Phishing Email

Always open malware in a secure environment like a VM.

We will be using the REMnux distribution which is specifically made for reverse engineering.

What is the return path of the email?

Let's first open the email using the Thunderbird client.

If we go to More > View Source, we can see the HTML source of the email.

There is also a Return-Path field which contains the answer.

Answer

bounce@rjttznyzjjzydnillquh.designclub.uk.com

What is the domain name of the url in this mail?

We can left click on the button and Copy Link Location to a notepad.

Since the question is asking for the domain name, we do not need the entire URL.

Answer

storage.googleapis.com

Is the domain mentioned in the previous question suspicious?

Using VirusTotal we can check whether a URL is malicious or not.

It has been flagged as Phishing by Abusix.

Answer

Yes

What is the body SHA-256 of the domain?

$ curl storage.googleapis.com | sha256sum
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   181  100   181    0     0   4309      0 --:--:-- --:--:-- --:--:--  4309
13945ecc33afee74ac7f72e1d5bb73050894356c4bf63d02a1a53e76830567f5  -

Answer

13945ecc33afee74ac7f72e1d5bb73050894356c4bf63d02a1a53e76830567f5

Is this email a phishing email?

As we saw in the Virustotal analysis, the email is a phishing email.

Answer

Yes