Blue Team Labs Online — Suspicious USB Stick Challenge Walkthrough

Investigating a suspicious USB drive with pdfid.py, pdf-parser.py, and VirusTotal

Drew Arpino
Oct 6, 2024
Logo credit: https://blueteamlabs.online

Introduction:

Welcome to my weekly walkthrough! This week, we’re diving into a hands-on DFIR challenge, Suspicious USB Stick, from Blue Team Labs Online. This investigation involves analyzing the titular suspicious USB drive which may have played a role in a recent, fictitious data breach. What’s our objective? To check the contents of the device to uncover any indicators of malicious activity. If this topic sounds cool to you, you’ve stumbled on the right blog!

To do this, we’ll start by examining the drive’s Autorun.inf file, a common vector for malware propagation. What exactly is this file doing, and what role did it play in the breach? Next, we’ll turn our attention to a suspicious PDF file also found on the USB stick. Using tools like VirusTotal, Didier Stevens’ pdfid.py, and pdf-parser.py, we’ll determine if this PDF is malicious, identify the operating systems it targets, and extract embedded commands.

If you find this walkthrough helpful in leveling up your skills or getting you through a tricky question, give it a clap! Your feedback helps me improve and continue supporting your security journey. Thanks for reading!

Challenge Link: https://blueteamlabs.online/home/challenge/suspicious-usb-stick-2f18a6b124

Challenge Scenario:

One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?

Reading Material:
https://zeltser.com/analyzing-malicious-documents/
https://en.wikipedia.org/wiki/List_of_file_signatures
https://eternal-todo.com/tools/peepdf-pdf-analysis-tool

Setup the REMnux Analysis Environment & Extract the challenge file:

Safety first! It’s always important when working with lab/challenge files from Blue Team Labs Online (or any educational lab/challenge/range) to keep yourself protected by performing these tasks in a dedicated, isolated virtual machine environment. For example, I’m using REMnux for this challenge and walkthrough.

To keep this write-up focused I’m going to skip the step-by-step setup of REMnux. If you’d like to set up your own REMnux environment, please follow the directions provided by REMnux directly. For reference, I opted for the virtual appliance method:

Okay! Now that we have our virtual environment created, updated, isolated, and snapshotted, we can extract the challenge file and start the investigation!

Question 1: What file is the autorun.inf running?

Okay, let’s get started!

Inside of our analysis environment, we’ll unzip the challenge file and the second archive file (USB.zip) within it. Now inside of the USB.zip archive, we have two files to focus on:

1. autorun.inf
2. README.pdf

To answer Question 1, let’s first focus on autorun.inf, but before we look at the file, let’s get some quick background on what autorun.inf does exactly.

According to Trend Micro, the autorun.inf file is placed in the root directory of a storage drive and is used to automatically launch programs from storage and media drives. In older versions of Windows this feature could be abused to automatically execute malware when an infected drive was accessed.

So now that we understand what this text file can do, let’s open it up in a text editor to see what is going on. For this example, I’ll use nano within my REMnux environment.

We can see that the autorun open action is set to launch the README.pdf file.

Question 2: Does the pdf file pass virustotal scan? (No malicious results returned)

Now let’s turn our attention to README.pdf and determine what the PDF file is and if it’s malicious or not.

To do this, we’ll start by checking VirusTotal for any previous hits for this file. As a first step, let’s calculate the SHA256 hash of the PDF directly from the terminal by using the below command:

sha256sum README.pdf

Then, copy the file hash and search VirusTotal.

Right away we’ll see a large number of detections which provide to us a high degree of confidence that the file is malicious and does not “pass” a scan.

Question 3: Does the file have the correct magic number?

To answer Question 3, I’ll lean on the Wikipedia page linked in the challenge to best explain what this question is looking for.

According to Wikipedia:

This is a list of file signatures, data used to identify or verify the content of a file. Such signatures are also known as magic numbers or Magic Bytes.

Let’s look for the PDF document type in the list to make this a bit easier to understand.

In the image above, we’re given that the hex signature of a PDF is 25 50 44 46 2D, which converts to the ASCII string %PDF-.

So, to put this into context, we can use the magic number/bytes to determine if the malicious sample is a “real” PDF file or something like an executable masquerading as a PDF file. But how do we get the magic number from the malicious file to verify it? Well, there are several ways, but let’s keep it simple and try two of them for this walkthrough.

The first method is to leverage the work we’ve already done and simply use the existing VirusTotal search. Navigate to the Details tab > Basic properties > Magic to confirm that the file is indeed a PDF file and not some other file type.

The second simple method is to utilize a tool like Didier Stevens’ pdfid.py to do some triage of the PDF file. When pdfid.py runs, one of the items it checks for is a valid %PDF header — if it doesn’t have one, the tool will let you know. For example, if we run it on the autorun.inf file:

So now, let’s try it with README.pdf and see what it tells us…

pdfid.py README.pdf

There we go! Comparing this header to the information from the Wikipedia File Signature page, we see that it matches and double-confirms that the file is a PDF.

Question 4: What OS type can the file exploit? (Linux, MacOS, Windows, etc)

To answer Question 4, we’re looking for which operating system can be exploited by this file. Since we’re already on VirusTotal, let’s see what other information we can discover about the PDF.

Let’s check out the Behaviors tab where we’ll quickly notice that all the sections like File System, Registry, Shell Commands, etc. are referencing Windows.

This should be enough information to determine the affected OS.

Question 5: A Windows executable is mentioned in the pdf file, what is it?

Let’s switch away from VirusTotal and use another of Didier Stevens’ PDF tools, pdf-parser.py, to start analyzing README.pdf.

According to the author’s website:

This tool will parse a PDF document to identify the fundamental elements used in the analyzed file.

So, by using pdf-parser we can start to get a better idea of the malicious elements within the PDF. For our first pass, we’ll use the below syntax using -a to display the stats and -O to include the object streams.

pdf-parser.py README.pdf -a -O

This provides us with a solid overview of the risky keywords to watch for, as highlighted in Lenny Zeltser’s Analyzing Malicious Documents Cheat Sheet, one of the valuable resources provided in our challenge scenario.

https://zeltser.com/analyzing-malicious-documents/

Instead of diving into each object one-by-one, let’s use the default command to print all of them! Don’t worry, we can focus the output to avoid too much manual review. Since we are searching for a Windows executable file, we’ll use grep to display results matching the file extension “.exe”.

pdf-parser.py README.pdf | grep -i ".exe"

Nice — we found it! If you’re curious or opt to analyze each object manually, you can find the executable referenced in Object 28, the /Launch action.

Question 6: How many suspicious /OpenAction elements does the file have?

Okay, last question! Remember in the last question where we used pdf-parser.py to find the risky keywords? Well, scroll back up to that output since we have the answer to Question 6 already…

Notice how there is a single number (1) next to /OpenAction? This means there is only one object with an OpenAction. While we don’t have to analyze the OpenAction directly for this challenge it’s good to understand why this is considered risky. Open actions are triggered when a PDF file is opened and could be abused by a bad actor to execute JavaScript, open a file/web page, etc. With all of this evidence, it seems that the USB drive is the initial access vector for this attack.
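To tie Questions 3, 5 and 6 together, here is a small Python triage script I’m adding as an example (it is not part of the original write-up, nor one of Didier Stevens’ tools) that repeats the manual checks above on a constructed sample: it verifies the %PDF- magic, counts the risky names pdfid.py reports (normalizing #xx hex escapes in names the way pdfid does), and pulls out .exe strings the way the grep step did. The `_EXE_RE` pattern and the sample PDF bytes are my own assumptions.

```python
import re
from dataclasses import dataclass, field

PDF_MAGIC = b"%PDF-"  # magic bytes from the Wikipedia file-signature list used above
# Risky names counted by pdfid.py; a hit must be followed by a PDF delimiter
# (whitespace or ()<>[]{}/%) so that "/JS" does not also match "/JSX".
RISKY_NAMES = ["/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS", "/EmbeddedFile"]
_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"
# Hypothetical helper: a crude stand-in for the `grep -i ".exe"` step.
_EXE_RE = re.compile(rb"[\w.\\:-]+\.exe\b", re.IGNORECASE)

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in names (/Open#41ction -> /OpenAction), as pdfid does."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

@dataclass
class Triage:
    has_pdf_magic: bool
    counts: dict = field(default_factory=dict)
    exe_refs: list = field(default_factory=list)

def triage_pdf(data: bytes) -> Triage:
    """Repeat the write-up's manual checks: magic number, risky-name counts, .exe strings."""
    norm = normalize_names(data)
    counts = {n: len(re.findall(re.escape(n.encode()) + _DELIM, norm)) for n in RISKY_NAMES}
    exe_refs = sorted({m.decode(errors="replace") for m in _EXE_RE.findall(norm)})
    return Triage(data.startswith(PDF_MAGIC), counts, exe_refs)

# Constructed sample, not the challenge file: one hex-obfuscated /OpenAction pointing
# at a /Launch action that names a placeholder executable.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 3 0 R /Open#41ction 2 0 R >>
endobj
2 0 obj
<< /Type /Action /S /Launch /Win << /F (placeholder-payload.exe) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    t = triage_pdf(SAMPLE_PDF)
    print("PDF header:", "present" if t.has_pdf_magic else "MISSING")
    for name, n in t.counts.items():
        print(f"{name:>14} {n}")
    print(".exe references:", t.exe_refs)
```

Point `triage_pdf` at `open("README.pdf", "rb").read()` inside your isolated VM to get the same three answers from the real sample; a non-PDF input such as autorun.inf reports the header as missing, just as pdfid.py did above.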

Conclusion:

Mission accomplished! Let’s do a quick recap. We’ve successfully examined the USB drive’s Autorun.inf file and discovered that it launches README.pdf. Then we used VirusTotal to determine that the file is malicious, likely a backdoor trojan. After that, we used Didier Stevens’ pdfid.py, and pdf-parser.py to look more closely at the structure of the PDF where we found some suspicious OpenActions targeting Microsoft Windows. With the objectives completed, let’s close out this walkthrough of the Suspicious USB Stick challenge!

A big thank you to Blue Team Labs Online for another interesting challenge! I picked this lab for this week when I realized I have never had an occasion to analyze a USB drive. While this turned into light analysis of a PDF it was still a fantastic opportunity to explore the relation between autorun.inf and a weaponized PDF document. Any opportunity to practice with Didier Stevens’ PDF tools is always a good thing to keep in the rotation as the question of “is this PDF safe?” comes up often in the real world. I hope you had fun and learned something too!

If you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

Trend Micro — Autorun: https://www.trendmicro.com/vinfo/in/security/definition/autorun#:~:text=INF.,the%20infected%20drive%20is%20accessed.

VirusTotal: https://www.virustotal.com/gui/file/c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43

pdfid.py: https://blog.didierstevens.com/programs/pdf-tools/

Wikipedia: https://en.wikipedia.org/wiki/List_of_file_signatures

Lenny Zeltser — Analyzing Malicious Documents Cheat Sheet: https://zeltser.com/analyzing-malicious-documents/

Adobe Open Actions: https://helpx.adobe.com/acrobat/using/applying-actions-scripts-pdfs.html

MITRE ATT&CK — Replication Through Removable Media (T1091): https://attack.mitre.org/techniques/T1091/
