Phishing Analysis 2

What is the sending email address?

# Open the .eml in Thunderbird
amazon@zyevantoby.cn

What is the recipient email address?

# Open the .eml in Thunderbird
saintington73@outlook.com

What is the subject line of the email?

# Open the .eml in Thunderbird
Your Account has been locked

What company is the attacker trying to imitate?

# Open the .eml in Thunderbird
amazon

What is the date and time the email was sent? (As copied from a text editor)

From: Amazn <amazon@zyevantoby.cn>
To: saintington73 <saintington73@outlook.com>
Subject: Your Account has been locked
Date: Wed, 14 Jul 2021 01:40:32 +0900

Wed, 14 Jul 2021 01:40:32 +0900

What is the URL of the main call-to-action button?

https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famaozn.zzyuchengzhika.cn%2F%3Fmailtoken%3Dsaintington73%40outlook.com&data=04%7C01%7C%7C70072381ba6e49d1d12d08d94632811e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637618004988892053%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=oPvTW08ASiViZTLfMECsvwDvguT6ODYKPQZNK3203m0%3D&reserved=0

Look at the URL using URL2PNG. What is the first sentence (heading) displayed on this site? (regardless of whether you think the site is malicious or not)

This web page could not be loaded.

When looking at the main body content in a text editor, what encoding scheme is being used?

base64

What is the URL used to retrieve the company's logo in the email?

# Decode the base64 text from the .eml file
    <TD width="600" align="center" valign="top" 
      style="width: 600px;">&nbsp;<IMG width="749" height="67" style="width: 100px;" 
      alt="" src="https://images.squarespace-cdn.com/content/52e2b6d3e4b06446e8bf13ed/1500584238342-OX2L298XVSKF8AO6I3SV/amazon-logo?format=750w&amp;content-type=image%2Fpng" 
      border="0" hspace="0">                   
      <TABLE width="100%" class="templateContainer" border="0" cellspacing="0" 
      cellpadding="0">

For some unknown reason one of the URLs contains a Facebook profile URL. What is the name of this user when viewing their profile?

# https%3A%2F%2Fwww.facebook.com%2Famir.boyka.7
Amir Bigboss
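
The header lookups, base64 decoding and URL extraction above can also be done without rendering the message in a mail client. The Python script below is an added example, not part of the original write-up: the sample message reuses the headers quoted above with a shortened, constructed HTML body, and the image host images.example.invalid and the function names triage and unwrap_safelink are assumptions made for the example.

```python
import base64
import html
import re
from email import message_from_string, policy
from urllib.parse import parse_qs, urlsplit

# Constructed sample. Headers are the ones quoted in the write-up; the HTML
# body is a shortened stand-in built for this example, not the real body.
_HTML = ('<a href="https://emea01.safelinks.protection.outlook.com/?url='
         'https%3A%2F%2Famaozn.zzyuchengzhika.cn%2F%3Fmailtoken%3D'
         'saintington73%40outlook.com&amp;reserved=0">Verify</a>'
         '<IMG src="https://images.example.invalid/logo?format=750w&amp;x=1">')
SAMPLE_EML = (
    "From: Amazn <amazon@zyevantoby.cn>\r\n"
    "To: saintington73 <saintington73@outlook.com>\r\n"
    "Subject: Your Account has been locked\r\n"
    "Date: Wed, 14 Jul 2021 01:40:32 +0900\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(_HTML.encode()).decode()
)

def unwrap_safelink(url):
    """Return the original target of an Outlook Safe Links URL, else the URL as-is."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.endswith(".safelinks.protection.outlook.com"):
        target = parse_qs(parts.query).get("url")  # parse_qs percent-decodes
        if target:
            return target[0]
    return url

def triage(raw):
    """Parse a raw .eml string and return the fields the questions ask for."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content()  # undoes the base64 transfer encoding
    links = re.findall(r'(?:href|src)\s*=\s*"([^"]+)"', text, re.I)
    return {
        "from": msg["From"].addresses[0].addr_spec,
        "to": msg["To"].addresses[0].addr_spec,
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
        "encoding": str(body["Content-Transfer-Encoding"]),
        # HTML-unescape (&amp; -> &) before unwrapping the Safe Links wrapper
        "urls": [unwrap_safelink(html.unescape(u)) for u in links],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```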
