SANS ISC: Phishing PDF with Unusual Hostname

Taking a look with pdfid.py at a PDF received 2 days ago, purporting to ask for an update of Amazon Prime account information:

This PDF contains a /URI entry, which might be of interest. Using pdf-parser.py, I generated some statistics (-a) like this:

And here I print the URL (/URI) contained in the PDF like this:

This hostname is a bit unusual: https[:]//903-63-845-845-matikaudekdek54yy4[.]com/l57kU89. I tried to get a copy of the suspicious file, but the hostname was no longer resolving. The only information I was able to find about this hostname was from Domain State [1], indicating that the domain had already been deleted. No cached copy or other information about this hostname was available.

[1] www.domainstate.com/domain/sixdns.net
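The extraction above is done with pdfid.py and pdf-parser.py. As an added example (it is not part of the diary and it is not pdf-parser.py's own code), the script below does the same /URI hunt over the raw bytes of a PDF with a regular expression, handling both literal `( )` and hexadecimal `< >` string forms, then defangs each URL in the same `[:]` / `[.]` style used above and flags hostnames whose first DNS label is built from several numeric groups, which is the pattern that makes the diary's hostname look odd. The sample PDF, the `*.invalid` hostnames and the `numeric_groups` threshold are constructed for the demonstration, not taken from the phishing file.

```python
"""Pull /URI targets out of a PDF, defang them, and flag unusual hostnames.

Added example: a raw-bytes regex scan rather than pdf-parser.py's object
parser. The PDF below is constructed for the demo (no xref/trailer, since
the scan does not need them); it is NOT the phishing PDF from the diary.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: one Link annotation with a literal-string /URI and a
# stray action object with a hex-string /URI (bytes of "https://www.example.com/").
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://903-63-845-845-example.invalid/l57kU89) >> >> endobj
5 0 obj << /S /URI /URI <68747470733a2f2f7777772e6578616d706c652e636f6d2f> >> endobj
%%EOF
"""

# /URI followed by either a literal string (backslash escapes allowed) or a
# hex string. "/S /URI" alone has no value after it and is skipped naturally.
_URI_RE = re.compile(
    rb'/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)', re.DOTALL
)


def _decode_literal(raw: bytes) -> str:
    # Unescape \( \) \\ (octal escapes are not handled in this small demo).
    return re.sub(rb'\\(.)', rb'\1', raw, flags=re.DOTALL).decode('latin-1')


def _decode_hex(raw: bytes) -> str:
    h = re.sub(r'\s', '', raw.decode('ascii'))
    if len(h) % 2:           # PDF spec: a trailing odd digit is padded with 0
        h += '0'
    return bytes.fromhex(h).decode('latin-1')


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target found in the PDF bytes, in file order."""
    out = []
    for lit, hexs in _URI_RE.findall(pdf):
        out.append(_decode_literal(lit) if lit else _decode_hex(hexs))
    return out


def defang(url: str) -> str:
    """Render a URL safe to paste into a report: https[:]//host[.]tld/path."""
    return url.replace('://', '[:]//').replace('.', '[.]')


def hostname(url: str) -> str:
    return urlsplit(url).hostname or ''


def numeric_groups(host: str) -> int:
    """Count all-digit, hyphen-separated groups in the leftmost DNS label."""
    first_label = host.split('.')[0]
    return sum(1 for g in first_label.split('-') if g.isdigit())


def looks_unusual(host: str, threshold: int = 3) -> bool:
    """Heuristic (constructed): three or more numeric groups is worth a look."""
    return numeric_groups(host) >= threshold


def triage(pdf: bytes) -> list:
    """One record per /URI: raw URL, defanged form, host, and the heuristic flag."""
    records = []
    for url in extract_uris(pdf):
        host = hostname(url)
        records.append({
            'url': url,
            'defanged': defang(url),
            'host': host,
            'unusual': looks_unusual(host),
        })
    return records


if __name__ == '__main__':
    for rec in triage(SAMPLE_PDF):
        flag = 'UNUSUAL' if rec['unusual'] else 'ok'
        print(f"{flag:8} {rec['defanged']}")
```

Run it against a real sample with `triage(open('file.pdf', 'rb').read())`; the regex approach only sees /URI values that are not inside compressed object streams, which is exactly why pdf-parser.py (which can inflate streams) remains the better tool for anything beyond a quick first look.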

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
