Phishing Email to Malware Analysis

Prince Prafull
4 min read · Oct 24, 2023

Hello everyone,

The following article discusses one technique attackers use to get a foothold on a system inside an organisation and place malware on its network: a phishing email carrying a malicious attachment.

It should help someone who is not a malware analyst determine whether they are being targeted by an attacker.

Email analysis and malware analysis are covered together, in the order an analyst would actually do them.

Some requirements:

  1. An isolated virtual environment: Windows 10 (used here)
  2. And of course, a phishing email: https://www.malware-traffic-analysis.net/2023/07/07/index.html (the sample from malware-traffic-analysis.net)

Let's start:

First, download the email (the .eml file) and upload it to https://app.phishtool.com/ for an easier look at the headers. The headers are plain text, so the same analysis is possible offline with a text editor or a short script if you would rather not share the message with a third party.

Analysis of Email:

PhishTool makes email headers easier to read: it lays out every header field in a GUI that is simple to scan and understand.

The sender information and Return-Path are shown in the picture below. The Return-Path (the envelope sender, where bounces go) is crucial when analysing phishing emails: attackers forge the From: header that the user sees, but the Return-Path usually points at the infrastructure that actually sent the message, so a mismatch between the two domains is a red flag.
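The header checks described above, as an added example that is not part of the original article or of PhishTool: the script parses a constructed .eml (not the message from the traffic-analysis exercise), pulls out From, Return-Path, Reply-To and the receiving server's Authentication-Results verdicts, lists the attachment names, and flags the mismatches an analyst looks for first. All domains and addresses in the sample are made up.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not the email from the traffic-analysis exercise).
# The From: domain, Return-Path domain and Reply-To domain all differ, and the
# receiving server recorded no SPF/DKIM/DMARC pass.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=none header.from=trusted-supplier.example
From: "Accounts Payable" <ap@trusted-supplier.example>
Reply-To: payments@freemail.example
To: victim@example.com
Subject: Purchase Order PO#4471
Date: Fri, 07 Jul 2023 09:12:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the attached purchase order.
--b1
Content-Type: application/zip; name="PO.zip"
Content-Disposition: attachment; filename="PO.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""


def _domain(addr: str) -> str:
    """Domain part of an address, lowercased ('' if there is no address)."""
    return addr.rpartition("@")[2].lower()


def triage_headers(raw: bytes) -> dict:
    """Extract the headers that matter for phishing triage and flag mismatches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]

    # Authentication-Results is written by the receiving MX; pull out its verdicts.
    auth_hdr = str(msg.get("Authentication-Results", ""))
    auth = {m.lower(): v.lower()
            for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_hdr, re.I)}

    findings = []
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(f"Return-Path domain {_domain(return_path)} != From domain {_domain(from_addr)}")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_to)} != From domain {_domain(from_addr)}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass (result: {auth.get(mech, 'absent')})")

    attachments = [part.get_filename() for part in msg.iter_attachments()]
    return {
        "subject": str(msg.get("Subject", "")),
        "from": from_addr,
        "return_path": return_path,
        "reply_to": reply_to,
        "auth": auth,
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_headers(SAMPLE_EML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real .eml by reading the file in binary mode and passing the bytes to `triage_headers`. Authentication-Results is only trustworthy when it was added by your own mail server; an attacker can insert a fake one upstream, so check that the header's authserv-id is your MX.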

Let's examine the email security results:
They show that the sending domain publishes no SPF or DMARC policy. These records must be published and kept current so that receiving mail servers can reject forged mail sent in the name of another organisation; without them the From: address cannot be verified at all.

SPF missing
DMARC missing
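What "up to standard" means for SPF and DMARC, as an added example that is not from the original article or from PhishTool: the script parses the two TXT records and lists the weaknesses an attacker sending spoofed mail would exploit, from records that are missing entirely (the article's case) to records that exist but are too permissive. The three domains and their records are constructed; in practice you fetch the real ones with `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.

```python
# Constructed TXT records for three hypothetical domains (not real lookups).
RECORDS = {
    "weak.example": {"spf": None, "dmarc": None},
    "softfail.example": {
        "spf": "v=spf1 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@softfail.example",
    },
    "hardened.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
    },
}


def parse_spf(record: str):
    """Return {'all': qualifier} for the record's 'all' mechanism, or None if invalid.

    The qualifier is '+', '-', '~' or '?' (RFC 7208); None means no 'all' term,
    which leaves unmatched senders with a neutral result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            return {"all": qualifier}
    return {"all": None}


def parse_dmarc(record: str):
    """Split 'tag=value; tag=value' into a dict, or None if it is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def grade_domain(spf_record, dmarc_record) -> list:
    """List the policy weaknesses; an empty list means both records are strict."""
    issues = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        issues.append("SPF missing")
    elif spf["all"] in ("+", "?", None):
        issues.append("SPF does not fail unknown senders (no -all/~all)")
    elif spf["all"] == "~":
        issues.append("SPF uses ~all (softfail): forged mail is marked, not rejected")

    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        issues.append("DMARC missing")
    else:
        if dmarc.get("p", "none").lower() == "none":
            issues.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if int(dmarc.get("pct", "100")) < 100:
            issues.append(f"DMARC applies to only {dmarc['pct']}% of mail")
    return issues


if __name__ == "__main__":
    for domain, recs in RECORDS.items():
        print(domain, "->", grade_domain(recs["spf"], recs["dmarc"]) or ["ok"])
```

A domain with no SPF and no DMARC record, as in this email, gives receivers nothing to check against, so any host on the internet can send mail that claims to be from it and the message will pass through with the same score as legitimate mail.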

Attachments always matter, because that is where the malware usually is. This email carries a zip file, and the tool returns the attachment's hashes, which can be compared against publicly shared malware lists.

Checking the hash on VirusTotal:

https://www.virustotal.com/gui/file/f4f068ce78be6381eaaa55a7074d3770b6f175fa690527e9957a40dcddced8ff

As we can see, 48 of 63 engines flag this file as malicious.

VT result

The URLs in an email can be fraudulent too and may lead victims to dangerous websites, so examine every URL in the email (without opening it on a production machine).

Now it's time to get your hands dirty:

So far we have only analysed the email to see how the malware entered the organisation; now we will analyse the attachment itself (the actual malware).

Before running the malware in your own virtual environment, try it in an online sandbox first. For this sample we used https://analyze.intezer.com/ (Intezer).

WHY? Because I like it.

One caveat: public sandboxes and VirusTotal share submitted samples with other users, so never upload anything that contains confidential data.

Unzipping the attachment, we find two files:

attachment files

Upload PO.pdf.exe to the Intezer sandbox. Note the double extension: Windows hides known file extensions by default, so the victim sees PO.pdf and assumes it is a document, while the file is actually an executable.
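The attachment triage from the two steps above (hashing the zip and its contents, then spotting the double extension) as one added example; this is not code from the article or from any of the tools it uses. It builds a constructed stand-in for PO.zip in memory, hashes the archive and every member with MD5/SHA1/SHA256 for lookup on VirusTotal, and flags names that end in an executable extension, document names hiding an executable extension, and files whose magic bytes say "PE" even though the name does not. The members, their contents and the size limit are assumptions.

```python
import hashlib
import io
import os
import zipfile

# Extensions Windows will execute directly; a document name followed by one of
# these is the classic double-extension trick (PO.pdf.exe).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1", ".dll"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".txt", ".jpg", ".jpeg", ".png"}
MAGIC = [(b"MZ", "PE executable"), (b"%PDF", "PDF document"), (b"PK\x03\x04", "ZIP container")]
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def file_hashes(data: bytes) -> dict:
    """The three hashes VirusTotal and most threat feeds are keyed on."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def sniff_type(data: bytes) -> str:
    """Identify the file by its leading bytes, not by its name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown/text"


def triage_zip(zip_bytes: bytes) -> dict:
    """Hash the archive and every member; flag names and magic bytes that disagree."""
    report = {"archive": file_hashes(zip_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            data = zf.read(info)  # read into memory only; nothing here executes the member
            root, ext = os.path.splitext(info.filename)
            ext = ext.lower()
            inner_ext = os.path.splitext(root)[1].lower()
            kind = sniff_type(data)
            flags = []
            if ext in EXECUTABLE_EXT:
                flags.append(f"executable extension {ext}")
            if ext in EXECUTABLE_EXT and inner_ext in DOCUMENT_EXT:
                flags.append(f"double extension: shown as '{root}' when Windows hides known extensions")
            if kind == "PE executable" and ext not in EXECUTABLE_EXT:
                flags.append("PE magic bytes behind a non-executable extension")
            report["members"].append({"name": info.filename, "size": len(data), "type": kind,
                                      **file_hashes(data), "flags": flags})
    return report


def build_sample_zip() -> bytes:
    """Constructed stand-in for the email's PO.zip: an 'MZ' stub plus a harmless note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PO.pdf.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not a runnable PE")
        zf.writestr("order_note.txt", b"Please review the attached purchase order.\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    print("archive sha256:", result["archive"]["sha256"])
    for member in result["members"]:
        print(member["name"], member["type"], member["sha256"], member["flags"])
```

To triage a real attachment, pass the bytes of the saved zip to `triage_zip` from inside the isolated VM; the member hashes are what you paste into VirusTotal, so the file never has to be opened or uploaded first.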

Processes that are created by the malicious exe are:

IOCs detected are:

Let's try one more analysis tool:

Hybrid Analysis is another sandbox that gives comprehensive information about everything the malware does during execution.

https://www.hybrid-analysis.com/sample/a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886/65354a06420bddf3e50c4245

It maps the observed behaviour to MITRE ATT&CK techniques, covering initial access, execution, persistence and the other tactics.

Malicious Indicators:

File details:

Always keep an eye on the rest of the file details. This section gives several significant file hashes, such as:

  1. Import hash (imphash): an MD5 over the names of the DLLs and functions the PE file imports, in import-table order. Samples built from the same source or toolkit tend to share an imphash even when their SHA256 differs, so it is useful for clustering related samples.
  2. Authentihash: the hash Microsoft's Authenticode uses for code signing. It covers the PE file except the checksum field, the certificate-table pointer and the signature itself, so it is the same whether or not the file is signed and lets you verify that the signed portion has not been altered.
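How the imphash in the list above is actually computed, as an added example that is not from the article or from Hybrid Analysis: each import is normalised to lowercase `dll.function` with the library extension dropped, the pairs are joined with commas in import-table order, and the MD5 of that string is the hash. The import list below is constructed, not the real import table of PO.pdf.exe, and the well-known-ordinal lookup that pefile applies to ws2_32/oleaut32 imports is left out.

```python
import hashlib

# Import table of a constructed sample, in the order the loader lists it
# (not the real import table of PO.pdf.exe).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("USER32.dll", "MessageBoxA"),
    ("ADVAPI32.dll", "RegSetValueExA"),
]


def imphash(imports) -> str:
    """MD5 of 'dll.function' pairs, lowercased, extension stripped, in import order.

    Mirrors the normalisation pefile uses for imports by name; imports by ordinal
    are written as 'ordN' (pefile additionally resolves well-known ordinals to names).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS))
```

Because the hash depends on order, two builds of the same source compiled with the same toolchain usually match, while a repacked or recompiled variant with a different import layout does not; that is why it clusters families rather than identifying one exact file.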

Some of the files dropped or extracted by the malware during execution are:

With these steps you can protect yourself by analysing suspicious or malicious emails before acting on them.

For more articles related to cyber security stay tuned.

📞 Contact:

https://www.linkedin.com/in/prince-prafull-19a477194/


Prince Prafull

Cyber Security Learner | Web Application Testing | Student