CompTIA CySA+ (CS0-002) — Question 84
A user receives a potentially malicious attachment that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious?
Answer options
- A. sha256sum ~/Desktop/file.pdf
- B. file ~/Desktop/file.pdf
- C. strings ~/Desktop/file.pdf | grep -i .exe
- D. cat < ~/Desktop/file.pdf | grep -i .exe
Correct answer: C
Explanation
The command in option C, 'strings ~/Desktop/file.pdf | grep -i .exe', is effective because 'strings' extracts the printable, human-readable character sequences from the binary PDF and 'grep -i' then searches them (case-insensitively) for executable file indicators, which are common in malicious files. Options A and B provide the file's checksum and type identification, respectively, but do not analyze its content for threats. Option D also searches for executable strings, but piping the raw file through 'cat' sends unfiltered binary data to 'grep'; it lacks the extraction step that makes C more robust.