat
Details File 31 
invoice.pdf
Details File 9 
onedump.py
Details File 1 
lcovlccdxd.exe
Details File 2 
view.png
Details File 1 
36.ps1
Details File 1 
360702.dll
Details File 2 
300123.gif
Details File 3 
01.gif
Details File 1 
payroll.exe
Details File 1 
eulsm.exe
Details md5 1 
e9f0dbbd19ef972dd2fc163a4b34eae1
Details md5 1 
19905a73840430e28c484b97546225c6
Details md5 1 
146f4f1c9b29e7505f275772378bfec9
Details md5 1 
1d9aa7c9aa3f8dc9dd58a38176ea36fe
Details md5 1 
5139af509129641b1d29edd19c436b54
Details md5 1 
6b1e64957316e65198e3a1f747402bd6
Details md5 1 
6b500ad29c39f72cd77c150a47df64ea
Details md5 1 
4c6a40f40dcd0af8d5c41d0fcc8e4521
Details md5 1 
3c7c265f618912d81856bf460bf19f61
Details md5 1 
fa49fd13fc49ab38b97d2d019cc04b39
Details md5 1 
973e87ec99502aac9a12f987748a812a
Details md5 1 
39f3c510f46d605202844e35c07db84b
Details md5 1 
558da264c83bfe58c1fc56171c90c093
Details md5 1 
C6ba1a7b2b90e18b6c25382453370169
Details md5 1 
d3713110654dc546bd5edc306a6e7efd
Details IPv4 1 
194.26.192.248
Details IPv4 1 
167.172.154.189
Details Url 1 
https://oiartzunirratia.eus/install/clean/lcovlccdxd.exe
Details Url 2 
http://helthbrotthersg.com/view.png
Details Url 1 
https://transfer.sh/get/vpihmi/invoice.pdf
Details Url 1 
http://ehonlionetodo.com
Details Url 1 
http://167.172.154.189/36.ps1
Details Url 1 
http://167.172.154.189/360702.dll
Details Url 1 
https://thefirstupd.com
Details Url 1 
https://myvigyan.com/m1ypt/300123.gif
Details Url 3 
https://starcomputadoras.com/lt2elm6/01.gif
Details Url 1 
https://somosnutrisalud.cl/installs/clean/payroll.exe
Details Url 1 
https://wi-protect.com/install/eulsm.exe