Phishing PDF with Unusual Hostname

Published: 2020-05-02. Last Updated: 2020-05-02 20:44:50 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Taking a look with pdfid.py at a PDF received 2 days ago to update Amazon Prime account information:

This PDF contains /URI which might be of interest. Using pdf-parser.py, I generated some statistics (-a) like this:

And here I print the URL (/URI) in the pdf like this:

This hostname is a bit unusual, https[:]//903-63-845-845-matikaudekdek54yy4[.]com/l57kU89. I tried to get a copy of the suspicious file but the hostname was no longer resolving. The only information I was able to find about this hostname was from Domain State indicating that domain had already been deleted. No other cache or otherwise information available about this hosname.

[1] www.domainstate.com/domain/sixdns.net

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: Analysis PDF pdfid pdfparser Phishing
0 comment(s)

Comments

Login here to join the discussion.


Diary Archives