TryHackMe: Phishing Analysis Tools (SOC Level 1)

Welcome to this walkthrough of the Phishing Analysis Tools room on TryHackMe – great job coming this far. We learned about phishing emails and practiced identifying them in the last two rooms. Now we get to learn about some tools that will make our lives easier.


Room URL:
https://tryhackme.com/room/phishingemails3tryoe

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Introduction

Recall from Phishing Emails 1, where we covered how to manually sift through an email's raw source to extract information.

In this room, we will look at various tools that will aid us in analyzing phishing emails. We will: 

  • Look at tools that will aid us in examining email header information.
  • Cover techniques to obtain the hyperlinks in an email and expand any shortened URLs to their real destination.
  • Look into tools to give us information about potentially malicious links without directly interacting with a malicious link.
  • Cover techniques to obtain malicious attachments from phishing emails and use malware sandboxes to detonate the attachments to understand further what the attachment was designed to do.

Warning: The samples throughout this room contain information from actual spam and/or phishing emails. Proceed with caution if you attempt to interact with any IP, domain, attachment, etc.

Questions

Read the above.

Answer: No answer needed


Task 2: What information should we collect?

In this task, we will outline the steps performed when analyzing a suspicious or malicious email. 

Below is a checklist of the pertinent information an analyst (you) is to collect from the email header:

  • Sender email address
  • Sender IP address
  • Reverse lookup of the sender IP address
  • Email subject line
  • Recipient email address (this information might be in the CC/BCC field)
  • Reply-to email address (if any)
  • Date/time

Afterward, we draw our attention to the email body and attachment(s) (if any).

Below is a checklist of the artifacts an analyst (you) needs to collect from the email body:

  • Any URL links (if a URL-shortener service was used, the real destination URL must be expanded and recorded as well)
  • The name of the attachment
  • The hash value of the attachment (MD5 or SHA256; prefer SHA256, since MD5 collisions are cheap to produce and two different files can share an MD5)

Warning: Be careful not to click on any links or attachments in the email accidentally.
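To show how the checklist above actually gets filled in, here is a small Python script that I am adding as an example (it is not part of the room). It parses a raw .eml with the standard library, walks the Received chain to find the originating IP, collects the sender, reply-to, recipients, subject and date, and flags a Reply-To that points at a different domain than the From address. The message embedded in it is constructed for the example: every hostname, address and IP is made up (192.0.2.x and 198.51.100.x are reserved documentation ranges). Reverse DNS is optional because it touches the network.

```python
import email
import re
import socket
from email import policy
from email.utils import getaddresses, parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample (not a real phish): three Received hops, a From that looks
# internal, and a Reply-To on another domain.  All names, addresses and IPs are
# made up; 192.0.2.x and 198.51.100.x are RFC 5737 documentation ranges.
SAMPLE_EML = b"""\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby inbound.example-corp.test with ESMTPS id abc123
\tfor <victim@example-corp.test>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example-corp.test with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:01 +0000
Received: from [10.0.0.5] (helo=user-pc) by relay.example.net with esmtpa;
\tMon, 01 Jan 2024 10:00:00 +0000
From: "IT Support" <support@example-corp.test>
Reply-To: helpdesk@evil-example.test
To: victim@example-corp.test
Cc: boss@example-corp.test
Subject: Password expires today
Date: Mon, 01 Jan 2024 09:59:50 +0000
Content-Type: text/plain

Reset your password within 24 hours.
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# RFC 1918, loopback and link-local.  Hops in these ranges are the sender's own
# LAN, not the Internet-facing host you would block or look up.  (ip_address()
# .is_global would also reject the documentation ranges used above, so the
# check is written out explicitly.)
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hop_ip(received: str):
    """IP of the host named in the 'from' clause of one Received header."""
    from_clause = received.split(" by ", 1)[0]
    m = BRACKETED_IP.search(from_clause) or BARE_IP.search(from_clause)
    return m.group(1) if m else None


def reverse_lookup(ip: str):
    """PTR record for ip; None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def triage_headers(raw: bytes, resolve: bool = False) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Unfold each Received header onto one line.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    chain = [hop_ip(h) for h in hops]
    # Every MTA prepends its own Received header, so the last one in the list is
    # the earliest hop.  Walk earliest -> latest and keep the first external IP.
    originating = next((ip for ip in reversed(chain) if ip and not is_internal(ip)), None)

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    recipients = [addr for _, addr in getaddresses(
        [str(msg[h]) for h in ("To", "Cc", "Bcc") if msg[h]]) if addr]
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    return {
        "sender_display": from_name,
        "sender_address": from_addr,
        "reply_to": reply_to or None,
        # Replies going to a different domain than the From address is a classic
        # sign that the conversation is being diverted to an attacker mailbox.
        "reply_to_mismatch": bool(reply_to) and reply_domain != from_domain,
        "recipients": recipients,
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "received_chain": chain,  # latest hop first, as in the raw headers
        "originating_ip": originating,
        # Reverse DNS hits the network, so it is off unless explicitly requested.
        "originating_ptr": reverse_lookup(originating) if resolve and originating else None,
    }


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_EML).items():
        print(f"{key:>18}: {value}")
```

Run it against a real .eml with `triage_headers(open("mail.eml", "rb").read(), resolve=True)` to also get the PTR record. The earliest-hop logic only holds for the headers your own MTA added; anything below the first trusted hop could have been forged by the sender, which is exactly why the checklist asks for the sender IP and its reverse lookup rather than trusting the From line.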

Questions

Read the above.

Answer: No answer needed


Task 3: Email header analysis

When investigating phishing emails, some details—like suspicious display names or odd formatting—are easy to see directly in your email client. But critical information such as the sender’s IP address, delivery path, and reply-to configuration can only be found in the email header.

In Phishing Emails 1, we looked at how to manually inspect raw email headers. Below are several tools that make this process faster, clearer, and more reliable.

Email Header Analysis Tools

1. Google Admin Toolbox – Messageheader
This tool analyzes SMTP headers to reveal delivery delays, routing issues, and potential misconfigurations.
Usage: Copy/paste the full email header into the tool.
https://toolbox.googleapps.com/apps/messageheader/analyzeheader

2. Message Header Analyzer
A simple and effective alternative for parsing and visualizing header information.
https://mha.azurewebsites.net/

3. Mailheader.org
Another easy-to-use option for extracting structured insights from raw headers.
https://mailheader.org/

Tip: Different tools highlight different details, so using more than one often provides a clearer picture.

A Quick Note on MTAs and MUAs

A Message Transfer Agent (MTA) handles the transfer of emails between mail servers.
A Mail User Agent (MUA) is the client you use to read email (Gmail, Outlook, Yahoo! Mail, etc.).
Understanding both helps when interpreting header information.


Tools for Investigating Sender IPs & Suspicious URLs

Once you extract an IP address or URL from an email, these tools help you assess risk and reputation:

IP Analysis

IPinfo.io
Provides location information, ownership data, and insights that can help identify suspicious or fraudulent IPs.
https://ipinfo.io/

URL Scanning

URLScan.io
Automatically visits a URL in a sandbox environment and records:

  • Requested domains and IPs
  • Loaded scripts and resources
  • DOM content
  • Cookies
  • A screenshot of the page

If the site impersonates a known brand, it flags it as potentially malicious.
https://urlscan.io/

Alternatives: URL2PNG, Wannabrowser (for safe screenshots and previews).

Reputation Checking

Talos Reputation Center
Cisco’s threat intelligence portal for checking the reputation of IPs, domains, and URLs.
https://talosintelligence.com/reputation

Questions

What is the official site name of the bank that capitai-one.com tried to resemble?

Capital One is a large US bank; the attacker's domain capitai-one.com swaps the letter l for an i to resemble it.

Answer: capitalone.com


Task 4: Email body analysis

Once you’ve reviewed the email headers, the next step is to analyze the email body—the place where attackers typically deliver their payloads, either through malicious links or dangerous attachments.


Links can be obtained manually by viewing an HTML email or by inspecting the raw source. A simple method is to right-click a hyperlink in the email and choose "Copy Link Location". Keep in mind that the visible link text and the real href can differ, so always record the actual target rather than the text shown.
Tools can automate this process and reduce the risk of missing hidden URLs.

URL Extractor

A lightweight tool where you can paste the raw email text and extract all URLs automatically.
https://www.convertcsv.com/url-extractor.htm

URLs appear in Step 3 after inputting your text.

CyberChef – Extract URLs Recipe

CyberChef can identify and extract URLs from complex email bodies or encoded content using its built-in “Extract URLs” operation.

Tip: Always pay attention to the root domain of any extracted URL. You will need to check the reputation of both the full URL and its base domain.

After extraction, analyze each URL using reputation and sandbox tools such as URLScan.io, Talos Reputation Center, or IPinfo.io (listed in the previous section).


Handling Email Attachments Safely

If the phishing email contains an attachment, the next step is to obtain the file—safely.
Clients like Thunderbird make this easy with a “Save” button that downloads the attachment without opening it.

Once saved, calculate the file’s SHA-256 hash, which uniquely identifies it:

sha256sum Double\ Jackpot\ Slots\ Las\ Vegas.dot
c650f397a9193db6a2e1a273577d8d84c5668d03c06ba99b17e4f6617af4ee83  Double Jackpot Slots Las Vegas.dot

You can then submit the hash to file reputation services to determine whether the attachment is known to be malicious.
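Putting the link-extraction and attachment steps together, here is a Python script that I am adding as an example (it is not the room's code, nor that of convertcsv or CyberChef). It walks a multipart message, collects every URL from the text part, the HTML anchors and other URL-bearing attributes such as image sources, flags shortened links and anchors whose visible text points at a different host than the real href, and hashes attachments without ever opening them. The embedded message is constructed for the example and every domain in it is made up; the attachment body is a placeholder string rather than a real document.

```python
import email
import hashlib
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish).  It has a plain-text part, an
# HTML part whose visible link text disagrees with the real href, a shortened
# link, a tracking pixel and a placeholder attachment.  Every domain is made up.
SAMPLE_EML = b"""\
From: "Streaming Billing" <billing@example-corp.test>
To: victim@example-corp.test
Subject: Payment failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Update your payment details at https://t.co/abc123 within 24 hours.
--inner
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Update your details at
<a href="https://login.example-corp.test.evil-example.net/verify">https://www.example-corp.test/account</a></p>
<p><a href="https://t.co/abc123">Read now</a></p>
<img src="https://track.evil-example.net/p.gif" width="1" height="1">
</body></html>
--inner--
--outer
Content-Type: application/octet-stream; name="Invoice_4512.dot"
Content-Disposition: attachment; filename="Invoice_4512.dot"

constructed attachment body
--outer--
"""

URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+")
# Common link shorteners: the real destination has to be expanded separately.
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}


class LinkCollector(HTMLParser):
    """(href, visible text) for every <a>, plus URLs in src/action/data
    attributes so hidden resources such as tracking pixels are not missed."""
    def __init__(self):
        super().__init__()
        self.links, self.resources, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href"), []
        for key in ("src", "action", "data"):
            if (a.get(key) or "").startswith("http"):
                self.resources.append(a[key])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(url: str) -> dict:
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return {"url": url, "host": host,
            # Naive registrable domain (last two labels).  Fine for .com/.xyz;
            # multi-part suffixes such as co.uk need the Public Suffix List.
            "base_domain": ".".join(labels[-2:]) if len(labels) > 1 else host,
            "shortened": host in SHORTENERS, "display_mismatch": False}


def analyze_body(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = {}, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            data = part.get_payload(decode=True) or b""   # saved, never opened
            attachments.append({"filename": part.get_filename(),
                                "size": len(data), "sha256": sha256_hex(data)})
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            for u in URL_RE.findall(part.get_content()):
                urls.setdefault(u, classify(u))
        elif ctype == "text/html":
            lc = LinkCollector()
            lc.feed(part.get_content())
            for href, text in lc.links:
                entry = urls.setdefault(href, classify(href))
                # The text the user sees may itself look like a trustworthy URL.
                shown = URL_RE.search(text)
                shown_host = urlparse(shown.group(0)).hostname if shown else None
                if shown_host and shown_host.lower() != entry["host"]:
                    entry["display_mismatch"] = True
            for u in lc.resources:
                urls.setdefault(u, classify(u))
    return {"urls": list(urls.values()), "attachments": attachments}


if __name__ == "__main__":
    report = analyze_body(SAMPLE_EML)
    for item in report["urls"] + report["attachments"]:
        print(item)
```

Each URL comes back with both its full host and a base domain, matching the tip above about checking the reputation of both; the shortened and display_mismatch flags tell you which links need expanding or extra scrutiny before they go into URLScan.io or Talos.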


File Reputation & Malware Scanning Tools

Cisco Talos File Reputation

https://talosintelligence.com/talos_file_reputation
Maintains reputation information for billions of files used by Cisco AMP, Firepower, ClamAV, and Snort. Hash-only lookups help quickly identify known malware.

VirusTotal

https://www.virustotal.com/gui/
Aggregates dozens of antivirus engines and sandbox analyses to detect suspicious files and URLs.

ReversingLabs

A well-known malware intelligence provider worth mentioning for deeper analysis; it also offers a file reputation service.


By combining link extraction, URL reputation checks, safe attachment handling, and file hash lookups, you can build a reliable workflow for analyzing malicious email content and uncovering threats hidden inside phishing messages.

Questions

How can you manually get the location of a hyperlink?

You right click the hyperlink in the mail and select Copy Link Location.

Answer: Copy Link Location


Task 5: Malware Sandbox

The good news for defenders is that we don’t need deep malware reverse-engineering skills to understand what a suspicious email attachment does. Instead, we can rely on malware sandbox services—secure, isolated environments that execute the file and record its behavior.

By uploading a potentially malicious attachment to one of these services, we can observe:

  • What domains or IPs the file attempts to contact
  • Additional payloads it tries to download
  • Persistence mechanisms it attempts to establish
  • Host changes (registry edits, file writes, processes spawned)
  • Indicators of Compromise (IOCs)

This gives defenders actionable insights without exposing their own systems to risk.

Below are some widely used malware sandbox platforms:


Any.Run

https://app.any.run/
A fully interactive sandbox that lets you watch malware behavior in real time.
Per the site: “Analyze network, file, module, and registry activity. Interact with the OS directly from a browser and see feedback immediately.”


Hybrid Analysis

https://www.hybrid-analysis.com/
A free community malware analysis service.
Per the site: “Detects and analyzes unknown threats using a unique Hybrid Analysis technology.”


Joe Sandbox

https://www.joesecurity.org/
A feature-rich platform offering deep behavioral insights.
Per the site: “Supports live interaction, URL analysis, AI-based phishing detection, Yara & Sigma rules, MITRE ATT&CK mapping, threat hunting, dynamic instrumentation, execution graphs, anonymization, and more.”

Questions

Read the above.

Answer: No answer needed.


Task 6: PhishTool

Automating Phishing Analysis with PhishTool

To wrap up our phishing-analysis toolkit, let’s look at one of the most powerful platforms available to defenders: PhishTool.

🔍 What Is PhishTool?

Per the site:

“Whether you’re a security researcher investigating a new phish-kit, a SOC analyst responding to user-reported phishing, a threat intelligence analyst collecting IoCs, or an investigator dealing with email-borne fraud — PhishTool combines threat intelligence, OSINT, email metadata and battle-tested auto-analysis pathways into one powerful phishing response platform.”

There is a free community edition available, making it accessible for learning and day-to-day defensive analysis.


Uploading and Analyzing a Malicious Email

The creator of the room on THM uploaded a malicious email into PhishTool and connected it to his VirusTotal account using a free community API key. PhishTool immediately parsed the email and extracted the essential metadata:

  • Sender and recipient information
  • Timestamp
  • Originating IP + reverse DNS
  • SMTP relay chain
  • X-headers
  • IP and domain intelligence

The interface allows you to view both the text and HTML versions of the email body, making it easy to inspect obfuscation or hidden links.


Attachments & URLs

PhishTool divides URL and attachment analysis into two panes:

URL Pane

Shows all detected URLs.
In this example, no URLs were present.

Attachment Pane

Displays attachment details—in this case, a malicious ZIP file.
PhishTool extracts key details automatically:

  • File name
  • SHA256 hash
  • Additional metadata
  • VirusTotal feedback (if you connect an API key)

You can also open an action menu to perform deeper inspection, such as viewing strings, metadata, or downloading the file for sandbox analysis.
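The strings view PhishTool offers is the classic `strings` trick: pull out every run of printable characters from a file without executing it, which is how file names such as an embedded EXE show up. The Python version below is my own added example (not PhishTool's code). It builds a small ZIP in memory, constructed for the example and containing a fake EXE member with a made-up name and a fake DOS stub rather than a real executable, and shows that member names and embedded paths surface even though the archive is never extracted. It also handles UTF-16LE strings, which Windows binaries commonly use, and filters the output for executable-looking names.

```python
import io
import re
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP that hides a fake EXE behind a PDF-looking name.
    The member contents are placeholders, not real executables."""
    buf = io.BytesIO()
    # ZIP_STORED keeps member bytes uncompressed, so strings inside the members
    # show up too; with DEFLATE they would stay hidden until extraction.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_4512_PDF.exe",
                    b"MZ\x90\x00\x03\x00" + b"\x00" * 10
                    + b"This program cannot be run in DOS mode.")
        zf.writestr("readme.txt", "C:\\Users\\Public\\run.vbs".encode("utf-16-le"))
    return buf.getvalue()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, then runs of UTF-16LE (how Windows binaries
    usually store paths and file names).  Same idea as the `strings` utility."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


# File names with extensions that execute on Windows when double-clicked.
EXEC_NAME = re.compile(r"[\w\-.]+\.(?:exe|dll|scr|vbs|js|jse|wsf|lnk|bat|cmd|ps1|hta)", re.I)


def suspicious_names(strings) -> list:
    """Executable-looking file names embedded in the strings, de-duplicated.
    No trailing word boundary on purpose: in a ZIP the member name is directly
    followed by the member's first bytes (e.g. 'Invoice.exeMZ')."""
    hits = [name for s in strings for name in EXEC_NAME.findall(s)]
    return list(dict.fromkeys(hits))


if __name__ == "__main__":
    sample = build_sample_zip()
    for s in extract_strings(sample):
        print(repr(s))
    print("executable names:", suspicious_names(extract_strings(sample)))
```

On a real attachment, call `extract_strings(open("attachment.zip", "rb").read())`; hashing first and only reading the bytes keeps this safe on an analysis box, but do the reading on a VM rather than your daily driver all the same.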


VirusTotal Integration

With the free API key connected, PhishTool automatically retrieves VirusTotal’s initial verdict.
For deeper inspection, analysts can manually search the hash on VirusTotal’s site.


Case Resolution & Classification

PhishTool allows you to mark email submissions as malicious and add analyst notes.
Once resolved, you can apply:

  • Tags
  • Verdicts
  • Classification codes (e.g., Whaling for high-value targets)

Classification codes are useful because not all phishing emails fall into the same category; some target regular users, while others aim at executives like CFOs.

In this case, I didn’t complete deeper analysis on the domains, IP addresses, or the attachment beyond the basics, so only minimal classification codes were applied. The attachment could be uploaded to a malware sandbox for a full behavioral profile.


PhishTool brings together metadata analysis, threat intelligence, and automated workflows, making it an essential resource for SOC analysts and researchers handling phishing investigations.

Questions

Look at the Strings output. What is the name of the EXE file?

The answer can be found on the strings output screenshot:

Answer: 454326_PDF.exe


Task 7: Phishing Case 1

Scenario: You are a Level 1 SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email for your team to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails. 

Task: Use the tools discussed throughout this room (or use your own resources) to help you analyze each email header and email body. 

Questions

What brand was this email tailored to impersonate?

Ok, let's go. You should see the Phish3Case1.eml file on the machine's desktop. We can double-click it to have a look at the email itself:

It seems obvious they are trying to mimic Netflix!

Answer: Netflix

What is the From email address?

Now we can use any of the tools introduced in task 3 to help us answer this question.

Let’s use https://toolbox.googleapps.com/apps/messageheader/analyzeheader.

Go ahead and copy the source code of the email (View -> Message Source, or Ctrl + U). Paste it into the above website. You will get a bunch of data extracted from the source:

At the top you will find the From email address. It definitely does not look like Netflix 🙂

Answer: JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com

What is the originating IP? Defang the IP address. 

I actually could not find this on Google's tool, so I switched to the other tool:

https://mailheader.org/show.cgi

Copy the source code again and you will see more interesting results, which includes the mail server to IP field:

Now paste the IP into CyberChef's Defang IP Addresses recipe to get it into defanged format:

https://gchq.github.io/CyberChef/#recipe=Defang_IP_Addresses()&input=MTBbLl0xOTdbLl0zN1suXTIzNA

Answer: 209[.]85[.]167[.]226

From what you can gather, what do you think will be a domain of interest? Defang the domain.

To make it interesting, let's use the last of the three websites introduced in Task 3:

https://mha.azurewebsites.net

Here, something that stood out to me is the following X-Relaying-Domain field.

It has an interesting domain for sure! In defanged format it is etekno[.]xyz.

Answer: etekno[.]xyz

What is the shortened URL? Defang the URL.

If you still have the original email open, you can easily spot the Read button. Right-click on it and select "Copy Link Location". The target is a t.co link (Twitter's URL shortener), so the real destination is hidden behind it; defang the shortened URL with CyberChef's Defang URL recipe.

Answer: hxxps[://]t[.]co/yuxfZm8KPg?amp=1
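Defanging is simple enough to do without CyberChef. The Python helpers below are my own added example (not from the room or CyberChef) and mirror what the Defang IP Addresses and Defang URL recipes do, plus two things that matter for the answer formats in this room: stripping the port from the IP:port pairs that sandboxes report, and sorting IPs numerically, since a plain string sort would put 192.0.2.40 ahead of 192.0.2.5. A refang helper is included for pasting indicators back into a tool. The sample connection and domain lists are constructed; all addresses are documentation-range and all domains are made up.

```python
import re
from ipaddress import ip_address

# Constructed sample data in the IP:port form sandboxes report (RFC 5737
# documentation ranges; the duplicate host on two ports is deliberate) and
# some made-up domains.
SAMPLE_CONNECTIONS = ["203.0.113.9:443", "192.0.2.40:80", "192.0.2.5:443", "203.0.113.9:8080"]
SAMPLE_DOMAINS = ["ww12.lookup.example", "lookup.example", "acme-holding.example"]

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")


def defang_ip(ip: str) -> str:
    return ip.replace(".", "[.]")


def defang_url(url: str) -> str:
    """hxxp scheme, [://] separator and every '.' as '[.]', so the indicator
    can neither be clicked nor auto-linked by a mail client or ticket system."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    return url.replace("://", "[://]").replace(".", "[.]")


def refang(indicator: str) -> str:
    """Undo the common defanging styles so an indicator can be fed to a tool."""
    s = indicator.replace("[://]", "://").replace("[:]", ":")
    for dot in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(dot, ".")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def strip_port(ip_port: str) -> str:
    m = IP_PORT.match(ip_port.strip())
    return m.group(1) if m else ip_port.strip()


def answer_ips(connections) -> str:
    """Unique IPv4 addresses, lowest to highest numerically, defanged and
    comma-joined in the room's answer format."""
    ips = sorted({strip_port(c) for c in connections}, key=ip_address)
    return ",".join(defang_ip(ip) for ip in ips)


def answer_domains(domains) -> str:
    """Unique domains in alphabetical order, defanged and comma-joined."""
    return ",".join(defang_url(d) for d in sorted({d.strip().lower() for d in domains}))


if __name__ == "__main__":
    print(answer_ips(SAMPLE_CONNECTIONS))
    print(answer_domains(SAMPLE_DOMAINS))
    print(defang_url("https://t.co/abc123?amp=1"))
```

`key=ip_address` is what makes the ordering numeric; it also means a list mixing IPv4 and IPv6 would need to be sorted separately, because the two address types do not compare with each other.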


Task 8: Phishing Case 2

Scenario: You are a Level 1 SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email for your team to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails. 

A malicious attachment from a phishing email inspected in the previous Phishing Room was uploaded to Any Run for analysis. 

Task: Investigate the analysis and answer the questions below. 

Link: https://app.any.run/tasks/8bfd4c58-ec0d-4371-bfeb-52a334b69f59

Questions

What does AnyRun classify this email as?

Start by clicking the AnyRun link to see all results. You might remember that AnyRun is a service that features a fully interactive sandbox that lets us watch malware behavior in real time. This means that we can look at the results of uploading the malware straight away by clicking the link.

You are met by the following screen:

Moving the mouse will show screenshots.

Now, if you look carefully at the top right of the screen, it says “suspicious activity”, which is the answer. Here is a screenshot of the relevant section:

Answer: Suspicious activity

What is the name of the PDF file?

Right below the orange banner, it says the file name. See above.

Answer: Payment-updateid.pdf

What is the SHA 256 hash for the PDF file?

The SHA256 hash is not immediately visible, but go ahead and click the “Text report” button, also found on the top right section. This will show a text report with more details:

Answer: CC6F1A04B10BCB168AEEC8D870B97BD7C20FC161E8310B5BCE1AF8ED420E2C24

What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)

In the same text report, scroll down all the way to the “Connections” section. Here, two connections are marked as malicious:

Copy the IP addresses into CyberChef to defang them:

https://gchq.github.io/CyberChef/#recipe=Defang_IP_Addresses()&ieol=CRLF&oeol=CRLF

Answer: 2[.]16[.]107[.]24,2[.]16[.]107[.]83

What Windows process was flagged as Potentially Bad Traffic?

Scroll all the way down to the “Threats” section:

Answer: svchost.exe


Task 9: Phishing Case 3

Scenario: You are a Level 1 SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email for your team to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails. 

A malicious attachment from a phishing email inspected in the previous Phishing Room was uploaded to Any Run for analysis. 

Task: Investigate the analysis and answer the questions below. 

Link: https://app.any.run/tasks/82d8adc9-38a0-4f0e-a160-48a5e09a6e83

Questions

What is this analysis classified as?

Alright, let’s do this one final time. Open the AnyRun URL. Focus on the summary section on the top right for now.

The file is marked as “Malicious Activity”.

Answer: Malicious Activity

What is the name of the Excel file?

See above once again. The name is CBJ200620039539.xlsx.

Answer: CBJ200620039539.xlsx

What is the SHA 256 hash for the file?

Open up the text report, as we did in the last task.

Answer: 5F94A66E0CE78D17AFC2DD27FC17B44B3FFC13AC5F42D3AD6A5DCFB36715F3EB

What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)

Find the Network Activity section and look under DNS Requests:

Defang those in CyberChef:

https://gchq.github.io/CyberChef/#recipe=Defang_URL(true,true,true,'Valid%20domains%20and%20full%20URLs')&ieol=CRLF&oeol=CRLF

Enter the defanged URLs in the correct format.

Answer: biz9holdings[.]com,findresults[.]site,ww38[.]findresults[.]site

What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)

This time, look at the HTTP Connections just above the DNS requests we looked at earlier:

Defang, and put them in the right order. Remember to remove the port numbers if you are following along 🙂

Answer: 75[.]2[.]11[.]242,103[.]224[.]182[.]251,204[.]11[.]56[.]48

What vulnerability does this malicious attachment attempt to exploit?

In the same report, the relevant vulnerability is listed at the top:

Remember, CVE identifiers (Common Vulnerabilities and Exposures) are unique IDs for publicly known software security flaws. CVE-2017-11882 is a memory corruption bug in the Equation Editor component (EQNEDT32.EXE) that shipped with Microsoft Office; a crafted document opened in an unpatched Office triggers it and runs attacker code, which is why it is so common in malicious Office attachments.

Answer: CVE-2017-11882


Task 10: Conclusion

The tools covered in this room are just some that can help you with analyzing phishing emails. 

As a defender, you’ll come up with your own preferred tools and techniques to perform manual and automated analysis. 

Here are a few other tools that we have not covered in detail within this room that deserve a shout:

That’s all, folks! Happy Hunting!

Questions

Read the above.

Answer: No answer needed.

Congratulations on completing Phishing Analysis Tools! I really enjoyed that the room was focused so much on practical exercises. I hope you also feel that you are now more comfortable analyzing phishing mails.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other TryHackMe SOC Level 1 Path walkthroughs here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
