I'm Didier Stevens, a senior handler with the Internet Storm Center. In this video we are going to look at a phishing email with an attachment. Rieder Carlos submitted an email that he received with a phishing attachment. So it's an MSG file, and MSG files are compound binary files, or OLE files like I used to call them, and as such you can analyze them with my tool oledump. If you just run oledump here on the MSG file, then you get a list of all the streams inside the MSG file, and you can see here several streams that start with "attach". So one of them here contains the attachment and the others contain information about the attachment.

Now I have a plugin that helps you decode those numbers here, because those numbers give you information about the type of data that is inside the stream. So I'm using option P to run my MSG plugin, and I'm going to pipe this through less because this will produce more output. So this is the first stream, the second stream here, and here you can see that the plugin was able to decode this data: here 1 2 1 0, sorry, 1 2 means that this is binary data, unknown, it's a question mark. Stream 3 is also binary data, but this is the attachment; you can see here HTML language and so on. Stream 4, uni stands for Unicode, this is the attachment filename: payment n dot htm. Stream 5, again Unicode, the attachment long filename, so payment notification dot pdf dot html. So the adversaries here want us to believe that this is a PDF document, while it is actually an HTML document.

So let's look inside stream 3. I'm going to quit. So I now run oledump, I select stream 3 from the email, and then you get a hexadecimal/ASCII dump, and here you can see that this is indeed HTML. So I can dump this: instead of doing an ASCII dump I can just do a binary dump with option D, and here you can see the HTML. Now, just to show you, if I would pipe this into pdfid, if I believe that this is a PDF and run this into pdfid, then pdfid would tell me that this is not a PDF document.

So let's take a look back at the HTML code, and here we can see several URLs to the Standard Bank of South Africa, and if you search further here you will find this URL. This one here is not a standard URL; this is a link shortener, and if you would follow that link then you would end up at a page like this here, which simulates a login for the Standard Bank of South Africa. Now, this here was quite easy to analyze because it's short, it's just one screen long, and we can easily find back the URLs. If it is longer you could, for example, grep for "http", not making it case sensitive with option I, and then you get the lines with all http strings, some false positives like here, that's not a URL. And for that I actually have a tool which is called re-search, and re-search is just a regular expression search, RE stands for regular expression. If we look at the help there are a lot of options, but the main point is that re-search has a library of regular expressions that I use often, like this one here for Bitcoin addresses, for email, for URLs, and this is the regular expression we want, so that we can extract regular expressions from this phishing HTML. So I'm going to run re-search and I'm going to say that I search for a regular expression with name URL, and then as you can see here I get all URLs. So this is easier to do when your document is quite long or if it's hard to identify the URLs.
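As an added example (not code from the video and not part of oledump, pdfid or re-search), here is a Python triage of the attachment once it has been dumped out of the MSG file, doing the steps above in one pass: sniffing the real content type the way pdfid's "not a PDF" verdict does, flagging the double extension in the long filename, and pulling URLs out with a regex in the spirit of re-search's URL pattern, then reporting the ones that do not point at the impersonated brand's domain. The filename, HTML and domains are constructed; `example-bank.test` and `short.example` are placeholders, not the bank or shortener from the video.

```python
import re
from urllib.parse import urlparse
# Same idea as re-search's URL regex: pull http(s) links out of arbitrary text.
URL_RE = re.compile(r'https?://[^\s"\'<>()]+', re.IGNORECASE)
# Extensions the lure pretends to be ('pdf' in the video) plus other common decoys.
DECOY_EXTS = {'pdf', 'doc', 'docx', 'xls', 'xlsx', 'jpg', 'png'}
EXPECTED_EXT = {'pdf': {'pdf'}, 'html': {'htm', 'html'}}

def sniff_type(data: bytes) -> str:
    """Trust magic bytes, not the name (the check behind pdfid saying 'not a PDF')."""
    head = data.lstrip()[:1024].lower()
    if head.startswith(b'%pdf-'):
        return 'pdf'
    if b'<html' in head or b'<!doctype html' in head or b'<script' in head:
        return 'html'
    return 'unknown'

def triage_attachment(filename: str, data: bytes, brand_domains: set) -> dict:
    """Findings for one attachment dumped out of the MSG (as with oledump -s 3 -d)."""
    parts = filename.lower().split('.')
    ext = parts[-1] if len(parts) > 1 else ''
    actual = sniff_type(data)
    # unique URLs in first-seen order, like re-search's named URL regex would list them
    urls = list(dict.fromkeys(URL_RE.findall(data.decode('utf-8', 'replace'))))
    def on_brand(url: str) -> bool:
        host = urlparse(url).hostname or ''
        return any(host == d or host.endswith('.' + d) for d in brand_domains)
    return {
        'claimed_ext': ext,
        'actual_type': actual,
        # 'payment notification.pdf.html': a decoy extension hiding in front of the real one
        'double_extension': len(parts) > 2 and parts[-2] in DECOY_EXTS,
        # name says one thing, content says another (a '.pdf' that is really HTML)
        'type_mismatch': actual in EXPECTED_EXT and ext not in EXPECTED_EXT[actual],
        'urls': urls,
        # links that leave the impersonated brand's domain: shorteners, credential catchers
        'off_brand_urls': [u for u in urls if not on_brand(u)],
    }
# Constructed sample mirroring the video's lure; both domains are placeholders.
SAMPLE_NAME = 'payment notification.pdf.html'
SAMPLE_HTML = b'''<html><body>
<a href="https://www.example-bank.test/personal">Example Bank</a>
<img src="https://www.example-bank.test/img/logo.png">
<form action="https://short.example/x7Yq"><input name="user"><input name="pass"></form>
</body></html>'''

if __name__ == '__main__':
    for key, value in triage_attachment(SAMPLE_NAME, SAMPLE_HTML, {'example-bank.test'}).items():
        print(f'{key}: {value}')
```

On the constructed sample this reports the real type as HTML, flags the `.pdf.html` double extension, and lists only the shortener link as off-brand.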