OneNote Format Support
2023-2-2 19:14:42 Author: blog.cerbero.io


Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.

Installing the package from Cerbero Store takes only a few mouse clicks.

Once the package is installed, you can inspect OneNote documents directly in Cerbero Suite; all embedded files are extracted automatically and are ready to be inspected.

In the screenshot, an executable is extracted from the OneNote malware sample. The executable contains a CAB archive in a resource entry, and the CAB archive in turn contains a VBS script, which can be inspected directly.

The OneNote package can also be used programmatically.

from Pro.Core import *
from Pkg.OneNote.Core import OneNoteObject

def parseOneNoteDocument(fname):
    # Open the file as a Cerbero container.
    c = createContainerFromFile(fname)
    if c.isNull():
        return
    # Parse the OneNote structure from the container.
    obj = OneNoteObject()
    if not obj.Load(c):
        return
    # Each embedded file is reported with its offset and size inside the document.
    files = obj.GetEmbeddedFiles()
    for file in files:
        print("offset:", hex(file[0]), "size:", hex(file[1]))
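The snippet above only lists offsets and sizes. The following is an added example, not code from the Cerbero post or the OneNote package, that extends it into a small triage step for the extracted payloads: each embedded file is hashed, classified by its leading bytes (PE, CAB, OLE, ZIP, PDF, OneNote, or a text script), flagged as risky, and, for a PE, searched for an embedded CAB header, mirroring the exe-to-CAB-to-VBS layering the post describes. The `MAGIC` table, `SCRIPT_TOKENS` list and `RISKY` set are constructed for this example; the OneNote header bytes come from the [MS-ONESTORE] file-type GUID. Only `triage_onenote()` needs Cerbero Suite, and it assumes the container exposes `read(offset, size)` returning bytes, which the post does not show; the other helpers run stand-alone.

```python
import hashlib

# On-disk header of a OneNote .one file ([MS-ONESTORE] guidFileType, little-endian GUID).
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")

# Magic-byte table (constructed for this example): the payload kinds the post
# mentions (PE executable, CAB archive) plus a few that commonly ride along.
MAGIC = [
    (b"MZ", "pe"),
    (b"MSCF", "cab"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (ONE_MAGIC, "onenote"),
]

# Tokens that mark an ASCII blob as a script (constructed; matched case-insensitively).
SCRIPT_TOKENS = (b"wscript", b"createobject", b"powershell", b"cmd.exe", b"<script")

# Types a defender treats as live payloads rather than plain documents or media.
RISKY = {"pe", "cab", "script", "ole", "zip"}


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes; fall back to a text-script heuristic."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:4096]
    try:
        head.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"  # binary without a known header
    low = head.lower()
    if any(tok in low for tok in SCRIPT_TOKENS):
        return "script"
    return "unknown"


def triage_blob(data: bytes) -> dict:
    """Hash and classify one embedded file.

    For a PE, also report where a CAB header ("MSCF") first appears inside it,
    which is the resource-embedded archive layout the post describes.
    """
    kind = identify(data)
    cab_at = data.find(b"MSCF", 1) if kind == "pe" else -1
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "type": kind,
        "risky": kind in RISKY,
        "embedded_cab_offset": cab_at,
    }


def triage_onenote(fname: str) -> list:
    """Run the post's parsing steps inside Cerbero Suite and triage every embedded file.

    The SDK imports are local so the helpers above stay usable outside the suite.
    """
    from Pro.Core import createContainerFromFile
    from Pkg.OneNote.Core import OneNoteObject

    c = createContainerFromFile(fname)
    if c.isNull():
        return []
    obj = OneNoteObject()
    if not obj.Load(c):
        return []
    results = []
    for file in obj.GetEmbeddedFiles():
        offset, size = file[0], file[1]
        data = c.read(offset, size)  # assumption: container.read(offset, size) -> bytes
        rec = triage_blob(data)
        rec["offset"] = offset
        results.append(rec)
    return results
```

Inside Cerbero Suite, `triage_onenote("sample.one")` returns one record per embedded file; the `sha256` values are what you would pivot on in a sandbox or threat-intel lookup, and `risky` plus `embedded_cab_offset` tell you which payloads deserve a closer look first.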

Source: https://blog.cerbero.io/?p=2516