Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author: tobias
Date: 2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,54 @@
# Email & Phishing Analysis
> Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.
## Steps
### Step 1: Header Analysis
**Tools:** [[tools/emldump-py|emldump-py]], [[tools/mail-parser|mail-parser]]
Parse SMTP headers: emldump.py <email.eml>. Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer.
```bash
emldump.py message.eml
python3 -c "import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)"
```
### Step 2: Attachment Extraction
**Tools:** [[tools/emldump-py|emldump-py]], [[tools/msg-extractor|msg-extractor]]
Extract attachments: emldump.py <email.eml> -d. For MSG format: msg-extractor <email.msg>. List all attachments with types and sizes.
```bash
emldump.py message.eml
extract_msg <email.msg>
```
### Step 3: Attachment Triage
**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/yara|yara]], [[tools/sha256sum|sha256sum]]
For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML).
```bash
file specimen.exe
trid document.doc
yara-rules specimen.bin
```
### Step 4: Link Analysis
**Tools:** [[tools/unfurl|unfurl]]
Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters).
```bash
unfurl parse <url>
```
### Step 5: Payload Analysis
Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page.
### Step 6: Document IOCs
Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names).
#email #phishing #eml #msg #attachments #headers #workflow
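Review bot: the command blocks in this page disagree with the prose directly above them, so a reader copying the block gets a different step than the one described. In Step 2 the text calls for `emldump.py <email.eml> -d` to extract attachments, but the block runs `emldump.py message.eml` with no `-d`, which is just the Step 1 header/part listing again; suggest selecting the attachment part and dumping it (e.g. `emldump.py -s <n> -d message.eml > attachment.bin`), and likewise use one name for the msg tool, since the prose says `msg-extractor <email.msg>` while the block runs `extract_msg <email.msg>`. In Step 3 the block's `yara-rules specimen.bin` matches neither the `[[tools/yara|yara]]` entry in the Tools line nor a complete invocation, because yara takes the rules file before the target (e.g. `yara rules.yar specimen.bin`), and `sha256sum`, listed as a tool and required by "compute hash", is never run; suggest adding `sha256sum specimen.bin`. Finally, the Step 1 block mixes the literal `message.eml` with the placeholder `'<email.eml>'` in the same snippet; pick one convention across all blocks.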