Windows Analysis Report
458 -(1).eml

# Email Security Analysis Report

## 1. Initial Analysis of Email Structure

**Sender Information:**
- Display name: "rno olkmn 480821"
- Email address: dog.killer@msa.hinet.net
- Domain: msa.hinet.net (Taiwanese ISP - Chunghwa Telecom)

**Recipient Information:**
- Email: taylorm@paradigm-corp.com
- Domain: paradigm-corp.com (corporate domain)

**Subject Line:**
"F: br - mk-mittn di for zrkrbr ymnt mbr 989458 -"
- Nonsensical character combinations
- Appears to be attempting to look like a forwarded email ("F:")
- Contains what may be a reference number (989458)

**Date:** Tue, 10 Jun 2025 01:36:46 +0000

## 2. Content Analysis

The email body is minimal, containing only:
- "PDF Access Code : 472"

This suggests the PDF attachment requires a code to open it, which is often a tactic in phishing emails to:
- Bypass security controls
- Create a sense of legitimacy
- Make the recipient curious enough to engage with the attachment

## 3. Attachment and QR Code Analysis

**Attachment Details:**
- Name: "Paradigm-corp_Remittance_Advice_Monday, June 9, 2025 at 07:36:45PM.pdf"
- Type: PDF document, version 1.4
- Size: 236,580 bytes (approximately 231 KB)
- MD5: 19948161a10913f4de48ceaeebb3155e
- SHA1: 17a5affb9a83eed4f119bee171db0d78976ae4a4
- SHA256: 0076be57d1efb411b083484b92bed90f05767cb3cf43c028019590699b8b8818

**Notable Attachment Characteristics:**
- Incorporates recipient's company name ("Paradigm-corp")
- Claims to be a "Remittance Advice" (financial document)
- Includes very specific date and time formatting
- No QR code data available

## 4. Key Suspicious Indicators

1. **Sender anomalies**: 
   - Display name "rno olkmn 480821" appears random/generated
   - Email address "dog.killer@msa.hinet.net" is highly unprofessional and concerning
   - Sender domain is a Taiwanese ISP, not aligned with business context

2. **Subject line**: 
   - Completely nonsensical with random character combinations
   - Typical of phishing emails attempting to bypass spam filters

3. **Content inconsistencies**:
   - No business context, greeting, or signature
   - Only provides password for the PDF

4. **PDF with access code**:
   - Password-protected financial documents are suspicious, especially with minimal context
   - Access code technique often used to bypass security scanning

## 5. Attack Type Analysis (MITRE ATT&CK)

- **T1566.001 - Spearphishing Attachment**: Email with malicious attachment targeting a specific recipient
- **T1204.001 - User Execution: Malicious File**: Attack relies on user opening the PDF and entering the access code
- **T1036 - Masquerading**: Email mimics a legitimate financial document using company name
- **T1027 - Obfuscated Files or Information**: Possible use of password protection to hide malicious content

## 6. False Positive Analysis

**Factors suggesting legitimacy:**
- PDFs are common in business communications
- Password-protected PDFs are sometimes used for sensitive financial information
- The document references the recipient's company name

**Factors against legitimacy:**
- The nonsensical subject line is inconsistent with legitimate business communications
- The sender email address is highly unprofessional and concerning
- Complete lack of business context, greeting, or explanatory text
- Sender domain (Taiwanese ISP) doesn't match the business context of a remittance advice
- No prior communication history is indicated

## 7. Overall Assessment

This email displays multiple characteristics consistent with a phishing attempt:

1. The sender's display name and email address are highly suspicious and unprofessional
2. The subject line contains random characters that don't form coherent words
3. The email body lacks any proper business context
4. The PDF filename attempts to establish legitimacy by incorporating the recipient's company name
5. The attachment requires a password provided in the email body, a common tactic to bypass security controls

The combination of these elements strongly suggests this is a targeted phishing attempt designed to deliver malware through the PDF attachment.

## 8. IOCs (Indicators of Compromise)

- Email: dog.killer@msa.hinet.net
- Domain: msa.hinet.net
- Attachment: "Paradigm-corp_Remittance_Advice_Monday, June 9, 2025 at 07:36:45PM.pdf"
- MD5: 19948161a10913f4de48ceaeebb3155e
- SHA1: 17a5affb9a83eed4f119bee171db0d78976ae4a4
- SHA256: 0076be57d1efb411b083484b92bed90f05767cb3cf43c028019590699b8b8818

## Verdict and Risk Assessment

**Verdict**: Malicious

**Risk Score**: 8

**TTPs Identified**:
- Spearphishing with malicious attachment (T1566.001)
- Social engineering to induce user execution (T1204.001)
- Masquerading as financial document (T1036)
- Possible obfuscation via password protection (T1027)

**Reasoning Summary**:
This email exhibits strong indicators of a phishing attempt with a potentially malicious PDF attachment. The combination of a nonsensical subject line, inappropriate sender email address, minimal body content, and a password-protected PDF claiming to be a financial document creates a high-risk scenario. The attachment name suggests specific targeting by including the recipient's company name. While PDFs themselves are not inherently the highest risk file type, password-protected PDFs can contain malicious JavaScript or exploit vulnerabilities while evading security scanning.