
I received an email at work the other day from a client (with the correct email address) that had a PDF attached. When I opened the PDF, it said the client had required the recipient to log in to Outlook in order to view it. I attempted to log in and the only thing that happened was the Google homepage opened automatically in a new tab. Forty-eight hours later, our work email was hacked.

I inspected the HTML associated with the icon (posted below) and it actually turns out it is a PNG. Further, all the https addresses in the chunk of code had no flags on VirusTotal. I was hoping to find an .exe file or some URL to a malicious site that would indicate any potential malware, but there does not seem to be any.

How can I further look into this to see if this was the problem with the work email?


Elaine
  • Does this answer your question? [How to scan a PDF for malware?](https://security.stackexchange.com/questions/2896/), [Malicious PDF Analysis](/questions/72677/), [How can I tell if a PDF file I was sent contains malware?](/questions/121877), [Solutions to diagnose PDF files for exploits?](/questions/147071/) – Steffen Ullrich Feb 11 '23 at 05:22
  • @SteffenUllrich Can this be a case of [Stegosploit](https://thehackernews.com/2015/06/Stegosploit-malware.html)? From the OP's description there was some interactive window appearing on the screen when she clicked on the png attached. It seems like only the icon suggested that it was a pdf, but that in reality it was a png image. I wonder if downloading it and inspecting it with a file manager or hex program could identify the segment of malware. – Antoni Parellada Feb 11 '23 at 19:15
  • @AntoniParellada: I don't understand what the OP means with *"I inspected the html associated with the icon (posted below) and it actually turns out it is a png."*. If this is webmail (unknown) then the HTML might refer to the image which is used to display the attachment icon. Surely this would be some image type, even if the attachment itself is a PDF. In no case would I conclude from the provided description that this could be stegosploit. – Steffen Ullrich Feb 11 '23 at 19:27
  • @SteffenUllrich I think I get your comment. How can I find out the type of file in that attachment? The ".pdf" or ".png" at the end of the name is not visible (cut off from the image) and I am afraid of clicking on it. BTW, this is an email account hosted by GoDaddy and using MS Outlook. I don't know if that answers your question. – Elaine Feb 11 '23 at 20:10
  • @Elaine: if you want to analyze the file you have to download it first. Downloading by itself does not cause harm; executing, viewing (in case of embedded code), etc. does. – Steffen Ullrich Feb 11 '23 at 20:59
  • @SteffenUllrich I followed your suggestion and I made it public here: https://github.com/ejp12/png-malwarefile – Elaine Feb 11 '23 at 21:31
  • @Elaine: This is not the attachment but an image used in your webmail to visualize that there is an attachment. There is nothing malicious with this image itself and no statements can be made from this about the actual attachment in your mail. Apart from that we don't analyze specific malware here. The question you had in the title (how to analyze pdf attachment) is a duplicate of several others and I linked to these. – Steffen Ullrich Feb 11 '23 at 21:35
  • @SteffenUllrich any leads or suggestions on how I can find out some info about the nature of the "actual attachment"? – Elaine Feb 11 '23 at 21:51
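The comments above make two points that are easy to turn into a first triage step: the real type of a downloaded attachment is decided by its leading bytes, not by the icon or the name shown in webmail, and reading a file's bytes does not execute or render it. The script below is an added example written for this page, not code from the question or from any of the linked answers. It classifies a file by magic bytes and, for a PDF, counts name objects that commonly carry active content (`/JavaScript`, `/OpenAction`, `/Launch`, and so on) and lists any URLs in the raw bytes. The signature table, the keyword list and the sample PDF bytes are constructed for the example; no real attachment is included.

```python
import json
import re
import sys
from pathlib import Path

# Magic-byte signatures (constructed table of two well-known file headers).
# A file named "*.pdf" that starts with the PNG header is a PNG, and vice versa.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}

# PDF name objects that commonly carry active content. Their presence is a
# triage signal that the file deserves a closer look, not proof of malice.
RISKY_PDF_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                  b"/Launch", b"/EmbeddedFile", b"/URI", b"/RichMedia"]


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever name or icon it was given."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_pdf(data: bytes) -> dict:
    """Count risky PDF keys and extract URLs from the raw bytes.

    This only reads the bytes; the PDF is never rendered, so no embedded
    script or action can run during the scan.
    """
    counts = {}
    for key in RISKY_PDF_KEYS:
        # Negative lookahead so /JS does not also count /JSomething.
        pattern = re.escape(key) + rb"(?![A-Za-z])"
        counts[key.decode()] = len(re.findall(pattern, data))
    urls = sorted({m.decode(errors="replace")
                   for m in re.findall(rb"https?://[^\s)>\]]+", data)})
    return {"risky_keys": {k: v for k, v in counts.items() if v}, "urls": urls}


def triage(data: bytes) -> dict:
    """Return a small report: detected type plus, for PDFs, the scan results."""
    report = {"type": detect_type(data)}
    if report["type"] == "pdf":
        report.update(scan_pdf(data))
    return report


def triage_file(path: str) -> dict:
    """Read a downloaded attachment as bytes (not open it) and triage it."""
    return triage(Path(path).read_bytes())


# Constructed sample: a tiny PDF whose catalog runs JavaScript on open and
# which carries a link annotation. The URL is a reserved placeholder domain.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/view) >> >> endobj\n"
    b"%%EOF\n"
)

# Constructed sample: a file that is really a PNG regardless of its name.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    # Usage: python triage.py downloaded_attachment   (defaults to the sample)
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_PDF
    print(json.dumps(triage(data), indent=2))
```

Run it against the saved attachment rather than clicking the attachment in webmail. One caveat a reviewer should keep in mind: PDF object streams are often compressed (for example with `/FlateDecode`), so a plain byte scan can miss keys hidden inside a compressed stream; a clean count from this script is a reason to continue with the tools in the linked questions, not a reason to stop.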

0 Answers