I received several PDFs like these in the past few days in my ISC mailbox and decided to look at 3 that were very similar. All 3 files are a one-page picture with nothing else in them except a URL. Looking at the first one using Didier's pdfid.py tool:

There is something interesting in all 3 of them: they all have a URL (/URI) embedded in them. Using pdf-parser.py, let's extract the URLs:

PDF 1

What is interesting about all 3 emails is that they all have the same behavior with the same location /a/. The first 2 URLs do not resolve; only aleksalekss[.]ru resolves, to 80.66.78.78, which was recently activated on the 28 March 2022. Several files have been submitted to VirusTotal in the past 4 days with 0 to low detection [1]. None of the 3 files below had any matches (submissions) in VirusTotal.

Indicators of Compromise (IOCs)

Domains & IP
lsochi-tour[.]ru/a/

Hashes
183ca34d4b44b7829691914f061bc464d3ac69242e447376b3c9ac6b17e9cecf 31395491-c4be-410a-bced-33c5ffa3dfa8.pdf

[1] https://www.virustotal.com/gui/ip-address/80.66.78.78/relations
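The triage above (count the keywords with pdfid.py, pull the /URI targets with pdf-parser.py, then notice that every file points at the same /a/ location) can be scripted for a mailbox full of these. The following is an added example written for this diary, not Didier Stevens' tools or any code from the ISC handler. It scans raw PDF bytes for the same keywords pdfid.py counts, extracts /URI literal strings, defangs them for an IOC list, and groups files by the URL path they share. The embedded sample PDF and its domain (example.invalid) are constructed placeholders, not one of the diary's files. One caveat: it only sees uncompressed objects, so a /URI hidden inside a compressed object stream (/ObjStm) still needs pdf-parser.py's stream decoding.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed sample (not one of the diary's files): a minimal one-page PDF
# whose only content is a full-page link annotation with a /URI action, the
# structure the diary describes. The domain is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (http://example.invalid/a/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords worth counting, in the spirit of pdfid.py: /URI for link actions,
# plus a few that would indicate active content rather than a plain picture.
KEYWORDS = (b"/URI", b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch", b"/AA")

# /URI followed by a PDF literal string; backslash-escaped characters inside
# the parentheses are tolerated so an escaped ')' does not end the match early.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def keyword_counts(pdf_bytes: bytes) -> dict:
    """Count raw keyword occurrences the way pdfid.py does. Note that
    '/S /URI /URI (...)' counts /URI twice: once as the action type, once as the key."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"\b", pdf_bytes))
            for k in KEYWORDS}


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in uncompressed objects.
    Objects inside compressed object streams are not visible to this scan."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = (m.group(1).replace(b"\\(", b"(")
                         .replace(b"\\)", b")")
                         .replace(b"\\\\", b"\\"))
        uris.append(raw.decode("latin-1"))
    return uris


def defang(url: str) -> str:
    """Render a URL safe for an IOC list: http -> hxxp, dots in the host -> [.]"""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    return f"{scheme}://{host}{tail}"


def shared_paths(uris_per_file: dict) -> dict:
    """Group file names by the URL path they link to, to spot a campaign where
    different domains all use the same location (the diary's '/a/')."""
    groups = {}
    for name, uris in uris_per_file.items():
        for u in uris:
            path = urlsplit(u).path or "/"
            groups.setdefault(path, set()).add(name)
    return groups


def main(argv):
    files = argv[1:]
    blobs = {}
    if files:
        for f in files:
            with open(f, "rb") as fh:
                blobs[f] = fh.read()
    else:
        blobs["sample.pdf"] = SAMPLE_PDF  # fall back to the constructed sample
    per_file = {}
    for name, data in blobs.items():
        print(name, keyword_counts(data))
        per_file[name] = extract_uris(data)
        for u in per_file[name]:
            print("  URI:", defang(u))
    for path, names in shared_paths(per_file).items():
        if len(names) > 1:
            print(f"path {path!r} shared by {sorted(names)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with one or more PDF paths as arguments; with no arguments it analyses the embedded sample. A file whose keyword counts show /URI but none of the active-content keywords matches the profile of these "picture plus link" lures, and any path shared across several files with different domains is the kind of campaign marker the diary points out.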
Guy (ISC Handler), May 7th 2022