I have download the challenge from letsdefend and put it on my sansforensics machine. Don’t execute the pdf files in your machine. Its malicious.
Challenge link: https://app.letsdefend.io/challenge/pdf-analysis
Note: I will be telling you the answers here. But that does not mean you will not try it by yourself. So please try to do it by your own. Remember, The more you get your hands dirty, the more you will learn.
First I checked what file type it actually is. So I used file command for that.
Then I used strings command to see any readable interesting texts. But it actually gives everything.
Going down a bit, I found this powershell encoded base64 code. Cyberchef is a great tool for decoding such encoded code.
After decoding, we found a reverse output. Cyberchef has a reverse recipe to reverse any texts. Let’s use that.
From the above reversed line of texts, we got the following 3 answers.
Now to answers the following other questions, we need to move on.
After deobfuscation, you shall answer the following 3 questions easily.
Lets move to the next part.
This is powershell obfuscated code. I also have a writeup on this. Please check from the below link.
How to analyze powershell obfuscated code, Part-1
Nowadays its very much certain that you will get obfuscated type of powershell code while analyzing any APT behavior or…
We need to execute the scripts one by one to get the final output. You can execute the above powershell code in your vm but before that take a snapshot is wise so that you can always revert back when you are done. If you don’t want to do that, then visit the below link. From here you can execute powershell commands and see the output.
Try It Online
TIO is a family of online interpreters for an evergrowing list of practical and recreational programming languages. To…
Paste all the code one by one. Then click on play button.
Now time to answer the rest of the questions.
You can go to ipinfo.io or iplocation.io site to find out the localtion of the ip address.
I hope you will learn something new from here.
Thanks. Please Subscribe below.