{“lastseen”:”2025-12-17T14:05:13″,”description”:”_A PDF named \\”`NEW Purchase Order # 52177236.pdf`\\” turned out to be a phishing lure. So we analyzed the phishing script behind it._\\n\\nA customer contacted me when Malwarebytes blocked the link inside a \u201cpurchase order\u201d email they had received. \\n\\n\\nMalwarebytes blocked this ionoscloud.com subdomain\\n\\nWhen I examined the attachment, it soon became clear why we blocked it.\\n\\nThe visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:\\n\\nHovering over the button to see where it goes\\n\\nSince I\u2019m rarely able to control my curiosity, I temporarily added an exclusion to Malwarebytes’ web protection so I could see where the link would take me. The destination was a website displaying a login form with the target\u2019s email address already filled in (the address shown here was fabricated by me):\\n\\n\\n\\nThe objective was clear: phishing. But the site’s source code didn’t reveal much.\\n\\nThe most likely objective was to harvest business email addresses and their passwords. Attackers commonly test these credentials against enterprise services such as Microsoft Outlook, Google Workspace, VPNs, file-sharing platforms, and payroll systems. The deliberately vague prompt for a \u201cbusiness email\u201d increases the likelihood that users will provide corporate credentials rather than personal ones.\\n\\nThere was also a small personalization touch. The \\”Estimado\\” greeting sets a professional tone and is common in business correspondence across Spanish-speaking regions.\\n\\nFor a full analysis read on, but the real clue is that the harvested credentials accompanied additional information about the victim’s browser, operating system, language, cookies, screen size, and location. This data was sent directly to the scammer\u2019s account on Telegram, where it’s likely to be used to compromise the business network or sold on to other cybercriminals.\\n\\nA quick search on VirusTotal showed that there were several PDF files linking to the exact same `ionoscloud.com` subdomain.\\n\\n## Analysis\\n\\nAs I pointed out earlier, the source code of the initial phishing page did not reveal a lot. These are probably auto-generated templates that can be planted on any website, allowing attackers a fast rotation.\\n\\n\\n\\n`ionoscloud.com` belongs to IONOS Cloud, the cloud infrastructure division of IONOS, a major European hosting company. It offers services similar to Amazon AWS or Microsoft Azure, including hosting for websites and files. Scammers specifically choose reputable cloud platforms like IONOS Cloud because of the \u201chalo effect\u201d of being hosted at a well-known domain, which means security companies can\u2019t just block the whole domain.\\n\\nThe criminals also get the flexibility to quickly spin up, modify, or tear down phishing sites and continue to evade detection by moving to new URLs or storage buckets.\\n\\nSo, we followed the trail to a JavaScript file, which turned out to be obfuscated script\u2014and a long one at that. But the end of it looked promising.\\n\\n113,184 lines of code\\n\\nSince it was still unclear at this point what it was up to, I made a change to the script to avoid infection and which allowed me to get the source code without executing the script. To achieve this, I replaced the last line of the original script with code that exports the next layer to an HTML file.\\n\\n\\n\\nThe next obfuscation layer turned out to be easy. All it contained was a long string that needed to be unescaped. Because of the length, I used an online decoder to do that for me.\\n\\nSimple unescape script\\n\\nThis showed me the code for the actual form that the target would see\u2014and the goal of the whole phishing expedition.\\n\\nThe part that did the actual harvesting was hidden in another script.\\n\\n\\n\\nThis was still pretty long and obfuscated but by analyzing the code and giving the functions readable names I managed to find out which information the script gathered. For example, the script uses the ipapi location service:\\n\\nDeobfuscated location script\\n\\nAnd I found out where it sent the details. \\n\\n\\nTelegram bot function\\n\\nAny credentials entered on the phishing page are POSTed directly to the attacker’s Telegram bot and immediately forwarded to their chosen Telegram chat for collection. The Telegram chat ID hardcoded in the script was 5485275217.\\n\\n## How to stay safe\\n\\nThe advice here is pretty standard. (Do as our customer did, not as I did.)\\n\\n * Phishing and malware campaigns frequently use PDF files, so treat them like any other attachment: don\u2019t open until the trusted sender confirms sending you one.\\n * Never click links inside attachments without verifying with the sender, especially if you weren’t expecting the message or don’t know the sender.\\n * Always check the address of any website asking for your login details. A password manager can help here, as it won’t auto-fill credentials on a fake site.\\n * Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.\\n * Use an email security solution that can detect and quarantine suspicious attachments.\\n\\n\\n\\n**Pro tip:** Malwarebytes Scam Guard recognized the screenshot of the PDF as a phishing attempt and provided advice on how to deal with it.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2025-12-17T13:38:00″,”modified”:”2025-12-17T13:38:00″,”type”:”malwarebytes”,”title”:”Inside a purchase order PDF phishing campaign”,”source”:””,”references”:””,”id”:”MALWAREBYTES:794A60557F57FB77B84923C18276955A”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2025\/12\/inside-a-purchase-order-pdf-phishing-campaign”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-17T14:05:13″,”description”:”_A PDF named \\”`NEW Purchase Order # 52177236.pdf`\\” turned out to be a phishing lure. So we analyzed the phishing script behind it._\\n\\nA customer contacted…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-31538","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n