In this lab walkthrough, we will analyze a malicious phishing attack delivered through email and track its execution chain, from the initial SMTP traffic to the final payload execution. This scenario simulates a real-world attack where a user unknowingly receives an email with an attachment, leading to a series of system compromises. The investigation will focus on network forensics using Wireshark, reverse engineering techniques with IDA Pro, and shellcode analysis through scdbg.
We begin by examining the email exchange captured in a PCAP file, identifying the sender and recipient while dissecting the SMTP communication to reveal the nature of the email contents. Moving forward, we investigate the attached document, uncovering hidden payloads and obfuscated JavaScript that link to an external malicious server. By extracting and decoding artifacts, we trace the execution flow of the malware, analyzing how it downloads additional components and executes them on the victim's system.

As the investigation progresses, we shift to memory and process forensics, focusing on how the malicious components operate once executed. By extracting the CAB archive, analyzing the DLLs it contains, and emulating the payload, we identify the key Windows API calls used to carry out malicious actions such as code injection, process manipulation, and network communication.

The goal of this walkthrough is to provide a step-by-step breakdown of how attackers exploit common document-based vulnerabilities to compromise systems while evading detection. This exercise will reinforce the importance of network monitoring, email security, and behavioral analysis in cybersecurity investigations.
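As an added example (not part of the lab's own material), here is a small Python parser for the first step described above: it takes an SMTP client stream as reassembled by Wireshark's Follow TCP Stream, recovers the envelope sender and recipient, and decodes and fingerprints the MIME attachment. The session text, addresses and the 8-byte attachment (an OLE2 file header) are constructed for illustration.

```python
import email
import hashlib
from email import policy

# Constructed SMTP client stream, as seen in Wireshark's "Follow TCP Stream"
# view (server replies omitted). The attachment is 8 bytes of OLE2 magic.
SMTP_STREAM = """\
MAIL FROM:<sender@example.test>
RCPT TO:<victim@example.test>
DATA
From: sender@example.test
To: victim@example.test
Subject: Invoice
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/octet-stream; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--B1--
.
QUIT
"""

def parse_smtp_session(stream: str) -> dict:
    """Extract envelope sender/recipients and decoded attachments from an SMTP stream."""
    result = {"mail_from": None, "rcpt_to": [], "attachments": []}
    body, in_data = [], False
    for line in stream.splitlines():
        if in_data:
            if line == ".":                      # a lone dot terminates DATA
                in_data = False
            else:                                # undo SMTP dot-stuffing
                body.append(line[1:] if line.startswith("..") else line)
        elif line.upper().startswith("MAIL FROM:"):
            result["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            result["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
    msg = email.message_from_string("\n".join(body), policy=policy.default)
    for part in msg.iter_attachments():      # yields non-body MIME parts only
        data = part.get_payload(decode=True)  # base64-decoded attachment bytes
        result["attachments"].append({"filename": part.get_filename(), "size": len(data),
                                      "head": data[:8].hex(), "sha256": hashlib.sha256(data).hexdigest()})
    return result
```

The `head` field exposes the file magic (here `d0cf11e0a1b11ae1`, the OLE2 signature of legacy Office documents), which tells you what the attachment really is regardless of the name the sender gave it.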