rule SUSP_Email_Suspicious_OneNote_Attachment_Jan23_1 { meta: description = "Detects suspicious OneNote attachment that embeds suspicious payload, e.g. an executable (FPs possible if the PE is attached separately)" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2023-01-27" score = 65 id = "492b74c2-3b81-5dff-9244-8528565338c6" strings: /* OneNote FileDataStoreObject GUID https://blog.didierstevens.com/ */ $ge1 = "5xbjvWUmEUWkxI1NC3qer" $ge2 = "cW471lJhFFpMSNTQt6nq" $ge3 = "nFuO9ZSYRRaTEjU0Lep6s" /* PE file DOS header */ $sp1 = "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZG" $sp2 = "RoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2Rl" $sp3 = "UaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZ" $sp4 = "VGhpcyBwcm9ncmFtIG11c3QgYmUgcnVuIHVuZGVy" $sp5 = "RoaXMgcHJvZ3JhbSBtdXN0IGJlIHJ1biB1bmRlc" $sp6 = "UaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZX" /* @echo off */ $se1 = "QGVjaG8gb2Zm" $se2 = "BlY2hvIG9mZ" $se3 = "AZWNobyBvZm" /*