Phishing Email Analysis

Divyank Patel
3 min read, Jun 10, 2023


A Sales Executive at Greenholt PLC received an email that he didn’t expect to receive from a customer. He claims that the customer never uses generic greetings such as “Good day” and didn’t expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation. Investigate the email sample to determine if it is legitimate.

https://tryhackme.com/room/phishingemails5fgjlzxc

Tools used for investigating this email: VirusTotal, PhishTool, IPinfo and Thunderbird.

1. What is the email’s timestamp (answer format: mm/dd/yyyy hh:mm)

06/10/2020 05:58

Image: the email opened in Thunderbird

There are no links in the email body; apart from the headers, the only thing to examine is the file attachment (see question 9).

2. Who is the email from?

Mr. James Jackson

3. What is his Email Address?

info@mutawamarine.com

4. What email address will receive a reply to this email?

info.mutawamarine@mail.com

5. What is the Originating IP?

To find the originating IP you can read the raw message source and walk the Received: headers from the bottom (earliest hop) upwards, but I used PhishTool, which parses all of that out for you.

Image: PhishTool analysis

192.119.71.157

6. Who is the owner of the Originating IP?

This was easy since we already had the IP address: I looked it up on the IPinfo website to get the owner.

Hostwinds LLC

7. What is the SPF record for the Return-Path domain?

I used PhishTool to get this info, but let me explain what an SPF record is used for. An SPF record is a DNS TXT record published at a domain that lists the hosts allowed to send mail on behalf of that domain, either as IP ranges or as other domains’ records pulled in with include:. A receiving mail server looks up the record for the domain in the envelope sender (the Return-Path), checks whether the connecting IP is listed, and uses the result (pass, fail, softfail or neutral) when deciding whether to accept, flag or reject the message. The trailing -all in the record below means any IP not covered by the include is a hard fail.

v=spf1 include:spf.protection.outlook.com -all

8. What is the DMARC record for the Return-Path domain?

v=DMARC1; p=quarantine; fo=1

Here p=quarantine tells receivers to treat mail that fails DMARC (no aligned SPF or DKIM pass) as suspicious, typically by routing it to spam, and fo=1 asks for a failure report whenever either SPF or DKIM fails rather than only when both do. If you want to learn more about DMARC, visit this website: DMARC
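To make the SPF and DMARC checks above concrete, here is an added example (not code from the write-up or from PhishTool) that evaluates the originating IP against the Return-Path domain’s SPF record, parses the DMARC policy, and flags the Reply-To mismatch. It runs offline against a constructed DNS table: the record for mutawamarine.com is the one reported above, the contents of the include: target are an invented stand-in for Microsoft’s real ranges, and the Return-Path is assumed to be the same address as From.

```python
"""Offline SPF and DMARC evaluation for the headers in this write-up.

Added example, not code from the write-up or from PhishTool. The DNS
answers are a constructed table so the script runs offline.
"""
import ipaddress

# Constructed DNS TXT answers (a real check would query DNS for these names).
FAKE_DNS_TXT = {
    "mutawamarine.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    # Invented stand-in for Microsoft's published ranges (assumption).
    "spf.protection.outlook.com": ["v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all"],
    "_dmarc.mutawamarine.com": ["v=DMARC1; p=quarantine; fo=1"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return FAKE_DNS_TXT.get(name.lower(), [])


def spf_record(domain):
    """First TXT record at the domain that starts with v=spf1, else None."""
    for txt in lookup_txt(domain):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate ip against domain's SPF record (simplified RFC 7208).

    Handles ip4/ip6/include/all with qualifiers; a/mx/ptr/exists and
    modifiers are skipped. Returns (result, matching_term).
    """
    if depth > 10:  # RFC lookup limit; also stops include loops
        return "permerror", "too many include lookups"
    record = spf_record(domain)
    if record is None:
        return "none", None
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A v6 address never matches an ip4 term (and vice versa).
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], qualifier + term
        elif mech == "include":
            # include: matches only if the referenced record yields "pass".
            if check_spf(ip, arg, depth + 1)[0] == "pass":
                return QUALIFIERS[qualifier], qualifier + term
        elif mech == "all":
            return QUALIFIERS[qualifier], qualifier + term
    return "neutral", None


def dmarc_policy(domain):
    """Parse _dmarc.<domain> into a tag dict, e.g. {'p': 'quarantine', ...}."""
    for txt in lookup_txt("_dmarc." + domain):
        if txt.upper().startswith("V=DMARC1"):
            tags = {}
            for tag in txt.split(";"):
                key, _, value = tag.partition("=")
                if key.strip():
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def assess(originating_ip, return_path, from_addr, reply_to):
    """Combine SPF result, DMARC policy, alignment and Reply-To in one view."""
    rp_domain = domain_of(return_path)
    from_domain = domain_of(from_addr)
    spf_result, term = check_spf(originating_ip, rp_domain)
    policy = dmarc_policy(from_domain) or {}
    return {
        "spf": spf_result,
        "spf_term": term,
        "dmarc_p": policy.get("p"),
        "dmarc_fo": policy.get("fo"),
        # DMARC only credits an SPF pass when the Return-Path domain aligns
        # with From (strict comparison here; relaxed mode compares
        # organizational domains).
        "spf_aligned": rp_domain == from_domain,
        # A Reply-To on a different domain than From diverts the victim's reply.
        "reply_to_mismatch": domain_of(reply_to) != from_domain,
    }


if __name__ == "__main__":
    # Values from the write-up; Return-Path assumed equal to From.
    print(assess("192.119.71.157", "info@mutawamarine.com",
                 "info@mutawamarine.com", "info.mutawamarine@mail.com"))
```

With these inputs SPF fails on the -all term, the From domain publishes p=quarantine, and Reply-To points at mail.com rather than the sender’s domain, which is exactly the combination a receiver would quarantine and an analyst would treat as a likely spoof. The include: contents are invented, so a real check must resolve them from DNS.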

9. What is the name of the attachment?

This was pretty easy: if you refer back to the first image at the start of this post, the attachment is listed at the bottom of the email.

SWT_#09674321____PDF__.CAB

10. What is the SHA256 hash of the file attachment?

I found the hash by saving the attachment to the desktop and hashing it from the terminal.

2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f

11. What is the attachments file size?

400.26 KB

I tried right-clicking the file and opening Properties to get the file size, but that turned out to be wrong, so when I searched for the hash on VirusTotal I found the file size in the top right. See the attached picture.

12. What is the actual file extension of the attachment?

rar

If you look at the previous picture, the actual file extension is highlighted in the condensed file info section: the name ends in .CAB, but the content is a RAR archive.
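The last three questions (hash, size, real type) are the standard attachment triage, so here is an added example that does them locally rather than via VirusTotal. It is not the write-up’s own steps: it identifies the real type from the file’s leading magic bytes, compares that with the extension the name advertises, flags a document keyword smuggled into the name, and reports the size in raw bytes alongside both KB conventions. The sample bytes are constructed so it runs offline; they are not the real attachment, so their hash differs from the one reported above.

```python
"""Attachment triage: SHA-256, size and real type from magic bytes.

Added example, not the write-up's own steps and not VirusTotal's logic.
The sample bytes below are constructed so the script runs offline.
"""
import hashlib

# Well-known file signatures; the first prefix match wins.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 1.5 - 4.x
    (b"MSCF", "cab"),                    # Microsoft Cabinet
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),              # ZIP, also docx/xlsx/jar
    (b"MZ", "exe"),                      # PE executable / DLL
]
# Document-type keywords smuggled into a stem to make a name look harmless.
LURE_WORDS = ("PDF", "DOC", "XLS")


def claimed_extension(filename):
    """Extension the name advertises, lower-cased ('' if it has none)."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def actual_extension(data):
    """Type implied by the file's magic bytes, or 'unknown'."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(filename, data):
    claimed = claimed_extension(filename)
    actual = actual_extension(data)
    stem = filename.rsplit("/", 1)[-1].rsplit(".", 1)[0].upper()
    return {
        "name": filename,
        "sha256": sha256_hex(data),
        # Tools disagree on what "KB" means (1000 or 1024 bytes) and on
        # rounding, which is one reason two tools can show different sizes
        # for the same file; compare raw byte counts when in doubt.
        "bytes": len(data),
        "kib": round(len(data) / 1024, 2),
        "kb": round(len(data) / 1000, 2),
        "claimed_ext": claimed,
        "actual_ext": actual,
        "extension_mismatch": actual != "unknown" and claimed != actual,
        "lure_in_name": any(word in stem for word in LURE_WORDS),
    }


# Constructed sample: a RAR4 signature padded to exactly 1024 bytes.
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * (1024 - 7)
# Constructed sample: a genuine-looking cabinet header.
SAMPLE_CAB = b"MSCF" + b"\x00" * 60

if __name__ == "__main__":
    for name, data in [("SWT_#09674321____PDF__.CAB", SAMPLE_RAR),
                       ("update.cab", SAMPLE_CAB)]:
        print(triage(name, data))
```

For the attachment name from the room the result is claimed_ext "cab", actual_ext "rar", extension_mismatch True and lure_in_name True (the "PDF" in the stem). On a Linux terminal the same hash and byte count come from `sha256sum <file>` and `stat -c %s <file>`, and `file <file>` does the magic-byte identification.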


Divyank Patel

Cybersecurity enthusiast. I love doing write-ups about Blue Team CTFs and tools, and I am looking to pursue a role in Blue Team.