
MBP#2

a guest
Nov 15th, 2014
ManBearPig pdf linking history @ enenews.com
-----------------------------------------------------------------------------------------------
disclosure: directly linked PDFs may be malicious files & a possible BIOS attack - BEWARE!!!
(the odds are extremely low, yet cannot be ruled out; a space has been added before :// to defang the links)
VirusTotal notes for most files (quote)
"Probably harmless! There are strong indicators suggesting that this file is safe to use."
Anubis seems potentially more revealing ...
-----------------------------------------------------------------------------------------------
October 11, 2014 at 12:24 am - http://enenews.com/latest-govt-models-show-typhoon-making-direct-hit-fukushima-center-vongfong-expected-be-nuclear-plant-tuesday-maps/comment-page-1#comment-585961
http ://www.safety.vanderbilt.edu/rad/nrc-reg-guide-8.13.pdf

October 15, 2014 at 8:57 pm - http://enenews.com/govt-issues-inundation-warning-fukushima-daiichi-years-strongest-storm-approaches-tepco-bracing-overflows-officials-warn-torrential-rains-landslides-ground-loosening-south-plant-danger-tornad/comment-page-3#comment-588258
http ://www.eurosafe-forum.org/files/pe_382_24_1_seminar2_01_2005.pdf

October 15, 2014 at 10:51 pm - http://enenews.com/govt-issues-inundation-warning-fukushima-daiichi-years-strongest-storm-approaches-tepco-bracing-overflows-officials-warn-torrential-rains-landslides-ground-loosening-south-plant-danger-tornad/comment-page-3#comment-588362
http ://earth.geology.yale.edu/~ajs/1960/ajs_258A_11.pdf/151.pdf
https://www.virustotal.com/en/file/40cc4cc26b57e41e55f327634891a5386b7621de999572e26fabefeffa48c0da/analysis/1416046750/
Quote: "This PDF document contains AcroForm objects. AcroForm Objects can specify and launch scripts or actions, that is why they are often abused by attackers."
http://anubis.iseclab.org/?action=result&task_id=173d2c99c7ef13cb45531df4c08326f25&format=html
http ://anubis.iseclab.org/?action=result&task_id=173d2c99c7ef13cb45531df4c08326f25&download=traffic.pcap
https://www.virustotal.com/en/file/0c43d1c08e84475c91e622b1efdee19abfae1ac2a551d7906329cf87b66fdb57/analysis/1416069787/
Quote: "PCAP file! The file being studied is a network traffic capture, when studying it with intrusion detection systems Snort triggered 1 alert and Suricata triggered 3 alert."
... "Intrusion Detection System
Snort 1 alert
Suricata 3 alerts"
... "Wireshark file metadata
File encapsulation Ethernet
Number of packets 120
Data size 89088 bytes"
... "Snort alerts Sourcefire VRT ruleset
BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (Attempted User Privilege Gain)
Suricata alerts Emerging Threats ETPro ruleset
ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic)
ET POLICY Internet Explorer 6 in use - Significant Security Risk (Potential Corporate Privacy Violation)
ET INFO PDF Using CCITTFax Filter (Potentially Bad Traffic)"
... "earth.geology.yale.edu 130.132.22.55"
(note: not definitive, flagged for further investigation)

October 17, 2014 at 1:23 am - http://enenews.com/pbs-plague-hit-west-coast-hard-year-biologists-fear-species-going-extinct-experts-largest-outbreak-oceans-terms-numbers-species-affected-geographic-scale-mortality-people-kids-before-theyre-all/comment-page-2#comment-589179
https ://www.orau.org/ptp/PTP%20Library/library/Subject/Plutonium/plutonium2.pdf
https://www.virustotal.com/en/url/67f8b5abd8979c791f2786a1e0d177e11e62b1beaaf4b13ac05f2ef08681bc12/analysis/
Quote: "HTTP Communication error - There was an unexpected error when trying to retrieve the response"
http://anubis.iseclab.org/?action=result&task_id=1e7a67a95f43b5114c915fef8f923c38a&format=html

October 17, 2014 at 12:42 pm - http://enenews.com/top-5/comment-page-1#comment-589403
http ://energy.utexas.edu/files/2014/06/Eslinger-2014-JER-Fukushima-Source.pdf
https://www.virustotal.com/en/file/25ce9ab8f93a2f23b4763ccb77f520da27c392438216eb98b1b043e0375bf1c2/analysis/1416046843/
Quote: "This PDF file contains an open action to be performed when the document is viewed. Malicious PDF documents with JavaScript very often use open actions to launch the JavaScript without user interaction.
This PDF document contains 17 object streams. A stream object is just a sequence of bytes and very often is only used to store images and page descriptions, however, since it is not limited in length many attackers use these artifacts in conjunction with filters to obfuscate other objects."
http://anubis.iseclab.org/?action=result&task_id=1b0d5dd14764399646db2c039779928c4&format=html

October 17, 2014 at 12:48 pm - http://enenews.com/top-5/comment-page-1#comment-589414
http ://energy.utexas.edu/files/2014/06/Eslinger-2014-JER-Fukushima-Source.pdf
as above (copy)

October 17, 2014 at 11:32 pm - http://enenews.com/top-5/comment-page-1#comment-589912
http ://digitool.library.colostate.edu///exlibris/dtl/d3_1/apache_media/L2V4bGlicmlzL2R0bC9kM18xL2FwYWNoZV9tZWRpYS8yMDc5Mjg=.pdf
https://www.virustotal.com/en/file/ac73c4ab320a3f290a10406e95d217939340688792f12797ed5736a2c2acdb4f/analysis/1416046547/
Quote: "This PDF file contains 1 JavaScript block. Malicious PDF documents often contain JavaScript to exploit JavaScript vulnerabilities and/or to execute heap sprays. Please note you can also find JavaScript in PDFs without malicious intent."
http://anubis.iseclab.org/?action=result&task_id=18f7d9ce635b77ce41d85d8497637249e&format=html

October 17, 2014 at 11:36 pm - http://enenews.com/top-5/comment-page-1#comment-589918
http ://www.ans.org/pi/ps/docs/ps47-bi.pdf
https://www.virustotal.com/en/file/2c4223ea228a88540001d1b99fbd5f1316df2270ee886ec955fd7e24a08b50aa/analysis/1416047170/
Quote: "This PDF document contains 9 object streams. A stream object is just a sequence of bytes and very often is only used to store images and page descriptions, however, since it is not limited in length many attackers use these artifacts in conjunction with filters to obfuscate other objects."
http://anubis.iseclab.org/?action=result&task_id=193d2f7a4c9b9083441ed989f97831934&format=html
http ://anubis.iseclab.org/?action=result&task_id=193d2f7a4c9b9083441ed989f97831934&download=traffic.pcap
https://www.virustotal.com/en/url/03c8e9fd29f38d617ffb906874759641498513c6061f724734ef0feeb8f2542b/analysis/1416070919/
(inconclusive - download & upload to Anubis)
https://www.virustotal.com/en/file/7a794cd011c3f5bf64aef63affc33cfb89776b75eb2cfee428a2d7056f2dcac6/analysis/1416071001/
Quote: "PCAP file! The file being studied is a network traffic capture, when studying it with intrusion detection systems Snort triggered 2 alerts and Suricata triggered 2 alerts."
... "Intrusion Detection System"
... "Snort 2 alerts
Suricata 2 alerts"
... "Wireshark file metadata
File encapsulation Ethernet
Number of packets 63
Data size 41788 bytes"
... "Snort alerts Sourcefire VRT ruleset
(spp_sdf) SDF Combination Alert (Sensitive Data was Transmitted Across the Network)
BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (Attempted User Privilege Gain)
Suricata alerts Emerging Threats ETPro ruleset
ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic)
ET POLICY Internet Explorer 6 in use - Significant Security Risk (Potential Corporate Privacy Violation)"
... "DNS requests www.ans.org 206.222.45.7, 173.167.163.230, 199.19.56.1"
(note: not definitive, flagged for further investigation - 3 separate IP addresses though???)

October 17, 2014 at 11:38 pm - http://enenews.com/top-5/comment-page-1#comment-589922
http ://web.ornl.gov/~webworks/cpr/v823/rpt/109264.pdf

October 17, 2014 at 11:39 pm - http://enenews.com/top-5/comment-page-1#comment-589924
https ://www.oecd-nea.org/science/docs/2007/nsc-doc2007-6.pdf
https://www.virustotal.com/en/file/945c79fa9bbef9286b01f422e284c6fe2189ff21f5c6e5f9732b8718e5bb4394/analysis/1416064139/
Quote: "This PDF file contains 1 JavaScript block. Malicious PDF documents often contain JavaScript to exploit JavaScript vulnerabilities and/or to execute heap sprays. Please note you can also find JavaScript in PDFs without malicious intent.
This PDF document contains at least one embedded file. Embedded files can be used in conjunction with launch actions in order to run malicious executables in the machine viewing the PDF."
http://anubis.iseclab.org/?action=result&task_id=19a05d41e78269f34257819cc626e920d&format=html

October 19, 2014 at 11:35 am - http://enenews.com/top-5/comment-page-1#comment-590754
http ://www-pub.iaea.org/MTCD/publications/PDF/te_1601_web.pdf
https://www.virustotal.com/en/file/08df0e133e48e87325ca0aa8e083f51afb7a4738efa239989103c30813bde194/analysis/1416047503/
Quote: "This PDF file contains an open action to be performed when the document is viewed. Malicious PDF documents with JavaScript very often use open actions to launch the JavaScript without user interaction.
This PDF document contains AcroForm objects. AcroForm Objects can specify and launch scripts or actions, that is why they are often abused by attackers.
This PDF document has Digital Rights Management or needs a password to be read."
http://anubis.iseclab.org/?action=result&task_id=10acd33d394d7230419600d32bda8597b&format=html

October 20, 2014 at 11:49 pm - http://enenews.com/govt-report-reveals-fukushima-radioactive-release-larger-chernobyl-japan-reactors-could-emitted-four-times-cesium-137/comment-page-1#comment-591781
http ://behavior.vetmed.ucdavis.edu/local-assets/pdfs/Inappropriate_Mounting_in_Dogs.pdf

October 23, 2014 at 5:08 pm - http://enenews.com/sailor-fukushima-impact-dead-thousands-miles-pacific-ocean-between-japan-talking-about-makes-feel-like-cry-birds-fish-sharks-dolphins-turtles-theyre-all-gone-audio/comment-page-1#comment-593778
http ://apps.who.int/iris/bitstream/10665/78373/1/WHO_HSE_PHE_2013.1_eng.pdf
https://www.virustotal.com/en/file/aed62e6804e87473726e4c85f2a6b83b8497425eca7c2a06323705aacbe83058/analysis/1416046642/
Quote: "This PDF document contains 1 object stream. A stream object is just a sequence of bytes and very often is only used to store images and page descriptions, however, since it is not limited in length many attackers use these artifacts in conjunction with filters to obfuscate other objects."
http://anubis.iseclab.org/?action=result&task_id=1e10c80ec7f86eaa4d5ac2c601dec32ac&format=html
(Adobe Updater triggered)
http ://anubis.iseclab.org/?action=result&task_id=1e10c80ec7f86eaa4d5ac2c601dec32ac&download=traffic.pcap
https://www.virustotal.com/en/url/fee4fac9788a6f12b92816ef7eabec7401bc273652449f75b782fbd5e5bf9c99/analysis/1416072656/
(inconclusive - download & upload to Anubis)
https://www.virustotal.com/en/file/37bd9de6bbdb7dbb472612866eff65e94439023b60062a906c70667de3e7ef8e/analysis/1416072923/
Quote: "PCAP file! The file being studied is a network traffic capture, when studying it with intrusion detection systems Snort triggered 0 alerts and Suricata triggered 2 alerts."
... "Intrusion Detection System"
... "Snort 0 alerts
Suricata 2 alerts"
... "Wireshark file metadata
File encapsulation Ethernet
Number of packets 98
Data size 48564 bytes"
... "DNS requests apps.who.int 158.232.12.85"
... "Suricata alerts Emerging Threats ETPro ruleset
ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic)
ET POLICY Internet Explorer 6 in use - Significant Security Risk (Potential Corporate Privacy Violation)"
(note: not definitive, flagged for further investigation)
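The VirusTotal notes quoted above all come down to the same handful of PDF structures: open actions, AcroForm objects, JavaScript blocks, embedded files and object streams. The script below is an added example (not part of the paste, and not VirusTotal's or Anubis's code) that performs the same kind of offline static triage on a file's raw bytes, undoing the #xx hex escapes that PDF names allow so that an obfuscated name like /Java#53cript is still counted; the indicator list, the "active content" grouping and the sample PDF are my own constructions.

```python
import re
from collections import Counter

# PDF name objects behind the VirusTotal heuristics quoted above (open actions,
# AcroForm, JavaScript, embedded files, object streams); list is my own selection.
INDICATORS = {
    "/OpenAction": "action performed when the document is opened",
    "/AA": "additional action, triggered by a page or form event",
    "/AcroForm": "interactive form that can carry scripts or actions",
    "/JavaScript": "JavaScript action dictionary",
    "/JS": "JavaScript code string or stream",
    "/Launch": "launch action (can start a program)",
    "/EmbeddedFile": "embedded file stream",
    "/ObjStm": "object stream, can hide other objects behind a filter",
}
# Indicators that by themselves warrant a closer look; forms and object
# streams alone are common in benign documents (as the WHO file above shows).
ACTIVE = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile"}

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/Open#41ction -> /OpenAction), which
    defeat naive keyword scans. Applied to the whole file as a heuristic."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_indicators(data: bytes) -> Counter:
    """Count each indicator as a whole name token (so /JS does not match /JSX)."""
    text = normalize_names(data)
    counts = Counter()
    for name in INDICATORS:
        hits = re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9_])", text)
        if hits:
            counts[name] = len(hits)
    return counts

def triage(data: bytes) -> dict:
    """Summarise hits and flag the file if any active-content indicator is present."""
    counts = pdf_indicators(data)
    return {"counts": dict(counts), "suspicious": any(n in ACTIVE for n in counts)}

# Constructed sample (not a real file from the page): a minimal PDF skeleton with
# an open action pointing at a JavaScript action whose name is hex-obfuscated.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj << /S /Java#53cript /JS () >> endobj\n"
              b"4 0 obj << /Type /ObjStm /N 1 /First 5 >> stream\nendstream endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run it against a downloaded PDF with `triage(open(path, "rb").read())`; like the VirusTotal notes, a hit is a reason to look closer (pdf-parser, a sandbox such as Anubis), not proof of malice.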