A document was scanned and sent to you using a Hewlett-Packard JET ON4412867SSent to you by: KRYSTINReally, I think it's been years since I last saw this type of phish. The initial URL runs through three secondary URLs (a .com, .ro, and .ir) that in turn point to a single host (18.104.22.168). At the time of this phish all three secondaries and the host were alive and serving the scam. The payload when I research the .ro link, the payload (using curl) at 16:43 PDT. The payload reported by another blogger dynamoo. The payload now on .ir link -- note that the folks in IR appear to have now blocked the scam, or are running something else, I am leaving their CGI alone.
Pages : 6
Filetype: Image (.jpeg) View
Device: OP218S5OD2054128Mailprint: d72e6d72-e624bbbb
A document was scanned and sent to you using a Hewlett-Packard JET ON4412867S
Sent to you by: KRYSTIN
Pages : 6
Filetype: Image (.jpeg) View http://donteverclickalinkinemail.example.com/oCzgKm43/index.html
According to wepawet the payload contains two vulnerabilities first reported in 2010, here, and here. The Adobe Reader vulnerability applies up to 9.3 and the Microsoft applies to Win2003sp2. So that's a decent target space.
What did I learn today?
This phish is harder to detect on my phone, see image :