Domain Spoofing and Malicious PDF Delivery in Executive Impersonation Campaign
ID: 01bcf6a2-19f0-4182-b0c2-99211905da90
STIX ID: report--01bcf6a2-19f0-4182-b0c2-99211905da90
Threat Score: 60/100
A targeted email campaign impersonated a logistics company CEO, sending a PDF (Q2_Strategy_Update.pdf) that linked to https://corporate-review-center.net/secure/open?id=88421. The link delivered a JavaScript downloader (update_review.js) which invoked PowerShell to retrieve an additional payload from IP 172.105.14.91; indicators include the spoofed sender, attachment name, redirect URL, JS filename, and download IP.
