PhishHunter Attachment Detonation

Analysts can use the PhishHunter detonate feature to execute an attachment in isolation and learn what threats it may contain and what changes the file would make if it were opened on a user's machine.

When detonated, the attachment is executed in a cloud-based sandbox environment, and a detailed report is returned if the file is found to be malicious.

Detonating Attachments

Any email with an attachment will show a “bomb” button on the far right. To detonate the attachment, simply click the bomb button. The detonation process may take time, so please allow at least 60 minutes for results to appear.

Supported File Types

Any binary content can be detonated, including Windows executables, Android APKs, PDFs, images, JavaScript code, etc.

Viewing Detonation Reports

Once the detonation process is complete, the bomb button is replaced by a download button. Click this button to download the report. If the file is not a known threat, the message's malicious score is not altered and a message is displayed indicating that no reports are available. An unknown threat can still be malicious, so further human review may be necessary.

If a known threat is detected, the message’s malicious score will be set to 100% and clicking the download button will download a .json file with more details. Included in the .json file will be a verdict on the type of malware present in the file along with a list of files and processes that the malware would have attempted to access on a user’s machine.

Sample Detonation Report

[
  {
    "filename": "xxxx",
    "report_data": [
      {
        "verdicts": [
          "MALWARE",
          "TROJAN"
        ],
        "analysis_date": 1548112224,
        "has_pcap": false,
        "has_evtx": false,
        "behash": "84212be3d9ec09c8629567f1519e449b",
        "modules_loaded": [
          "c:\\windows\\system32\\user32.dll",
          "c:\\windows\\system32\\imm32.dll",
          "c:\\windows\\system32\\ntdll.dll",
          "c:\\windows\\system32\\ntvdmd.dll",
          "c:\\windows\\system32\\secur32.dll",
          "c:\\windows\\system32\\winmm.dll",
          "c:\\windows\\system32\\advapi32.dll",
          "c:\\windows\\system32\\msvcrt.dll",
          "c:\\windows\\system32\\gdi32.dll",
          "c:\\windows\\system32\\userenv.dll",
          "c:\\windows\\system32\\kernel32.dll",
          "c:\\windows\\system32\\rpcrt4.dll",
          "/usr/lib/libauto.dylib",
          "/usr/lib/system/libdyld.dylib",
          "/usr/lib/system/libxpc.dylib",
          "/usr/lib/system/libsystem_notify.dylib",
          "/usr/lib/system/libsystem_stats.dylib",
          "/usr/lib/system/libcommonCrypto.dylib",
          "/usr/lib/libc++abi.dylib",
          "/usr/lib/system/libsystem_platform.dylib",
          "/usr/lib/system/libsystem_blocks.dylib",
          "/usr/lib/system/libsystem_configuration.dylib",
          "/usr/lib/system/libsystem_coretls.dylib",
          "/usr/lib/system/libmacho.dylib",
          "/usr/lib/system/libsystem_networkextension.dylib",
          "/usr/lib/system/libsystem_secinit.dylib",
          "/usr/lib/system/libkeymgr.dylib",
          "/usr/lib/system/libunwind.dylib",
          "/usr/lib/libc++.1.dylib",
          "/usr/lib/system/libquarantine.dylib",
          "/usr/lib/system/libsystem_network.dylib",
          "/usr/lib/libDiagnosticMessagesClient.dylib",
          "/usr/lib/libncurses.5.4.dylib",
          "/usr/lib/system/libsystem_info.dylib",
          "/usr/lib/system/libsystem_m.dylib",
          "/usr/lib/system/libsystem_coreservices.dylib",
          "/usr/lib/libSystem.B.dylib",
          "/usr/lib/system/libdispatch.dylib",
          "/usr/lib/system/libsystem_sandbox.dylib",
          "/usr/lib/system/libsystem_asl.dylib",
          "/usr/lib/system/libremovefile.dylib",
          "/usr/lib/system/libcache.dylib",
          "/usr/lib/system/libsystem_pthread.dylib",
          "/usr/lib/libobjc.A.dylib",
          "/usr/lib/system/libcompiler_rt.dylib",
          "/usr/lib/system/libcorecrypto.dylib",
          "/usr/lib/system/liblaunch.dylib",
          "/usr/lib/system/libsystem_c.dylib",
          "/usr/lib/system/libsystem_dnssd.dylib",
          "/usr/lib/system/libunc.dylib",
          "/usr/lib/system/libsystem_trace.dylib",
          "/usr/lib/system/libsystem_kernel.dylib",
          "/usr/lib/system/libcopyfile.dylib",
          "/usr/lib/system/libsystem_malloc.dylib"
        ],
        "command_executions": [
          "C:\\WINDOWS\\system32\\ntvdm.exe -f -i1",
          "/bin/bash /private/tmp/eicar.com.sh"
        ],
        "last_modification_date": 1612866665,
        "processes_created": [
          "C:\\WINDOWS\\system32\\ntvdm.exe",
          "/bin/bash"
        ],
        "sandbox_name": "Lastline",
        "processes_tree": [
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "144"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "272"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "348"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "352"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "268"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "904"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1156"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "892"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "652"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1520"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "460"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1316"
          },
          {
            "name": "/bin/bash",
            "process_id": "797"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "656"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1972"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "304"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1076"
          }
        ],
        "has_memdump": false
      }
    ]
  },
  {
    "filename": "eicar.com",
    "report_data": [
      {
        "verdicts": [
          "MALWARE",
          "TROJAN"
        ],
        "analysis_date": 1548112224,
        "has_pcap": false,
        "has_evtx": false,
        "behash": "84212be3d9ec09c8629567f1519e449b",
        "modules_loaded": [
          "c:\\windows\\system32\\user32.dll",
          "c:\\windows\\system32\\imm32.dll",
          "c:\\windows\\system32\\ntdll.dll",
          "c:\\windows\\system32\\ntvdmd.dll",
          "c:\\windows\\system32\\secur32.dll",
          "c:\\windows\\system32\\winmm.dll",
          "c:\\windows\\system32\\advapi32.dll",
          "c:\\windows\\system32\\msvcrt.dll",
          "c:\\windows\\system32\\gdi32.dll",
          "c:\\windows\\system32\\userenv.dll",
          "c:\\windows\\system32\\kernel32.dll",
          "c:\\windows\\system32\\rpcrt4.dll",
          "/usr/lib/libauto.dylib",
          "/usr/lib/system/libdyld.dylib",
          "/usr/lib/system/libxpc.dylib",
          "/usr/lib/system/libsystem_notify.dylib",
          "/usr/lib/system/libsystem_stats.dylib",
          "/usr/lib/system/libcommonCrypto.dylib",
          "/usr/lib/libc++abi.dylib",
          "/usr/lib/system/libsystem_platform.dylib",
          "/usr/lib/system/libsystem_blocks.dylib",
          "/usr/lib/system/libsystem_configuration.dylib",
          "/usr/lib/system/libsystem_coretls.dylib",
          "/usr/lib/system/libmacho.dylib",
          "/usr/lib/system/libsystem_networkextension.dylib",
          "/usr/lib/system/libsystem_secinit.dylib",
          "/usr/lib/system/libkeymgr.dylib",
          "/usr/lib/system/libunwind.dylib",
          "/usr/lib/libc++.1.dylib",
          "/usr/lib/system/libquarantine.dylib",
          "/usr/lib/system/libsystem_network.dylib",
          "/usr/lib/libDiagnosticMessagesClient.dylib",
          "/usr/lib/libncurses.5.4.dylib",
          "/usr/lib/system/libsystem_info.dylib",
          "/usr/lib/system/libsystem_m.dylib",
          "/usr/lib/system/libsystem_coreservices.dylib",
          "/usr/lib/libSystem.B.dylib",
          "/usr/lib/system/libdispatch.dylib",
          "/usr/lib/system/libsystem_sandbox.dylib",
          "/usr/lib/system/libsystem_asl.dylib",
          "/usr/lib/system/libremovefile.dylib",
          "/usr/lib/system/libcache.dylib",
          "/usr/lib/system/libsystem_pthread.dylib",
          "/usr/lib/libobjc.A.dylib",
          "/usr/lib/system/libcompiler_rt.dylib",
          "/usr/lib/system/libcorecrypto.dylib",
          "/usr/lib/system/liblaunch.dylib",
          "/usr/lib/system/libsystem_c.dylib",
          "/usr/lib/system/libsystem_dnssd.dylib",
          "/usr/lib/system/libunc.dylib",
          "/usr/lib/system/libsystem_trace.dylib",
          "/usr/lib/system/libsystem_kernel.dylib",
          "/usr/lib/system/libcopyfile.dylib",
          "/usr/lib/system/libsystem_malloc.dylib"
        ],
        "command_executions": [
          "C:\\WINDOWS\\system32\\ntvdm.exe -f -i1",
          "/bin/bash /private/tmp/eicar.com.sh"
        ],
        "last_modification_date": 1612866665,
        "processes_created": [
          "C:\\WINDOWS\\system32\\ntvdm.exe",
          "/bin/bash"
        ],
        "sandbox_name": "Lastline",
        "processes_tree": [
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "144"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "272"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "348"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "352"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "268"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "904"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1156"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "892"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "652"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1520"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "460"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1316"
          },
          {
            "name": "/bin/bash",
            "process_id": "797"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "656"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1972"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "304"
          },
          {
            "name": "C:\\WINDOWS\\system32\\ntvdm.exe",
            "process_id": "1076"
          }
        ],
        "has_memdump": false
      }
    ]
  }
]
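The report format shown above can be reduced to the handful of facts an analyst triages on. The following is an added example, not PhishHunter's own code: it parses a constructed report in the same shape as the sample (field names taken from the sample, the contents invented), summarises verdicts, processes and captured artefacts, and maps the two download outcomes the page describes (report present, or "no reports available") to an analyst action, treating the latter as unknown rather than clean.

```python
import json

# Constructed, abbreviated report in the shape of the sample above; not real
# PhishHunter output. Field names are those the page's sample report uses.
SAMPLE_REPORT = json.dumps([{
    "filename": "invoice.exe",
    "report_data": [{
        "verdicts": ["MALWARE", "TROJAN"],
        "sandbox_name": "Lastline",
        "has_pcap": False, "has_evtx": False, "has_memdump": True,
        "modules_loaded": ["c:\\windows\\system32\\user32.dll"],
        "command_executions": ["C:\\WINDOWS\\system32\\ntvdm.exe -f -i1"],
        "processes_created": ["C:\\WINDOWS\\system32\\ntvdm.exe"],
        "processes_tree": [
            {"name": "C:\\WINDOWS\\system32\\ntvdm.exe", "process_id": "144"},
            {"name": "C:\\WINDOWS\\system32\\ntvdm.exe", "process_id": "272"},
            {"name": "/bin/bash", "process_id": "797"},
        ],
    }],
}])

def summarize_report(raw):
    """Reduce a downloaded .json report to the facts an analyst triages on."""
    rows = []
    for entry in json.loads(raw):
        for data in entry.get("report_data", []):
            tree = data.get("processes_tree", [])
            rows.append({
                "filename": entry.get("filename", "<unnamed>"),
                "sandbox": data.get("sandbox_name"),
                "verdicts": sorted(data.get("verdicts", [])),
                "process_count": len(tree),  # every spawned instance, incl. repeats
                "distinct_processes": sorted({p["name"] for p in tree}),
                "modules_loaded": len(data.get("modules_loaded", [])),
                "commands": list(data.get("command_executions", [])),
                # Artefacts the sandbox did not capture for this run
                "missing_artifacts": [f[4:] for f in ("has_pcap", "has_evtx", "has_memdump")
                                      if not data.get(f)],
            })
    return rows

def triage_status(raw):
    """Map the page's two download outcomes to an analyst action."""
    if raw is None:  # "no reports available": not a known threat, not proven clean
        return "UNKNOWN - manual review"
    if any(r["verdicts"] for r in summarize_report(raw)):
        return "KNOWN THREAT - score 100%"
    return "NO VERDICT - manual review"
```

Pass `None` to `triage_status` when the download button reports no report available, and the raw contents of the downloaded .json file otherwise.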