VirusTotal provides a lot of information to complete our analysis!
Sometimes you will also need to enumerate the website that hosts the phishing page or payload and look for extra files (open directories, logs, zip archives). Download and analyze those files as well, since they often reveal the kit, the collected credentials, or the next-stage payload.
This is where the malicious payload may be delivered to the recipient either as a link or an attachment.
1) Links can be extracted manually, either directly from an HTML-formatted email or by sifting through the raw email source (headers and body). In a mail client such as Thunderbird, right-click the link and choose Copy Link Location. The same can be accomplished with a tool that parses the raw .eml and lists every URL it contains, which is safer and less error-prone when the message holds many links or obfuscated HTML.
Tip: It's important to note the root domain for the extracted URLs. You will need to perform an analysis on the root domain as well.
2) After extracting the URLs, the next step is to check the reputation of each URL and its root domain. You can use any of the tools mentioned in the previous task to aid you with this. Note that Talos File Reputation is a lookup for file hashes; for URLs and domains use a URL/domain reputation service such as VirusTotal or the Talos Intelligence reputation lookup.
If the email has an attachment, you'll need to obtain the attachment safely, ideally inside an isolated analysis VM and without opening it. Accomplishing this is easy in Thunderbird by using the Save button.
After you have obtained the attachment, compute its hash. You can then check the file's reputation with the hash to see if it's a known malicious document (the hash is also the safest thing to share with other analysts, because it carries no malicious content itself).
Example:
    user@machine$ sha256sum Double\ Jackpot\ Slots\ Las\ Vegas.dot
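The two steps above (pull every URL out of the raw message and note its root domain, then hash each attachment without opening it) can be done in one pass with the Python standard library. The script below is an added example, not code from the original page; the sample .eml, the sender and link hosts, and the attachment bytes are all constructed for the demonstration, and the root-domain helper simply keeps the last two labels, so it does not handle public suffixes such as co.uk.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample message (not from the original page). It carries an
# HTML body with two links and a small base64 attachment named like the one
# in the page's sha256sum example; the attachment bytes are just "Hello".
SAMPLE_EML = b"""From: promo@example.com
To: victim@example.net
Subject: You won!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://login.example.org/verify?id=1">Claim</a>
<a href="https://cdn.example.com/dl/file.zip">Download</a></body></html>
--b1
Content-Type: application/msword; name="Double Jackpot Slots Las Vegas.dot"
Content-Disposition: attachment; filename="Double Jackpot Slots Las Vegas.dot"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
BARE_URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (EmailMessage) policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def extract_urls(msg: EmailMessage) -> list[str]:
    """Collect unique URLs from every text/html and text/plain body part.

    Attachments are skipped here; they are handled by hash_attachments().
    href="..." values are taken first, then any bare http(s) URL, and the
    order of first appearance is kept so output is stable.
    """
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        if part.get_content_disposition() == "attachment":
            continue
        text = part.get_content()
        for url in HREF_RE.findall(text) + BARE_URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found


def root_domain(url: str) -> str:
    """Naive registered-domain guess: the last two host labels.

    Assumption for this example only; real triage should use a public
    suffix list so that e.g. example.co.uk is not reduced to co.uk.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def hash_attachments(msg: EmailMessage) -> dict[str, str]:
    """Return {filename: sha256 hex} for every attachment, never executing it.

    The decoded bytes are hashed straight from the MIME part, so nothing
    is written to disk and no application is ever launched on the file.
    """
    hashes: dict[str, str] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        hashes[name] = hashlib.sha256(data).hexdigest()
    return hashes


def triage(raw: bytes) -> dict:
    """One-pass summary: URLs, the root domains to look up, attachment hashes."""
    msg = parse_message(raw)
    urls = extract_urls(msg)
    return {
        "urls": urls,
        "root_domains": sorted({root_domain(u) for u in urls}),
        "attachments": hash_attachments(msg),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    for url in report["urls"]:
        print("URL:", url, "(root:", root_domain(url) + ")")
    for name, digest in report["attachments"].items():
        print("ATTACHMENT:", name, digest)
```

Run it against a real message by replacing SAMPLE_EML with the bytes of a saved .eml; the printed root domains and SHA-256 values are exactly what you would then submit to the reputation services mentioned above.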
We can also upload an attachment obtained from a potentially malicious email to VirusTotal or another sandbox and see what URLs it attempts to communicate with, what additional payloads are downloaded to the endpoint, which persistence mechanisms it sets up, other Indicators of Compromise (IOCs), etc. Check the hash first: if the file is already known, the existing report saves you a submission, and if it is not, be aware that uploading it shares the sample with the service.