With EmailAnalyzer you can able to analyze your suspicious emails. You can extract headers, links and hashes from the .eml file
usage: email-analyzer.py [-h] -f FILENAME [-H] [-d] [-l] [-a] [-i] [-o OUTPUT]
options:
-h, --help show this help message and exit
-f FILENAME, --filename FILENAME
Name of the EML file
-H, --headers To get the Headers of the Email
-d, --digests To get the Digests of the Email
-l, --links To get the Links from the Email
-a, --attachments To get the Attachments from the Email
-i, --investigate Activate if you want an investigation
-o OUTPUT, --output OUTPUT
Name of the Output file (Only HTML or JSON format supported)
This command will get you Headers, Links, Attachments, and Digests with Investigations:
python3 email-analyzer.py -f <eml file>
If you want to extract the outputs to a file you can use this commands:
python3 email-analyzer.py -f <eml file> -o report.html
python3 email-analyzer.py -f <eml file> -o report.json
Only supported JSON and HTML formats currently.
python3 email-analyzer.py -f <eml file> --headers
or
python3 email-analyzer.py -f <eml file> -H
██╗ ██╗███████╗ █████╗ ██████╗ ███████╗██████╗ ███████╗
██║ ██║██╔════╝██╔══██╗██╔══██╗██╔════╝██╔══██╗██╔════╝
███████║█████╗ ███████║██║ ██║█████╗ ██████╔╝███████╗
██╔══██║██╔══╝ ██╔══██║██║ ██║██╔══╝ ██╔══██╗╚════██║
██║ ██║███████╗██║ ██║██████╔╝███████╗██║ ██║███████║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═════╝ ╚══════╝╚═╝ ╚═╝╚══════╝
_________________________________________________________
[received]
from TEST.TEST.PROD.OUTLOOK.COM (2603:10a6:20b:4f2::13)
by TEST.TEST.PROD.OUTLOOK.COM with HTTPS; Fri, 25 Nov 2022
12:36:39 +0000
_________________________________________________________
_________________________________________________________
[content-type]
multipart/alternative; boundary=335b23d5689bd75ab002f9c46a6e8023c265d60dd923308dcc7eb7a2cf25
_________________________________________________________
_________________________________________________________
[date]
Fri, 25 Nov 2022 12:36:36 +0000 (UTC)
_________________________________________________________
_________________________________________________________
[subject]
How to use EmailAnalyzer
_________________________________________________________
_________________________________________________________
[reply-to]
[email protected]
_________________________________________________________
_________________________________________________________
[from]
"Admin"<[email protected]>
_________________________________________________________
_________________________________________________________
[to]
me
_________________________________________________________
_________________________________________________________
[x-sender-ip]
127.0.0.1
_________________________________________________________
python3 mail-analyzer.py -f <eml file> --headers --investigate
or
python3 mail-analyzer.py -f <eml file> -Hi
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝
_________________________________________________________
[X-Sender-IP]
Virustotal:
https://www.virustotal.com/gui/search/127.0.0.1
Abuseipdb:
https://www.abuseipdb.com/check/127.0.0.1
_________________________________________________________
_________________________________________________________
[Spoof Check]
Reply-To:
[email protected]
From:
[email protected]
Conclusion:
Reply Address and From Address is NOT Same. This mail may be SPOOFED.
_________________________________________________________
python3 email-analyzer.py -f <eml file> --digests
or
python3 email-analyzer.py -f <eml file> -d
██████╗ ██╗ ██████╗ ███████╗███████╗████████╗███████╗
██╔══██╗██║██╔════╝ ██╔════╝██╔════╝╚══██╔══╝██╔════╝
██║ ██║██║██║ ███╗█████╗ ███████╗ ██║ ███████╗
██║ ██║██║██║ ██║██╔══╝ ╚════██║ ██║ ╚════██║
██████╔╝██║╚██████╔╝███████╗███████║ ██║ ███████║
╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚══════╝ ╚═╝ ╚══════╝
_________________________________________________________
[File MD5]
81dc9bdb52d04dc20036dbd8313ed055
_________________________________________________________
_________________________________________________________
[File SHA1]
7110eda4d09e062aa5e4a390b0a572ac0d2c0220
_________________________________________________________
_________________________________________________________
[File SHA256]
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
_________________________________________________________
_________________________________________________________
[Content MD5]
827ccb0eea8a706c4c34a16891f84e7b
_________________________________________________________
_________________________________________________________
[Content SHA1]
8cb2237d0679ca88db6464eac60da96345513964
_________________________________________________________
_________________________________________________________
[Content SHA256]
5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
_________________________________________________________
python3 email-analyzer.py -f <eml file> --digests --investigate
or
python3 email-analyzer.py -f <eml file> -di
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝
_________________________________________________________
[File MD5]
Virustotal:
https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055
_________________________________________________________
_________________________________________________________
[File SHA1]
Virustotal:
https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220
_________________________________________________________
_________________________________________________________
[File SHA256]
Virustotal:
https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
_________________________________________________________
_________________________________________________________
[Content MD5]
Virustotal:
https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b
_________________________________________________________
_________________________________________________________
[Content SHA1]
Virustotal:
https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964
_________________________________________________________
_________________________________________________________
[Content SHA256]
Virustotal:
https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
_________________________________________________________
python3 email-analyzer.py -f <eml file> --links
or
python3 email-analyzer.py -f <eml file> -l
██╗ ██╗███╗ ██╗██╗ ██╗███████╗
██║ ██║████╗ ██║██║ ██╔╝██╔════╝
██║ ██║██╔██╗ ██║█████╔╝ ███████╗
██║ ██║██║╚██╗██║██╔═██╗ ╚════██║
███████╗██║██║ ╚████║██║ ██╗███████║
╚══════╝╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝
[1]->https://example.com
[2]->https://testlinks.com/campaing/123124
python3 email-analyzer.py -f <eml file> --links --investigate
or
python3 email-analyzer.py -f <eml file> --li
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝
_________________________________________________________
[1]
VirusTotal:
https://www.virustotal.com/gui/search/example.com
UrlScan:
https://urlscan.io/search/#example.com
_________________________________________________________
_________________________________________________________
[2]
VirusTotal:
https://www.virustotal.com/gui/search/testlinks.com/campaing/123124
UrlScan:
https://urlscan.io/search/#testlinks.com/campaing/123124
_________________________________________________________
python3 email-analyzer.py -f <eml file> --attachments
or
python3 email-analyzer.py -f <eml file> -a
█████╗ ████████╗████████╗ █████╗ ██████╗██╗ ██╗███████╗
██╔══██╗╚══██╔══╝╚══██╔══╝██╔══██╗██╔════╝██║ ██║██╔════╝
███████║ ██║ ██║ ███████║██║ ███████║███████╗
██╔══██║ ██║ ██║ ██╔══██║██║ ██╔══██║╚════██║
██║ ██║ ██║ ██║ ██║ ██║╚██████╗██║ ██║███████║
╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝
[1]->example.pdf
_________________________________________________________
[2]->malicious.pdf
_________________________________________________________
python3 email-analyzer.py -f <eml file> --attachments --investigate
or
python3 email-analyzer.py -f <eml file> -ai
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝
_________________________________________________________
- example.pdf
Virustotal:
[Name Search]->https://www.virustotal.com/gui/search/example.pdf
[MD5]->https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055
[SHA1]->https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220
[SHA256]->https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
_________________________________________________________
_________________________________________________________
- malicious.pdf
Virustotal:
[Name Search]->https://www.virustotal.com/gui/search/malicious.pdf
[MD5]->https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b
[SHA1]->https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964
[SHA256]->https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
_________________________________________________________