
Detect Malware in Phishing Email

Pentesting

Recently I learned about investigating phishing emails.
When I receive a suspicious email, I check its contents and attachments without clicking any links. The steps below are what I use to learn more about such a message.


1. Open the email's source and copy the encoded text of the suspicious attachment.

For example, if you use Gmail, click the three-dots menu at the top right of the message and choose "Show original". You should see the raw source of the message.

If this message has a file attached, the attachment appears in the source as a Base64-encoded block (a MIME part with "Content-Transfer-Encoding: base64"). Copy that Base64 text.


2. Turn the Base64 into a SHA256 hash

The Base64 text from the previous step needs to be turned into a SHA256 hash so that it can be looked up in the online tools mentioned in the next section.
CyberChef is useful for this: decode the Base64 first ("From Base64"), then hash the decoded bytes ("SHA2", 256). Hashing the Base64 characters themselves would give a different hash that no scanner will recognise.

After that, copy the SHA256 hash.
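The same two steps in code, as an added example that is not part of the original post: parse a raw message, pull out each attachment, decode it, and hash the decoded bytes. The message below is constructed for the example (the "attachment" is just the text "hello world"), and the helper names are mine. The second pair of functions shows why the decode step matters: the hash of the Base64 text is not the hash of the file.

```python
import base64
import email
import hashlib
from email import policy

# Constructed sample message: a plain-text body plus one Base64-encoded
# attachment. "aGVsbG8gd29ybGQK" decodes to the bytes b"hello world\n".
SAMPLE_EML = b"""\
From: sender@example.invalid
To: you@example.invalid
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.

--XYZ
Content-Type: application/octet-stream; name="invoice.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.bin"

aGVsbG8gd29ybGQK
--XYZ--
"""


def attachment_hashes(raw_message: bytes) -> dict:
    """Return {filename: sha256_hex} for every attachment in a raw message.

    The hash is computed over the decoded attachment bytes, which is what
    hash-lookup services index. Only the message is parsed; nothing is
    executed or opened.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hashes = {}
    for part in msg.iter_attachments():
        # decode=True undoes the Content-Transfer-Encoding (Base64 here)
        data = part.get_payload(decode=True)
        if data is None:
            continue
        name = part.get_filename() or "unnamed-attachment"
        hashes[name] = hashlib.sha256(data).hexdigest()
    return hashes


def sha256_of_base64_text(b64_text: str) -> str:
    """The wrong way: hashes the Base64 characters, not the file."""
    return hashlib.sha256(b64_text.strip().encode("ascii")).hexdigest()


def sha256_of_decoded(b64_text: str) -> str:
    """The right way: decode first, then hash the file bytes."""
    return hashlib.sha256(base64.b64decode(b64_text)).hexdigest()


if __name__ == "__main__":
    for name, digest in attachment_hashes(SAMPLE_EML).items():
        print(f"{name}: {digest}")
    b64 = "aGVsbG8gd29ybGQK"
    print("hash of Base64 text :", sha256_of_base64_text(b64))
    print("hash of decoded file:", sha256_of_decoded(b64))
```

To use it on a real message, save the "Show original" output to a file and pass its bytes to `attachment_hashes`; the printed digest for each attachment is the value to paste into the search form in the next step.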


3. Analyze the suspicious file

Use an online malware detection tool such as VirusTotal, Cisco Talos or your favourite to analyse the suspicious file.

Paste the SHA256 hash into the search form. The service reports whether the file with that hash is known to be malicious. Note that a hash lookup only matches files the service has already seen, so "no results" means unknown, not clean.

If the file turns out to be malware, add the message sender to your blocklist.