Exam CS0-002 topic 1 question 67 discussion

Actual exam question from CompTIA's CS0-002
Question #: 67
Topic #: 1

A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.
Which of the following commands would MOST likely indicate if the email is malicious?

  • A. sha256sum ~/Desktop/file.pdf
  • B. file ~/Desktop/file.pdf
  • C. strings ~/Desktop/file.pdf | grep "<script"
  • D. cat < ~/Desktop/file.pdf | grep -i .exe

Suggested Answer: A
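The four options side by side, as an added example that is not part of the exam question or of the discussion below: a Python script that builds a small constructed PDF (not real malware) whose /OpenAction runs a JavaScript action stored in a FlateDecode-compressed stream, then runs the equivalent of each option against it. The hash (A), the magic-byte check that `file` performs (B) and the `strings | grep` / `cat | grep` searches (C, D) are approximated in Python rather than shelled out; the function names, the sample document and the keyword list are this example's own assumptions.

```python
import hashlib
import re
import zlib


def build_sample_pdf() -> bytes:
    """Constructed sample (not real malware): a one-page PDF whose catalog
    /OpenAction points at a /JavaScript action, with the script body stored in
    a FlateDecode (zlib) stream so that plain `strings` and `grep` never see it."""
    js = b"this.exportDataObject({cName: 'update.exe', nLaunch: 2});"
    body = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    pdf = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(pdf))
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref_at = len(pdf)
    pdf += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        pdf += b"%010d 00000 n \n" % off
    pdf += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at)
    return bytes(pdf)


def sha256_hex(data: bytes) -> str:
    """Option A. A hash identifies the file; it only says 'malicious' once a
    reputation source (VirusTotal, a local IOC list) already knows that hash."""
    return hashlib.sha256(data).hexdigest()


def has_pdf_magic(data: bytes) -> bool:
    """Option B, roughly what `file` keys on: the %PDF- signature at offset 0.
    A PDF produced by an exploit kit passes this exactly like a benign one."""
    return data.startswith(b"%PDF-")


def grep_raw(data: bytes, pattern: bytes) -> bool:
    """Options C/D as written: a pattern over the bytes as they sit on disk.
    Anything inside a compressed stream is invisible here."""
    return re.search(pattern, data, re.IGNORECASE) is not None


def normalize_names(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/J#61vaScript == /JavaScript), a
    common obfuscation; undo that before keyword matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return every stream body, zlib-inflated where that succeeds. Uses the
    dictionary's direct /Length when present, otherwise scans to endstream."""
    bodies = []
    for m in re.finditer(rb"\bstream\r?\n", data):
        # The stream dictionary sits between the enclosing "N 0 obj" and the keyword.
        dict_text = data[max(data.rfind(b" obj", 0, m.start()), 0):m.start()]
        length = re.search(rb"/Length\s+(\d+)\s*(?:/|>>)", dict_text)
        start = m.end()
        if length:                                   # direct /Length: slice exactly
            raw = data[start:start + int(length.group(1))]
        else:                                        # indirect /Length: scan ahead
            end = data.find(b"endstream", start)
            raw = data[start:end if end != -1 else len(data)]
        try:
            d = zlib.decompressobj()                 # tolerant of trailing bytes
            bodies.append(d.decompress(raw) + d.flush())
        except zlib.error:
            bodies.append(raw)                       # not Flate (or damaged): keep as-is
    return bodies


# Trigger/action names a pdfid-style triage counts. Matched as whole PDF names
# so /JS does not also count /JSxyz.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                    b"/EmbeddedFile", b"/RichMedia", b"/URI"]


def scan_pdf(data: bytes) -> dict:
    """Deeper check: count suspicious names in the object dictionaries and in
    the inflated stream bodies, after undoing name escapes."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    hits = {}
    for name in SUSPICIOUS_NAMES:
        pat = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = sum(len(re.findall(pat, v)) for v in views)
        if count:
            hits[name.decode()] = count
    return hits


def scan_script_bodies(data: bytes, pattern: bytes) -> bool:
    """The option C/D style grep again, but over the inflated streams."""
    return any(re.search(pattern, s, re.IGNORECASE) for s in inflate_streams(data))


def triage(data: bytes) -> dict:
    """Run the four exam options and the deeper checks side by side."""
    return {
        "sha256": sha256_hex(data),                          # A: identity only
        "file_says_pdf": has_pdf_magic(data),                # B: magic bytes
        "strings_grep_script": grep_raw(data, rb"<script"),  # C: an HTML tag, not PDF syntax
        "grep_exe": grep_raw(data, rb"\.exe"),               # D: blind to compressed content
        "suspicious_names": scan_pdf(data),                  # /OpenAction + /JS is the real tell
        "exe_in_inflated_streams": scan_script_bodies(data, rb"\.exe"),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

On the sample, B reports a PDF, C and D find nothing because the script body is compressed, and A yields a hash that means nothing until it is matched against a reputation source; only after inflating the stream and matching whole PDF names (/OpenAction, /JavaScript, /JS) does the file look suspicious. Tools such as pdfid and pdf-parser do this properly, including the other stream filters this example does not handle.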

Comments

CodeMonkey2
6 days, 14 hours ago
By itself (A) just gives you a hash. (C) on the other hand will indicate if there is a script embedded in the PDF file. Going with (C).
upvoted 1 times
Alizadeh
3 weeks, 6 days ago
A is the correct answer
upvoted 1 times
TovarasulJon
1 month ago
Let's be realistic, most of the attachments delivered through email are not submitted in VirusTotal in order to check for the hash (think of targeted phishing campaign). And from my personal experience, if the file's hash is indeed on VT, alerts will trigger. I'll stick with C.
upvoted 1 times
White_T_10
1 month, 2 weeks ago
A it is. Read some about md5sum, sha256sum and sha1sum.
upvoted 1 times
somsom
1 month, 2 weeks ago
C is the answer, spelling errors and Adobe attachment
upvoted 1 times
americaman80
1 month, 3 weeks ago
A is the correct answer. source: https://resources.infosecinstitute.com/topic/analyzing-malicious-pdf/ "A launch action launches an application or opens or prints a document. We can use one of the many Adobe Acrobat exploits in the Metasploit framework to EMBED an exe with PDF." Since the .exe is embedded in the PDF, you are not going to visibly see the output if you were to strings or cat it, so the only thing left to do is get the hash and compare it to virustotal. I'm with ma66_726526 on this one.
upvoted 1 times
leif06
2 months, 1 week ago
I also go with C. Because it says "spelling errors", it indicates there is some code in it, and you can see it with the "strings" command.
upvoted 2 times
RokzyBalboa
2 months, 3 weeks ago
This is a tough one, but I have to go with C... according to: https://securityxploded.com/pdf_vuln_exploits.php "Adobe reader's top vulnerabilities come from Adobe specific javascript APIs." The search for <script> within the output of strings could be a way to locate the presence of javascript within PDF file.
upvoted 3 times
Obi_Wan_Jacoby
2 months, 3 weeks ago
I am also going with C here as well: https://unix.stackexchange.com/questions/6704/how-can-i-grep-in-pdf-files If the question were "What would the analyst do to grab data to run against a database to check for known malware", then I would go for A to get the hash.
upvoted 3 times
ma66_726526
2 months, 3 weeks ago
B will tell whether the file is actually a PDF, or an executable in disguise
upvoted 1 times
ma66_726526
2 months, 2 weeks ago
I tried all 4 answers on a Kali box, by creating a malicious PDF file (with a reverse shell code) using Metasploit.
B - Returned the file type as PDF (that makes my comment above incorrect)
C - No output
D - No output
Only remaining option is to get the hash value and query from a service like VirusTotal. Answer: A
upvoted 11 times
I_heart_shuffle_girls
2 months, 4 weeks ago
Have to go with D on this one. Compressed instructions won't display for strings. Taking a hash is out. File will not likely produce good data.
upvoted 1 times
I_heart_shuffle_girls
2 months, 3 weeks ago
I will revise my choice to A. B, C and D are all kind of crap shoots after downloading different malware samples and running the commands on them. A is still dookie, as you can custom create the PDFs easily, which would throw off the hash.
upvoted 1 times
elfaz
3 months ago
None of these alone would indicate anything, but if we took the hash and ran it against known malware hashes, this would be the best choice.
upvoted 1 times
