Email body analysis

The email body is where a malicious payload may be delivered to the recipient either as a link or an attachment.

Files

If the email has an attachment: Obtain the attachment safely. Accomplishing this is easy in Thunderbird by using the Save button. Get its hash and check the file’s reputation with the hash to see if it’s a known malicious document.

• Talos File Reputation

• VirusTotal

• Reversing Labs file reputation

• Norimaci – Simple And Lightweight Malware Analysis Sandbox For macOS

URLs

• URL Extractor

• CyberChef Extract URLs recipe

Note the root domain for the extracted URLs and do an analysis on the root domain as well. Also check the reputation of the URLs and root domain.