Open the file with a hex editor. Right at the beginning of the file, there's some suspicious JavaScript! It looks obfuscated, so let's deobfuscate it.
[https://deobfuscate.io/](https://deobfuscate.io/) tells us that it's likely from [https://obf-io.deobfuscate.io/](https://obf-io.deobfuscate.io/), so go over there to deobfuscate the code:
```
var whutisthis = 1;
this.print({
  bUI: true,
  bSilent: false,
  bShrinkToFit: true
});
```
Seems useless...
But, wait! There's a suspicious string array in the obfuscated code:
`['_15N7_17','60PQFHXK','125706IwDCOY','_l3jaf9c','1aRbLpO','i293m1d}','52262iffCez','211310EDRVNg','913730rOiDAg','10xwGGOy','4mNGkXM','log','747855AiEFNc','333153VXlPoX','1265584ccEDtU','7BgPRoR']`
In particular, the following strings seem like they could be part of the flag:

- `_15N7_17`
- `_l3jaf9c`
- `i293m1d}`

Hm. Well, there's an if statement here that checks if the variable `whutisthis` is equal to 1. What if we set it equal to 0 and deobfuscate that?
```
var whutisthis = 0;
function pdf() {
  a = "_15N7_17";
  b = "i293m1d}";
  c = "_l3jaf9c";
  console.log(a + c + b);
}
pdf();
```
So now we know our flag ends with "_15N7_17_l3jaf9ci293m1d}"!
If you go towards the end of the file, right above the large space of 0x20's, you'll find a suspicious string:
SW4gdGhpcyBxdWVzdGlvbiwgdGhlIGZsYWcgaGFzIGJlZW4gZGl2aWRlZCBpbnRvIDMgcGFydHMuIFlvdSBoYXZlIGZvdW5kIHRoZSBmaXJzdCBwYXJ0IG9mIHRoZSBmbGFnISEgVENQMVB7RDAxbjlfRjAyM241MUM1
This looks base64 encoded -- let's decode it! If you do, you'll get the following text:
In this question, the flag has been divided into 3 parts. You have found the first part of the flag!! TCP1P{D01n9_F023n51C5
So now we know our flag starts with "TCP1P{D01n9_F023n51C5", and we need one more part!
Admittedly, it took me a while to figure out what to do after this. However, I eventually thought -- what if something is hidden in the image file located on the PDF? Thus, I went to [https://tools.pdf24.org/en/extract-images](https://tools.pdf24.org/en/extract-images) to extract the image. To my surprise, there was actually another image hidden in the PDF file, which contained the last part of the flag!
_0N_pdf_f1L35_15_345y
In retrospect, this probably could have been observed by the following lines in the PDF file:
`<</Image11 10 0 R/Image12 11 0 R>>`
This implies that there is not just one but two images in this file, and thus it is suitable to extract the images to take a look at that second hidden image.
Thus, our flag is
TCP1P{D01n9_F023n51C5_0N_pdf_f1L35_15_345y_15N7_17_l3jaf9ci293m1d}
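
The three manual checks above (JavaScript keys, base64 runs, and image entries in the resource dictionary) can be scripted as a first triage pass over a suspicious PDF. This is an added example, not part of the original writeup; the function names and the sample bytes are constructed for illustration, and the scan only sees objects that are not inside compressed streams.

```python
import base64
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
# Resource names are chosen by the PDF producer; "ImageNN" is the form quoted above.
IMAGE_REF = re.compile(rb"/(Image\d+)\s+(\d+)\s+\d+\s+R")
JS_KEYS = (b"/JavaScript", b"/JS")

def printable_base64(data):
    """Return (offset, text) for base64-looking runs that decode to printable ASCII."""
    found = []
    for m in B64_RUN.finditer(data):
        run = m.group()
        if len(run) % 4:
            continue
        try:
            text = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        if text and all(32 <= c < 127 for c in text):
            found.append((m.start(), text.decode("ascii")))
    return found

def image_xobjects(data):
    """Map image resource names to object numbers, e.g. {'Image11': 10}."""
    return {m.group(1).decode(): int(m.group(2)) for m in IMAGE_REF.finditer(data)}

def triage(data):
    """Scan raw bytes only; objects inside compressed streams are not seen."""
    return {
        "javascript_keys": [k.decode() for k in JS_KEYS if k in data],
        "images": image_xobjects(data),
        "base64_text": printable_base64(data),
    }

# Constructed sample shaped like the fragments quoted in the writeup,
# not the actual challenge file.
NOTE = b"You have found the first part of the flag!! TCP1P{D01n9_F023n51C5"
SAMPLE = (
    b"%PDF-1.7\n"
    b"3 0 obj\n<</S/JavaScript/JS 5 0 R>>\nendobj\n"
    b"4 0 obj\n<</XObject<</Image11 10 0 R/Image12 11 0 R>>>>\nendobj\n"
    + base64.b64encode(NOTE) + b" " * 64 + b"\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

More image entries in the resource dictionary than images visible on the page is the cue to extract every image object, which is what revealed the second image here.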