What You'll Learn
- Extract Indicators of Compromise (IOCs) from phishing email descriptions including URLs, domains, IP addresses, and file hashes
- Analyze suspicious URLs using URLScan.io to identify phishing infrastructure, redirects, and hosted content
- Query file hashes and domains on VirusTotal to determine malicious verdicts and threat intelligence context
- Investigate IP addresses on AbuseIPDB to check abuse history, geolocation, and ISP information
- Build a structured IOC table suitable for blocklist creation and threat intelligence sharing
Lab Overview
| Detail | Value |
|---|---|
| Lab Type | Browser-Only |
| Tools Required | VirusTotal, URLScan.io, AbuseIPDB, Browser |
| Estimated Time | 55–65 minutes |
| Difficulty | Intermediate |
| Pre-Requisites | Labs PH.1–PH.3 |
| Deliverable | IOC extraction table with analysis results from 3 threat intelligence platforms |
From Classification to Investigation. In Lab PH.3, you classified phishing emails. Now you're moving to the next phase: extracting every artifact from a phishing campaign and running it through threat intelligence platforms. This is how SOC analysts turn a single reported email into actionable intelligence — blocklists, detection rules, and threat actor profiles.
The Scenario
A user in your finance department reported a phishing email that slipped past your email gateway. The email claimed to be an overdue invoice from a vendor and contained a link to download a "PDF invoice." Initial triage classified it as phishing. Now you need to extract every IOC, investigate each one, and produce an intelligence report that your security team can use to block the threat across all systems.
The reported phishing email details are provided below. Your job is to extract every artifact, analyze it, and determine the scope of the threat.
The Phishing Email
From: invoicing@globaltrade-payments.com
To: m.johnson@company.com
Subject: OVERDUE: Invoice #GT-2026-8847 — Immediate Payment Required
Date: Mon, 17 Feb 2026 06:33:18 +0000
Return-Path: bounce-handler@vps-mailer-node7.xyz
X-Originating-IP: 193.42.33.107
Body:
Dear Michael,
Your invoice #GT-2026-8847 from Global Trade Partners is now 15 days
overdue. To avoid service disruption, please review and process payment
immediately.
Download Invoice PDF:
hxxps://secure-docs-portal[.]com/invoice/GT-2026-8847.pdf
If you've already submitted payment, please disregard this notice.
Best regards,
Amanda Chen
Accounts Receivable
Global Trade Partners
Phone: +1 (212) 555-0147
Additional intelligence from the email gateway logs:
Attachment: (none — link-based delivery)
Link destination (after redirect): hxxps://cdn-storage-8847[.]com/dl/invoice_GT2026.exe
File downloaded: invoice_GT2026.exe
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5: d41d8cd98f00b204e9800998ecf8427e
File size: 847 KB
Connection after execution: 193.42.33.107:443 (HTTPS callback)
Secondary DNS query: c2-beacon[.]malware-infra[.]net
Part 1: IOC Extraction
Extract every artifact from the email and gateway logs. Organize them by type:
IOC EXTRACTION TABLE
═══════════════════════
Source: Phishing email reported 2026-02-17
| TYPE | IOC | SOURCE |
|---|---|---|
| Email | invoicing@globaltrade-payments.com | From header |
| Email | bounce-handler@vps-mailer-node7.xyz | Return-Path |
| Domain | globaltrade-payments.com | From domain |
| Domain | vps-mailer-node7.xyz | Return-Path domain |
| Domain | secure-docs-portal.com | Phishing link |
| Domain | cdn-storage-8847.com | Redirect destination |
| Domain | c2-beacon.malware-infra.net | DNS callback |
| IP Address | 193.42.33.107 | X-Originating-IP + C2 |
| URL | hxxps://secure-docs-portal.com/invoice/GT-2026-8847.pdf | Phishing link |
| URL | hxxps://cdn-storage-8847.com/dl/invoice_GT2026.exe | Payload URL |
| File Hash | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | SHA256 |
| File Hash | d41d8cd98f00b204e9800998ecf8427e | MD5 |
| File Name | invoice_GT2026.exe | Downloaded payload |
Defang Your IOCs. When documenting IOCs in reports and tickets, always defang them: replace https:// with hxxps:// and add brackets around dots in domains: malware-infra[.]net. This prevents accidental clicks and ensures security tools don't auto-resolve malicious domains from your documentation.
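As an added example (not part of the lab material), the Python below does the Part 1 extraction for you: it refangs the email and gateway lines, pulls out each IOC type in a fixed order so the domain regex does not re-match hosts already captured from URLs and addresses, and defangs every value for the report. The SAMPLE dict is constructed from the lab text; the regexes are a practical starting point, not an exhaustive IOC grammar.

```python
import re
from urllib.parse import urlsplit

# Constructed input: header, body and gateway-log lines from this lab, keyed by the
# SOURCE column of the IOC table (values copied from the lab text).
SAMPLE = {
    "From header": "From: invoicing@globaltrade-payments.com",
    "Return-Path": "Return-Path: bounce-handler@vps-mailer-node7.xyz",
    "X-Originating-IP": "X-Originating-IP: 193.42.33.107",
    "Phishing link": "hxxps://secure-docs-portal[.]com/invoice/GT-2026-8847.pdf",
    "Redirect destination": "hxxps://cdn-storage-8847[.]com/dl/invoice_GT2026.exe",
    "Downloaded payload": "File downloaded: invoice_GT2026.exe",
    "SHA256": "SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "MD5": "MD5: d41d8cd98f00b204e9800998ecf8427e",
    "DNS callback": "Secondary DNS query: c2-beacon[.]malware-infra[.]net",
}
# Order matters: each match is blanked out before the next pattern runs, so Domain never re-matches a URL or e-mail host.
PATTERNS = [
    ("URL", r"https?://[^\s'\"<>]+"),
    ("Email", r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    ("File Name", r"\b[\w-]+\.(?:exe|dll|scr|js|pdf|docx?|xlsx?)\b"),
    ("IP Address", r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    ("File Hash", r"\b[0-9a-f]{64}\b|\b[0-9a-f]{32}\b"),
    ("Domain", r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
]

def refang(text):
    """Undo hxxp / [.] / [:] defanging so one regex set handles both forms."""
    return re.sub("hxxp", "http", text, flags=re.I).replace("[.]", ".").replace("[:]", ":")

def defang(ioc):
    """Report-safe form the lab requires: hxxps:// scheme and bracketed dots."""
    return re.sub("^http", "hxxp", ioc, flags=re.I).replace(".", "[.]")

def extract_iocs(sources):
    """Return (type, ioc, source) tuples, refanged and deduplicated, in a stable order."""
    found = {}                                  # (type, lowercased value) -> (value, source)
    for source, line in sources.items():
        text = refang(line)
        for ioc_type, pattern in PATTERNS:
            for value in re.findall(pattern, text, flags=re.I):
                found.setdefault((ioc_type, value.lower()), (value, source))
                if ioc_type == "URL":           # a URL also contributes its host as a Domain
                    host = urlsplit(value).hostname
                    found.setdefault(("Domain", host), (host, source))
                elif ioc_type == "Email":       # an address contributes its mail domain
                    dom = value.split("@")[1]
                    found.setdefault(("Domain", dom.lower()), (dom, source))
            text = re.sub(pattern, " ", text, flags=re.I)   # consume before the next type
    return [(t, v, s) for (t, _), (v, s) in found.items()]
```

Running `extract_iocs(SAMPLE)` yields the lab's 13 IOCs; print each row through `defang()` before pasting it into a ticket. One data caveat for Part 3: the SHA256 and MD5 values given in the lab are the well-known digests of an empty input, so a live VirusTotal lookup of them returns a 0-byte file rather than an 847 KB executable.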
Part 2: URL Analysis with URLScan.io
Navigate to URLScan.io and search for the phishing domains.
Exercise 2A: Search for the Phishing Domain
In URLScan.io's search bar, enter: secure-docs-portal.com
Document the following (if results exist from prior scans):
- When was the domain first seen?
- What country does it resolve to?
- What web technologies does the hosting page use?
- Is there a screenshot of the phishing page?
- Does the page contain a login form or file download prompt?
Exercise 2B: Investigate the Payload Domain
Search for: cdn-storage-8847.com
Document:
- Does this domain host other suspicious content?
- Is the domain registered recently? (Check WHOIS via URLScan or MXToolbox)
- What is the SSL certificate issuer? (Let's Encrypt on suspicious domains is common for phishing)
Exercise 2C: Check the C2 Domain
Search for: c2-beacon.malware-infra.net
Document:
- Is this domain flagged as malicious?
- What IP does it resolve to?
- Are there any related domains in the same infrastructure?
URLSCAN.IO ANALYSIS RESULTS
════════════════════════════
Domain: secure-docs-portal.com
First Seen: [date]
IP Resolution: [IP address]
Country: [country]
Technologies: [list]
Page Content: [description of what's hosted]
Verdict: [Malicious / Suspicious / Clean]
Domain: cdn-storage-8847.com
First Seen: [date]
IP Resolution: [IP address]
Hosting: [provider]
SSL Issuer: [CA name]
Verdict: [Malicious / Suspicious / Clean]
Domain: c2-beacon.malware-infra.net
First Seen: [date]
Related Domains: [list]
Verdict: [Malicious / Suspicious / Clean]
Part 3: Hash & Domain Analysis with VirusTotal
Navigate to VirusTotal and analyze the file hash and domains.
Exercise 3A: Check the File Hash
Go to the Search tab and enter the SHA256 hash:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Document:
- How many AV engines detect this file as malicious?
- What is the detection name (if any)?
- What file type is identified?
- Are there any behavioral analysis results (sandboxing)?
- What network connections does the file make?
Exercise 3B: Check the Sending Domain
Enter: globaltrade-payments.com
Document:
- Detection ratio (X/Y engines)
- Domain registration date
- Associated IP addresses
- Any community comments or votes
Exercise 3C: Check the C2 IP Address
Enter: 193.42.33.107
Document:
- Detection ratio
- Geolocation and ASN
- Associated domains (passive DNS)
- Any related malware samples that communicate with this IP
VIRUSTOTAL ANALYSIS RESULTS
════════════════════════════
SHA256: e3b0c44298fc1c14...
Detection: [X]/[Y] engines
File Type: [type]
First Seen: [date]
Names: [detection names from top 3 AV engines]
Behavior: [key findings from sandbox]
Domain: globaltrade-payments.com
Detection: [X]/[Y] engines
Registrar: [registrar name]
Created: [date]
DNS: [IP addresses]
IP: 193.42.33.107
Detection: [X]/[Y] engines
ASN: [AS number and name]
Country: [country]
Passive DNS: [associated domains]
Part 4: IP Reputation with AbuseIPDB
Navigate to AbuseIPDB and check the IP address.
Exercise 4A: Check 193.42.33.107
Enter the IP and document:
- Abuse confidence score (0-100%)
- Number of reports
- Most recent report date
- Categories of abuse (spam, phishing, brute force, etc.)
- ISP and country
- Is the IP on any public blocklists?
ABUSEIPDB ANALYSIS
══════════════════
IP: 193.42.33.107
Confidence Score: [X]%
Total Reports: [count]
Last Reported: [date]
Categories: [list]
ISP: [name]
Country: [country]
Blocklist Status: [Listed / Not Listed]
Cross-Reference Your Sources. No single threat intelligence platform is 100% accurate. VirusTotal may show zero detections for a brand-new malware sample. URLScan might not have scanned a domain yet. AbuseIPDB relies on community reports. Always check at least 2-3 sources before making a confidence determination. Conflicting results should lower your confidence, not be ignored.
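To make the cross-referencing rule concrete, here is an added example (not from the lab) that normalises each platform's answer into one vocabulary and combines them the way the callout describes: a platform with no data is treated as unknown rather than clean, fewer than two answering platforms is insufficient, and disagreement lowers confidence instead of being ignored. The numeric thresholds and the IP_RESULTS sample are this example's own assumptions, not platform or lab values.

```python
# Verdict vocabulary shared by all platforms: "malicious" | "suspicious" | "clean" | None.
# None means the platform has no data (never scanned, no reports): NOT a clean verdict.
# Thresholds below are assumptions chosen for this example, not an industry standard.
def vt_verdict(malicious, total):
    """VirusTotal detection ratio -> verdict; a brand-new sample may legitimately show 0/N."""
    if total == 0:
        return None
    return "malicious" if malicious >= 5 else "suspicious" if malicious >= 1 else "clean"

def abuseipdb_verdict(confidence):
    """AbuseIPDB abuse confidence score (0-100) -> verdict; None if never reported."""
    if confidence is None:
        return None
    return "malicious" if confidence >= 75 else "suspicious" if confidence >= 25 else "clean"

def urlscan_verdict(label):
    """URLScan verdict label as recorded in the lab template, lower-cased; None if no scan."""
    return None if label is None else label.lower()

def cross_reference(verdicts):
    """Combine per-platform verdicts into (confidence, reason)."""
    answered = {p: v for p, v in verdicts.items() if v is not None}
    if len(answered) < 2:
        return "insufficient", f"only {len(answered)} of {len(verdicts)} platforms had data"
    flagged = sorted(p for p, v in answered.items() if v in ("malicious", "suspicious"))
    clean = sorted(p for p, v in answered.items() if v == "clean")
    if flagged and clean:   # conflicting results lower confidence; they are not discarded
        return "medium", f"conflict: {flagged} flagged, {clean} clean"
    if flagged:
        return "high", f"{len(flagged)}/{len(answered)} platforms flagged, none disagree"
    return "low", "all platforms clean; re-check later, new infrastructure is often unscanned"

# Constructed sample results for the lab's C2 IP (invented numbers, not real platform output).
IP_RESULTS = {
    "VirusTotal": vt_verdict(malicious=9, total=94),
    "AbuseIPDB": abuseipdb_verdict(92),
    "URLScan": urlscan_verdict(None),   # no scan covers this IP yet -> unknown, not clean
}
```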
Part 5: Build the Intelligence Report
Compile all findings into a structured threat intelligence report:
PHISHING INCIDENT — IOC ANALYSIS REPORT
════════════════════════════════════════
Incident ID: PHISH-2026-0217-001
Report Date: [Today's Date]
Analyst: [Your Name]
Classification: Phishing with malware payload delivery
EXECUTIVE SUMMARY
──────────────────
A phishing email targeting finance personnel delivered a malicious
executable disguised as a PDF invoice. The attack chain: spoofed
vendor email → phishing link → redirect → executable download →
C2 callback. [X] IOCs extracted across [Y] infrastructure nodes.
IOC TABLE (For Blocklist Import)
─────────────────────────────────
| Type | IOC | Action | Platform Result |
|---|---|---|---|
| Domain | globaltrade-payments.com | Block (DNS) | VT: [X/Y] |
| Domain | secure-docs-portal.com | Block (DNS) | URLScan: [verdict] |
| Domain | cdn-storage-8847.com | Block (DNS) | URLScan: [verdict] |
| Domain | c2-beacon.malware-infra.net | Block (DNS) | VT: [X/Y] |
| IP | 193.42.33.107 | Block (FW) | AbuseIPDB: [X]% |
| Hash | e3b0c44298fc1c14... | Block (EDR) | VT: [X/Y] |
| URL | hxxps://secure-docs-portal... | Block (Proxy) | URLScan: [verdict] |
| Email | invoicing@globaltrade-payments.. | Block (Email) | — |
ATTACK CHAIN
─────────────
1. Phishing email → 2. Link click → 3. Redirect to payload host →
4. .exe download → 5. Execution → 6. C2 callback to 193.42.33.107
RECOMMENDATIONS
────────────────
1. [Your recommendation for immediate blocking]
2. [Your recommendation for mailbox sweep]
3. [Your recommendation for endpoint scan]
4. [Your recommendation for monitoring]
Deliverable Checklist
Before completing the lab, ensure you have:
- IOC Extraction Table — All 13 IOCs extracted and categorized by type
- URLScan.io Results — 3 domains analyzed with screenshots, verdicts, and hosting details
- VirusTotal Results — File hash, domain, and IP analyzed with detection ratios
- AbuseIPDB Results — IP reputation checked with confidence score and abuse categories
- Intelligence Report — Complete report with blocklist-ready IOC table and attack chain
Key Takeaways
- IOC extraction is systematic — work through every field of the email, gateway logs, and network telemetry
- Always defang IOCs in documentation (hxxps://, domain[.]com) to prevent accidental resolution
- Cross-reference at least 2-3 threat intelligence sources — no single platform has complete coverage
- Newly registered domains with Let's Encrypt certificates hosting login pages are a strong phishing signal
- The final IOC report should be blocklist-ready — every indicator with a specific blocking action and platform
What's Next
In Lab PH.5 — Phishing Response, you'll use Wazuh to investigate a live phishing incident. Instead of analyzing email artifacts in isolation, you'll search SIEM alerts for the downstream effects: process execution from email attachments, network callbacks to C2 infrastructure, and lateral movement from compromised accounts.
Lab Challenge: Artifact Extraction & IOC Analysis
10 questions · 70% to pass
How many distinct IOC types can be extracted from the phishing email and gateway logs provided in this lab?
Why is the Return-Path domain (vps-mailer-node7.xyz) different from the From domain (globaltrade-payments.com), and what does this indicate?
The phishing link points to secure-docs-portal.com but redirects to cdn-storage-8847.com. Why do attackers use this redirect technique?
The downloaded file is named 'invoice_GT2026.exe' but was linked as a '.pdf'. What technique is being used?
When checking a file hash on VirusTotal, you see 0/72 detections. Does this mean the file is safe?
On AbuseIPDB, an IP has an abuse confidence score of 92% with 347 reports. What does this tell you about the infrastructure?
What does 'defanging' an IOC mean, and why is it important in reports?
The attack chain in this lab is: email → link → redirect → exe download → C2 callback. At which point would a web proxy block be MOST effective?
You find that the domain 'globaltrade-payments.com' was registered 3 days before the phishing email was sent. What does this suggest?
After completing your IOC analysis, what should be the FIRST action your SOC team takes?