I received several PDF like these in the past few days in my ISC mailbox and decided to look at 3 that were very similar. All 3 files are a one page picture with nothing else in it except a URL.

Looking at the first one using Didier's pdfid.py tool:

There is something interesting in all 3 of them, they all have a URL (/URI) embedded in them. Using pdf-parser.py, lets extract the URLs:

PDF 1

PDF 2

PDF 3

What is interesting about all 3 email is they all have the same behavior with the same location /a/. The first 2 URLs do not resolve, only aleksalekss[.]ru resolve to 80.66.78.78 which was recently activated on the 28 March 2022. Several files have been submitted to VirusTotal in the past 4 days with 0 to low detection[1]. None of the 3 files below had any matches (submissions) in VirusTotal.

Indicator of Compromised (IOCs)

Domains & IP

lsochi-tour[.]ru/a/
ljmail1[.]ru/a/
aleksalekss[.]ru/a/ [4]
80.66.78.78 [2][3]

Hashes

183ca34d4b44b7829691914f061bc464d3ac69242e447376b3c9ac6b17e9cecf  31395491-c4be-410a-bced-33c5ffa3dfa8.pdf
71a43d397b93206e7834e7e85b230b4e8391546c37a9b23bfe94d66f573deedc  3c269e40-66de-4b73-927d-d432a657f3c5.pdf
5c0c5306b1ca1f5c98bcb050fa31407318ab3a8ff4ecd44365cc1d32acb553e9  f9098979-c185-4256-bec9-5ea786d7ac7a.pdf

[1] https://www.virustotal.com/gui/ip-address/80.66.78.78/relations
[2] https://cybergordon.com/result.html?id=422bee43-b3d2-49db-8b29-2d1287b1f195
[3] https://otx.alienvault.com/indicator/ip/80.66.78.78
[4] https://otx.alienvault.com/indicator/domain/aleksalekss.ru

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu