Phishing email investigation (Header, Attachment)

Header Analysis

In this example we have a phishing email impersonating CIBC, we will conduct a header investigation.

Right away we can see that email sender (CIBC-Banking.Service.Email.8@caib.com) does not match with cibc.com, and is already looking suspicious.

We now will open the .eml file of the email using a text editor, in this case I am using sublime text to inspect the email header.

We can see Return-Path is set to a different email in this case meztaz.logocec8@caib.com instead of CIBC-Banking.Service.Email.8@caib.com

If we look at the X-Sender IP or continue looking through the email headers
We’ll notice the IP address of 190.6.201.67 which we can further investigate

We can do a WHOIS lookup and we can see this IP address is location is in Honduras and is affiliated with CABLECOLOR which is not related to CIBC bank.

Attachment Analysis

In this example we are assuming we have already extracted the suspicious attachment, in this case it’s a file named quotation.iso.

Now we will get the hash of the file for further investigation.
On Windows PowerShell we can go to the file directory and run get-filehash cmdlet as in the following example:

get.filehash .\quotation.iso -algorithm sha256

Now that we have extracted the hash we can run it on reputation and malware analysis services.

We can see on VirusTotal 43/61 Security vendors have flagged this hash as malicious and the popular threat label for this hash is trojan.androm/ejzz

In the Details tab 

We can look when it was first submitted and other names of this file

We can safely conclude attachment is deemed a known malicious trojan.

Author: user

Leave a Reply

Your email address will not be published. Required fields are marked *