E-mail Analysis - A LetsDefend Challenge
Analysis of a suspicious e-mail file to find more information about a possible threat.
Summary
Your email address has been leaked and you received an email from Paypal in German. Try to analyze the suspicious email.
File link: Download
Password: infected
This challenge was prepared by @Fuuji
Information we should find:
- What is the return path of the email?
- What is the domain name of the url in this mail?
- Is the domain mentioned in the previous question suspicious?
- What is the body SHA-256 of the domain?
- Is this email a phishing email?
Write-up
First step is to unzip the file and open the e-mail so we can have a better look at it.
Transcription:
Hello !
You are customer #12819202501 of AU Paypal Rewards and we are waiting for your confirmation since 08/09/2022. This delivery is for you. To activate delivery, please confirm..
your account information
- Customer: Krystyalia
- Email: Krystyalia@gmail.com
- Reward: PayPal prepaid card 1000
[button] Continue delivery
Inspecting the button we can find the URL where the user is supposed to be redirected to - hxxps://storage[.]googleapis[.]com/hqyoqzatqthj/aemmfcylvxeo[.]html#QORHNZC44FT4[.]QORHNZC44FT4?dYCTywdcxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M.
A simply analysis on VirusTotal is enough to tell it’s a possible malicious URL
We can also curl the domain hxxps://storage[.]googleapis[.]com to compute its sha256 value.
Now, by opening the header of the e-mail in a text editor, we can do a better analysis, it is possible to get: IP adress of the sender, and return-path — A return path is used to specify where bounced emails are sent and is placed in the email header. It’s an SMTP address separate from the sending address.
We can now conclude the analysis by stating it is a phishing e-mail, its main objective is to use a social engineering technique to redirect users to a malicious domain in order to collect data: possible credentials, and information from the user the e-mail is directed at.
Thank you for reading!
