f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
60 lines
2.2 KiB
Plaintext
============================================================
Email & Phishing Analysis
============================================================

Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.

────────────────────────────────────────────────────────────

Step 1: Header Analysis

Tools: emldump-py, mail-parser

Parse the headers first: emldump.py <email.eml> lists the
MIME parts; mail-parser exposes the parsed fields (subject,
from_, received, headers). Check: Received headers (delivery
path, read bottom-up; only the hops added by your own or
trusted MTAs are reliable, lower ones can be forged),
Return-Path vs From (envelope/header mismatch suggests
spoofing), Authentication-Results for the SPF/DKIM/DMARC
verdicts, X-Mailer.

$ emldump.py message.eml
$ python3 -c "import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)"

Step 2: Attachment Extraction

Tools: emldump-py, msg-extractor

Extract attachments: list the parts with emldump.py
<email.eml>, then dump one by its index with
emldump.py -s <index> -d <email.eml> > <outfile>. For
Outlook MSG format use msg-extractor's CLI: extract_msg
<email.msg>. List all attachments with types and sizes.

$ emldump.py message.eml
$ emldump.py -s <index> -d message.eml > attachment.bin
$ extract_msg <email.msg>

Step 3: Attachment Triage

Tools: file, trid, yara, sha256sum

For each attachment: identify the real type from its
content (not its extension), compute the hash before
touching the file, scan with YARA. Route to the
appropriate workflow: Document Analysis (Office/PDF),
Static Analysis (PE), JavaScript Deobfuscation (JS/HTML).

$ file specimen.exe
$ trid document.doc
$ yara-rules specimen.bin

Step 4: Link Analysis

Tools: unfurl

Extract all URLs from the email body and headers. In HTML
bodies compare each href target with the displayed link
text. Use Unfurl to decompose URLs (reveal tracking
pixels, redirect chains, encoded parameters). Do not open
links from the analysis host outside an isolated sandbox.

$ unfurl parse <url>

Step 5: Payload Analysis

Analyze extracted attachments using the appropriate
workflow. Common patterns: Office doc with macro →
downloads PE, PDF with link → credential harvester,
HTML attachment → phishing page.

Step 6: Document IOCs

Record: sender address and IP, subject line,
attachment names and hashes, all URLs, C2/phishing
domains, email infrastructure (mail server names).

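The six steps above as one runnable pass over a message, as an added example
that is not part of the FOR610/REMnux material or of any tool it names. It uses
only the Python standard library (the `email` package in place of emldump.py and
mail-parser, a magic-byte table in place of `file`/`trid`, `urllib.parse` in
place of Unfurl), so it runs offline. The message, its hosts, addresses and the
'MZ'-prefixed attachment are constructed for the demo; the workflow names in
the MAGIC table are the ones Step 3 routes to.

```python
# Added example, not from the FOR610/REMnux material: stdlib-only triage of one
# .eml covering Steps 1-4 and 6 of this guide, so it runs without REMnux tools.
import base64
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlsplit

ATTACHMENT_BYTES = b"MZ\x90\x00" + b"\x00" * 60  # constructed: PE magic, not a real PE
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MAGIC = [  # leading bytes -> (type label, workflow to route to per Step 3)
    (b"MZ", "PE", "Static Analysis (PE)"),
    (b"%PDF", "PDF", "Document Analysis (Office/PDF)"),
    (b"\xd0\xcf\x11\xe0", "OLE2", "Document Analysis (Office/PDF)"),
    (b"PK\x03\x04", "ZIP/OOXML", "Document Analysis (Office/PDF)"),
    (b"<html", "HTML", "JavaScript Deobfuscation (JS/HTML)"),
]


def build_sample() -> bytes:
    """Constructed phishing-style message (RFC 5737 test IPs, example.* hosts)."""
    msg = EmailMessage()
    # First Received is the last hop; the last Received names the originating host.
    msg["Received"] = "from relay.example.net (203.0.113.10) by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000"
    msg["Received"] = "from [198.51.100.7] by relay.example.net; Mon, 1 Jan 2024 09:59:58 +0000"
    msg["Return-Path"] = "<bounce@mailer.example.net>"  # envelope sender differs from From
    msg["Authentication-Results"] = "mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none"
    msg["From"] = "IT Helpdesk <helpdesk@example.org>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Action required: password expires today"
    msg["X-Mailer"] = "PHPMailer 6.1"
    msg.set_content("Reset here: https://example.org.reset-login.example.com/?u=dmljdGlt")
    msg.add_alternative('<p>Reset <a href="http://198.51.100.7/login.php?id=1">here</a></p>', subtype="html")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify(data: bytes):
    """Stand-in for `file`/`trid`: classify by leading magic bytes (case-folded)."""
    head = data[:8].lower()
    for magic, label, workflow in MAGIC:
        if head.startswith(magic.lower()):
            return label, workflow
    return "unknown", "manual triage"


def try_base64(value: str):
    """Decode a URL parameter if it is base64 (either alphabet) holding printable text."""
    if len(value) < 4 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", value):
        return None
    try:
        text = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decompose_url(url: str, sender_domain: str) -> dict:
    """Unfurl-style breakdown: host, path, query parameters and decoded payloads."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        params[key] = value
        if (decoded := try_base64(value)) is not None:
            params[key + "_b64decoded"] = decoded
    # Lookalike: the sender's domain appears inside a host that is not under it.
    lookalike = (bool(sender_domain) and sender_domain in host and host != sender_domain
                 and not host.endswith("." + sender_domain))
    return {"host": host, "path": parts.path, "params": params,
            "lookalike_of_sender_domain": lookalike}


def analyze(raw: bytes) -> dict:
    """Steps 1-4 and 6: headers, attachments, URLs, and the IOC record to keep."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    sender_domain = from_addr.rpartition("@")[2]
    received = [str(h) for h in msg.get_all("Received", [])]
    auth = str(msg.get("Authentication-Results", ""))
    spf, dkim = re.search(r"\bspf=(\w+)", auth), re.search(r"\bdkim=(\w+)", auth)
    # Bottom Received header is the first hop: best available originating IP.
    ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", received[-1]) if received else None
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        label, workflow = identify(data)  # trust content, not the filename extension
        attachments.append({"filename": part.get_filename(), "size": len(data),
                            "declared_type": part.get_content_type(), "magic_type": label,
                            "workflow": workflow, "sha256": sha256_hex(data)})
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    urls = sorted(urls)
    x_mailer = msg.get("X-Mailer")
    return {"from": from_addr, "return_path": return_path,
            "return_path_mismatch": return_path.rpartition("@")[2] != sender_domain,
            "spf": spf.group(1) if spf else None, "dkim": dkim.group(1) if dkim else None,
            "sender_ip": ip.group(0) if ip else None,
            "mail_servers": re.findall(r"\bby\s+([\w.-]+)", " ".join(received)),
            "x_mailer": str(x_mailer) if x_mailer is not None else None,
            "subject": str(msg.get("Subject", "")), "attachments": attachments,
            "urls": urls, "url_details": [decompose_url(u, sender_domain) for u in urls]}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample()), indent=2))
```

Feed `analyze()` the bytes of a real .eml instead of `build_sample()` to triage a
live sample; the returned dict is the Step 6 record (sender, originating IP,
subject, attachment hashes, URLs with decoded parameters, mail server names).
The base64 and lookalike checks are heuristics: a parameter that happens to
decode to printable text, or a legitimate vendor host that embeds a brand name,
will also be flagged, so treat them as leads for Unfurl, not verdicts.
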
────────────────────────────────────────────────────────────

Tip: 'fhelp cheat <tool>' for full examples
     'Ctrl+G' for interactive cheatsheet browser