Phishing PDF with Unusual Hostname
Last Updated: 2020-05-02 20:44:50 UTC
by Guy Bruneau (Version: 1)
Taking a look with pdfid.py at a PDF received 2 days ago to update Amazon Prime account information:
This PDF contains /URI which might be of interest. Using pdf-parser.py, I generated some statistics (-a) like this:
And here I print the URL (/URI) in the pdf like this:
This hostname is a bit unusual, https[:]//903-63-845-845-matikaudekdek54yy4[.]com/l57kU89. I tried to get a copy of the suspicious file but the hostname was no longer resolving. The only information I was able to find about this hostname was from Domain State indicating that domain had already been deleted. No other cache or otherwise information available about this hosname.
Guy Bruneau IPSS Inc.
My Handler Page
gbruneau at isc dot sans dot edu