Email Analysis
Always open malware in a secure environment like a VM.
We will be using the REMnux distribution which is specifically made for reverse engineering.
What is the sending email address?
Let's check the HTML source of the email.
The answer lies in the From field.
Answer
What is the email address of the recipient?
The answer lies in the To field.
Answer
What is the subject line of the email?
The answer lies in the Subject field.
Answer
What date was the email sent? Date format: MM/DD/YYYY
The answer lies in the Date field.
The answer should be in MM/DD/YYYY format.
Answer
What is the originating IP?
The answer lies in the Received field. Each relay prepends its own Received header, so the bottom-most one is the earliest hop and names the originating IP.
Answer
What country is the IP address from?
We can use IPData to lookup the location and threat profile of the IP address.
Answer
What is the name of the attachment when you unzip it? (with extension)
Let's unzip the attachment.
Answer
What is the sha256 hash of the File?
We can use the sha256sum utility to find the hash of the attachment file.
Answer
Is the email attachment malicious? Yes/No
We can use VirusTotal to check whether a file is malicious by simply entering the SHA256 hash we generated.
Answer
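The header fields, originating IP, date formatting, attachment name and SHA256 hash asked for above can all be pulled out of the raw .eml in one pass. The script below is an added example, not part of the original walkthrough, and it runs against a constructed sample message (the addresses, IPs, date and zip contents are made up and the "executable" inside the zip is a harmless placeholder byte string). The helper names (_build_sample_eml, analyse, sha256_hex) are this example's own. The attachment is only read into memory for hashing, never written to disk or run, so it is safe to use as a triage step inside the REMnux VM before submitting the hash to VirusTotal.

```python
import base64
import email
import hashlib
import io
import json
import re
import zipfile
from email import policy
from email.utils import parsedate_to_datetime


def _build_sample_eml() -> bytes:
    """Constructed sample message (not the lab's email) with a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("invoice.exe", date_time=(2021, 6, 28, 8, 0, 0))
        zf.writestr(info, b"MZ-not-really-a-program")  # harmless stand-in bytes
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "Received: from mail.example.net (mail.example.net [198.51.100.7])\r\n"
        "\tby mx.example.org with ESMTP; Mon, 28 Jun 2021 08:15:02 +0000\r\n"
        "Received: from [203.0.113.45] (unknown [203.0.113.45])\r\n"
        "\tby mail.example.net with SMTP; Mon, 28 Jun 2021 08:14:58 +0000\r\n"
        "From: billing@example.net\r\n"
        "To: victim@example.org\r\n"
        "Subject: Overdue invoice\r\n"
        "Date: Mon, 28 Jun 2021 08:14:55 +0000\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "Please see attached.\r\n"
        "--b1\r\n"
        'Content-Type: application/zip; name="invoice.zip"\r\n'
        'Content-Disposition: attachment; filename="invoice.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{zip_b64}\r\n"
        "--b1--\r\n"
    ).encode()


IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def sha256_hex(data: bytes) -> str:
    """Same digest sha256sum would print for these bytes."""
    return hashlib.sha256(data).hexdigest()


def analyse(raw: bytes) -> dict:
    """Extract the header facts and attachment hashes the walkthrough asks for."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    # Each relay prepends its own Received header, so the last one in the
    # list is the earliest hop and carries the originating IP.
    origin = IPV4.search(str(received[-1])) if received else None
    sent = parsedate_to_datetime(str(msg["Date"]))
    result = {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "date": sent.strftime("%m/%d/%Y"),  # the MM/DD/YYYY format requested
        "origin_ip": origin.group(1) if origin else None,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64 decoded, kept in memory only
        entry = {"name": part.get_filename(), "sha256": sha256_hex(data), "inner": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            # List and hash the members without extracting anything to disk.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    entry["inner"].append(
                        {"name": info.filename, "sha256": sha256_hex(zf.read(info))}
                    )
        result["attachments"].append(entry)
    return result


if __name__ == "__main__":
    print(json.dumps(analyse(_build_sample_eml()), indent=2))
```

Replace _build_sample_eml() with open("sample.eml", "rb").read() to run it on the lab's message; the inner sha256 values are what you paste into the VirusTotal search box, and the origin_ip is what you look up in IPData.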