Reader Fred submitted a suspicious PDF received via email.

It’s a classic phishing PDF (for the Apple Store), like I have analyzed here in previous diary entries. It can be quickly analyzed with pdfid and pdf-parser, like this:

Notice the long URL, with another URL as parameter at the end: this first URL is a redirector.

The second URL, bitleyco, is an URL shortener:

It has some interesting features for an attacker, like Geotargeting and Device targeting:

And also statistics: just append a plus (+) to the URL and you get statistics. Unfortunately for me, I got a 404 for the phishing URL.

This URL shortening service is not very popular:

So you can add this domain (bitleyco dot cc) to your blocklist, your business will not be impacted.

If you know more about this URL shortener, or if it looks similar to other URL shorteners, please post a comment.

Update: I found what software it is: Premium URL Shortener.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com