
Deep email forensic analysis

This was from a forgotten draft!

This weekend (Feb/2016) I got a very interesting email with an attached file.


My first impression was that it was malicious (malware, embedded code, VBScript, etc.), but checking it against VirusTotal I got confirmation that it was okay. However, it seems to be a new version of a scam campaign, like the letters from Nigeria.

Despite having “Okay” as feedback from VirusTotal, I made a simple analysis that may help others understand reverse engineering and forensic analysis. I don’t work in either of those areas, but I have been facing a lot of challenges like this one.

Email Header
Received: by with SMTP id ti4csp2153032oec;
        Tue, 9 Feb 2016 05:46:03 -0800 (PST)
X-Received: by with SMTP id h144mr3251984oib.136.1455025563587;
        Tue, 09 Feb 2016 05:46:03 -0800 (PST)
Return-Path: <>
Received: from ( [])
        by with ESMTPS id wy7si20890200obc.54.2016.
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 09 Feb 2016 05:46:03 -0800 (PST)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
       spf=pass ( domain of designates as permitted sender);
       dmarc=pass (p=NONE dis=NONE)
Received: from SNT146-W22 ([]) by over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
	 Tue, 9 Feb 2016 05:45:32 -0800
X-TMN: [IoK3XHWdLeP8J0n6VjjEzoTZ8Do54HftEU0qKgLxfow=]
X-Originating-Email: []
Message-ID: <SNT146-W22B6ABD8556614F0D479F79ED60@phx.gbl>
Content-Type: multipart/mixed;
Subject: snt
Date: Tue, 9 Feb 2016 13:45:32 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 09 Feb 2016 13:45:32.0831 (UTC) FILETIME=[257AB2F0:01D16340]

A long time ago I wrote a detailed email header analysis in Portuguese. I will write a new one in English as soon as I can.

Back to the email. Two things in that email header got my attention:

X-TMN: [IoK3XHWdLeP8J0n6VjjEzoTZ8Do54HftEU0qKgLxfow=]
Message-ID: <SNT146-W22B6ABD8556614F0D479F79ED60@phx.gbl>

According to RFC 2822, the Message-ID field has the following meaning:

“The “Message-ID:” field provides a unique message identifier that refers to a particular version of a particular message. The uniqueness of the message identifier is guaranteed by the host that generates it.”

It says that it is possible to identify the host that was responsible for generating that message. So, who the heck is ‘phx.gbl’?

DuckDucking around I found that:

“phx.gbl” derives from Microsoft’s operational incompetence w.r.t. The Internet, in that it is an invalid domain name that Hotmail (and some other functions of appears to be using both in E-mail message-ID headers, and in Domain Name System “PTR” (address to name mapping) records, contrary to relevant Internet protocol standards and best current practices (BCP).

Alright! It comes from Microsoft servers.


I tried different methods to decode the content of the X-TMN field, since it looks like base64-encoded data, but with no success. The probable reason is that it is an opaque tracking token.

Again, it is just Microsoft being Microsoft ;)
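A quick way to confirm that a base64 field like X-TMN is not worth further decoding is to profile the decoded bytes: their length, how many are printable, and their entropy. This is an added example, not code from the original post; the X_TMN value is the one from the header above, and the thresholds in the verdicts are my own rules of thumb.

```python
import base64
import math
import string

# Value taken from the post's own email header.
X_TMN = "IoK3XHWdLeP8J0n6VjjEzoTZ8Do54HftEU0qKgLxfow="

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (empirical byte distribution)."""
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def profile_token(b64: str) -> dict:
    """Decode a base64 token and describe what kind of payload it plausibly is."""
    raw = base64.b64decode(b64, validate=True)
    printable = sum(chr(b) in string.printable for b in raw) / len(raw)
    entropy = shannon_entropy(raw)
    # With only n bytes the entropy cannot exceed log2(n), so judge against that bound.
    max_entropy = math.log2(len(raw))
    if printable == 1.0:
        verdict = "printable text: decoding succeeded, read it as-is"
    elif entropy > 0.9 * max_entropy:
        verdict = ("opaque high-entropy blob: likely a hash, MAC or ciphertext; "
                   "nothing more can be recovered offline")
    else:
        verdict = "structured binary: hand it to a file-type identifier such as `file`"
    return {"length": len(raw), "printable_ratio": printable,
            "entropy_bits": entropy, "max_entropy_bits": max_entropy,
            "verdict": verdict}

if __name__ == "__main__":
    for key, value in profile_token(X_TMN).items():
        print(f"{key:>17}: {value:.3f}" if isinstance(value, float) else f"{key:>17}: {value}")
```

For the header's X-TMN value this reports 32 bytes, fewer than half of them printable, with entropy close to the 5-bit maximum for 32 bytes: a fixed-size opaque token, which is why none of the decoding attempts produced anything readable.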

The RTF file content is full of XML tags, but I saw some sets of ASCII characters (probably images) embedded in it.

Let's see the first set of ASCII/decimal lines.

********** First set of chars ***

Dumping the content of X1.rtf from line 108 to line 205.

$ sed -n '108,205p' X1.rtf  > lines_108_205.txt

Remove the following chars:


Python code to convert the hex dump into whatever the data turns out to be:

import binascii

# Each line of lines_108_205.txt holds the hex digits of the embedded object (RTF control words already removed).
with open('lines_108_205.txt') as mal, open('lines_108_205.decoded', 'wb') as out:
    for line in mal:
        out.write(binascii.unhexlify(line.strip()))

$ file lines_108_205.decoded 
lines_108_205.decoded: PNG image data, 112 x 61, 8-bit/color RGB, non-interlaced

Some information about that PNG file:

 [kaiorafael@~: maloware $] pnginfo lines_108_205.decoded
 Image Width: 112 Image Length: 61
 Bitdepth (Bits/Sample): 8
 Channels (Samples/Pixel): 3
 Pixel depth (Pixel Depth): 24
 Colour Type (Photometric Interpretation): RGB
 Image filter: Single row per byte filter
 Interlacing: No interlacing
 Compression Scheme: Deflate method 8, 32k window
 Resolution: 3803, 3813 (pixels per meter)
 FillOrder: msb-to-lsb
 Byte Order: Network (Big Endian)
 Number of text strings: 0 of 0

********** Second set of chars ***

$ sed -n '207,854p' X1.rtf > lines_207_854.txt

Remove additional chars:

}}}{\rtlch\fcs1 \af38\afs20 \ltrch\fcs0 \b\f38\fs18\cf25\insrsid16082227\charrsid15009113


$ python
It generated a WMF file (what the heck is that?).

$ file lines_207_854.decoded 
lines_207_854.decoded: ms-windows metafont .wmf

This is again the BWM image; the first one is lines_108_205.decoded.

********** Third set of chars ***

$ python
$ file lines_911_7301.decoded 
lines_911_7301.decoded: ms-windows metafont .wmf


********** Fourth set of chars ***

$ python
$ file lines_7309_7356.decoded 
lines_7309_7356.decoded: Microsoft OOXML

OOXML is a zip file! Let's dig into it!

$ cp lines_7309_7356.decoded

Let's see it in a separate folder:

$ mkdir foome
$ cd foome/
$ unzip 
  inflating: [Content_Types].xml     
  inflating: _rels/.rels             
  inflating: theme/theme/themeManager.xml  
  inflating: theme/theme/theme1.xml  
  inflating: theme/theme/_rels/themeManager.xml.rels

********** Fifth set of chars ***

$ python
$ file lines_7357_7360.decoded 
lines_7357_7360.decoded: XML document text

********** Last set of chars ***

$ python
$ file lines_7393_end.decoded 
lines_7393_end.decoded: locale data table
$ strings lines_7393_end.decoded
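The manual procedure above (cut a line range with sed, strip the RTF control words, unhexlify, then run `file`) generalizes to a small carver that finds every hex run inside \pict and \objdata groups and identifies it by magic bytes. This is an added example, not the post's script or its X1.rtf: SAMPLE_RTF is a constructed fragment with shortened object headers, and MAGICS covers the formats the post ran into plus plain XML.

```python
import re
import binascii

# Constructed RTF fragment (not the post's X1.rtf): hex-encoded objects inside
# \pict and \objdata groups, surrounded by control words, as the post describes.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\*\shppict{\pict\pngblip\picw112\pich61
89504e470d0a1a0a0000000d49484452 00000070 0000003d 0806000000 }}
{\object\objemb\objw2000\objh1000{\*\objdata
d7cdc69a 00000000 00000000 30002000 e8030000 }}
{\*\objdata 504b030414000000080000 }
}"""

# Magic bytes for the formats the post ran into, plus plain XML.
MAGICS = [(b"\x89PNG\r\n\x1a\n", "PNG image"),
          (b"\xd7\xcd\xc6\x9a", "WMF (placeable header)"),
          (b"\x01\x00\x09\x00", "WMF"), (b"\x02\x00\x09\x00", "WMF"),
          (b"PK\x03\x04", "ZIP / OOXML"), (b"<?xml", "XML")]
# Control words (\picw112 ), control symbols (\*), braces and whitespace are not payload.
NOISE = re.compile(r"\\[a-zA-Z]+-?\d*\s?|\\.|[{}]|\s")

def group_bodies(rtf, keyword):
    """Yield the text after each `keyword` up to the '}' that closes its RTF group."""
    for m in re.finditer(re.escape(keyword) + r"(?![a-zA-Z])", rtf):
        depth = 0
        for i in range(m.end(), len(rtf)):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                if depth == 0:
                    yield rtf[m.end():i]
                    break
                depth -= 1

def hex_payload(body):
    """Strip RTF noise and decode what is left; None unless it is clean hex."""
    hexdata = NOISE.sub("", body)
    if not hexdata or len(hexdata) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexdata):
        return None
    return binascii.unhexlify(hexdata)

def identify(blob):
    """Name the format by leading magic bytes, like `file` does for the decoded dumps."""
    return next((name for magic, name in MAGICS if blob.startswith(magic)), "unknown")

def carve(rtf):
    """(keyword, file type, size) for every hex-encoded object, per keyword in document order."""
    return [(kw, identify(blob), len(blob))
            for kw in (r"\pict", r"\objdata")
            for blob in map(hex_payload, group_bodies(rtf, kw)) if blob]
```

On the constructed fragment, carve(SAMPLE_RTF) reports a 29-byte PNG, a 20-byte placeable WMF and an 11-byte ZIP/OOXML header; writing each blob to its own file and running `file` on it reproduces the post's per-set checks in one pass.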

********** Final words! ***

After reading this post from Fortinet, I wish I had more time and knowledge to dig deeper into this file:


You can download all files mentioned in this post here!

