Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Phishing PDF with Unusual Hostname

Published: 2020-05-02
Last Updated: 2020-05-02 20:44:50 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Taking a look with at a PDF received 2 days ago to update Amazon Prime account information:

This PDF contains /URI which might be of interest. Using, I generated some statistics (-a) like this:

And here I print the URL (/URI) in the pdf like this:

This hostname is a bit unusual, https[:]//903-63-845-845-matikaudekdek54yy4[.]com/l57kU89. I tried to get a copy of the suspicious file but the hostname was no longer resolving. The only information I was able to find about this hostname was from Domain State indicating that domain had already been deleted. No other cache or otherwise information available about this hosname.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)
Diary Archives