Clark Flores
Written on

Email Analysis - Third Party Impersonation (Let's Defend)

Challenge Write-up (Medium)

Lessons Learned:

Analyze an email message and its attachment.

The Challenge:

You recently received an email from someone trying to impersonate a company; your job is to analyze the email to see if it is suspicious.

Answers

  1. What is the sending email address? yanting[@]united[.]com[.]sg

Method: Same method as in “Phishing Email - Email from Paypal”.

Answer is indicated in “From:”.

  2. What is the email address of the recipient? admin[@]malware-traffic-analysis[.]net

Method: Indicated in “Delivered-To:”.

  3. What is the subject line of the email? united scientific equipment

Method: Indicated in “Subject:”.

  4. What date was the email sent? 02/08/2021

Method: Indicated in “Date:”.

  5. What is the originating IP? 71.19.248.52

Method: Indicated in “Received:”. Each mail server prepends its own “Received:” line, so the lowest one in the header block is the earliest hop, and that is where the originating IP is found.

  6. What country is the IP address from? Canada

Method: Use geoiplookup to determine the country of an IP address.

  7. What is the name of the attachment when you unzip it? united scientific equipent.exe

Method: Download the attachment and extract it using the provided password.

  8. What is the SHA256 hash of the file? 9909753bfb0ac8ab165bab3555233d03b01a9274a92e57c022f87ccbe51ca415

Method: Use any command that can compute the hash value of a file.

  • MacOS - “shasum -a 256 pathtofile”
  • Windows - “certutil -hashfile pathtofile SHA256”

  9. Is the email attachment malicious? Yes

Method: Same indicators as stated in “Phishing Email - Email from Paypal”. In addition, the file attachment was malicious per the verdict in VirusTotal.
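The header-reading and attachment-hashing steps above, automated with the Python standard library, as an added example that is not part of the original write-up. The .eml is a constructed sample: the answer values come from this write-up, but the relay hop (203.0.113.10), the timestamps and the attachment bytes are made up.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample .eml: header values follow the write-up's answers;
# the relay hop, timestamps and the attachment itself are made up.
SAMPLE_EML = b"""Delivered-To: admin@malware-traffic-analysis.net
Received: from mail.united.com.sg (mail.united.com.sg [203.0.113.10])
    by mx.malware-traffic-analysis.net with ESMTP; Mon, 8 Feb 2021 09:15:04 +0000
Received: from [71.19.248.52] (unknown [71.19.248.52])
    by mail.united.com.sg with SMTP; Mon, 8 Feb 2021 09:15:01 +0000
From: "Yan Ting" <yanting@united.com.sg>
Subject: united scientific equipment
Date: Mon, 8 Feb 2021 09:14:58 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="quote.zip"
Content-Disposition: attachment; filename="quote.zip"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_headers(raw: bytes) -> dict:
    """Pull the fields the write-up reads by hand from the header block."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Each MTA prepends its own Received line, so the last one listed is the
    # earliest hop; the IP in it is the originating IP the challenge asks for.
    hops = msg.get_all("Received") or []
    first_hop = IPV4.search(str(hops[-1])) if hops else None
    return {
        "from": parseaddr(str(msg["From"]))[1],
        "delivered_to": parseaddr(str(msg["Delivered-To"]))[1],
        "subject": str(msg["Subject"]),
        "date": parsedate_to_datetime(str(msg["Date"])).strftime("%m/%d/%Y"),
        "originating_ip": first_hop.group(0) if first_hop else None,
    }

def attachment_hashes(raw: bytes) -> dict:
    """SHA-256 of each decoded attachment, keyed by its declared filename."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    }
```

The attachment here is still wrapped, so the hash is of the zip, not the extracted .exe; unzip with the supplied password and hash the inner file to reproduce the answer in question 8.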