Phishing PDF with Unusual Hostname

Taking a look with at a PDF received 2 days ago to update Amazon Prime account information:

This PDF contains /URI which might be of interest. Using, I generated some statistics (-a) like this:

And here I print the URL (/URI) in the pdf like this:

This hostname is a bit unusual, https[:]//903-63-845-845-matikaudekdek54yy4[.]com/l57kU89. I tried to get a copy of the suspicious file but the hostname was no longer resolving. The only information I was able to find about this hostname was from Domain State indicating that domain had already been deleted. No other cache or otherwise information available about this hosname.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


528 Posts
ISC Handler
May 2nd 2020

Sign Up for Free or Log In to start participating in the conversation!