What is the email service used by the malicious actor?
To find the email service used by the malicious actor we need to check the Received field after opening the email in a text-editor.
What is the Reply-To email address?
If we open the file using Thunderbird, we can find the Reply-To email address.
What is the filetype of the received attachment which helped to continue the investigation?
Let's open the PDF file attached to the email.
So the file isn't opening. Maybe it is not really a PDF.
Using the file utility we can check the actual format of the file.
What is the name of the malicious actor?
Now that we know it is a ZIP file, we can rename it to PuzzleToCoCanDa.zip and then unzip it.
We can see that the ZIP file contains a file called GoodJobMajor.
If we use the exiftool utility on that file to check the metadata we can find the name of the malicious actor.
What is the location of the attacker in this Universe?
On opening the Money.xlsx file, we can see that there are two sheets: Sheet1 and Sheet3.
Let's covert both the sheets to text files so that we can view the content better.
If we open the Sheet3.txt file we can see some text that appears to be encrypted.
The == at the end indicates that the encryption is Base64.
We can use Cyberchef to decrypt the text.
What could be the probable C&C domain to control the attacker’s autonomous bots?
The attacker's name is Pestero Negeja and the reply-to email is negeja3921@pashter.com so we can guess the C&C domain used by the attacker.
