BTLO : The Planet’s Prestige

Download the file and open it with a text editor.

What is the email service used by the malicious actor?

What is the Reply-To email address?

What is the filetype of the received attachment which helped to continue the investigation?

When investigating the file it shows as a pdf attachment. However when downloading the attachment it is a zip folder. 

Unzipping the folder will give us 3 files.

What is the name of the malicious actor?

Use exiftool to find metadata from the files and the author name can be found.

What is the location of the attacker in this Universe?

Explore the the excel file and in the second sheet there will be a base64 code that is hidden in one of the cells.

Decoding the base64 code will reveal the location. 

What could be the probable C&C domain to control the attacker’s autonomous bots?

Since the reply address leads to a different address it is a possibility it is the C2 server.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: