How do I safely inspect a suspicious email attachment?
It could also be:
3. HTML page with JavaScript code attempting exploit a vulnerability in your browser.
4. HTML page with an embedded Java applet attempting to exploit a vulnerability in the JVM
5. HTML page with an embedded Flash file attempting to exploit a vulnerability in Flash Player
6. The email itself, before you open the attachment could try to exploit a vulnerability in your email client
There might be other possibilities.
For this purpose, I have the following setup:
Virtual Machine using VirtualBox. No network access.
I have a snapshot saved for the VM after a fresh OS install.
I also take two snapshots with What Changed? and TrackWinstall.
I copy files only in the direction Host -> VM, using a free ISO creator.
I create the
.iso
file and mount it. Then I can have all the fun I want on the VM itself.I usually run the malware and study memory usage, CPU load, listening ports, networking attempts.
I check the changes to the OS using What Changed? and TrackWinstall.
Finally I restore to the fresh snapshot.
The reason I have the whole setup is because I like to run the malware and see what it's trying to do.
Update:
I was talking to a colleague who performs malware analysis as a hobby and he told me about his setup, it might be different that what you might want for an occasional .html
attachment check.
Old PC with a fresh OS install.
After installing the needed tools he takes a full-disk image using Clonezilla Live.
What Changed for snapshots comparisons.
The PC is connected to the Internet through a separate network.
Whenever he finishes working on a sample, he reboots with Clonezilla and restores the full-disk image.
In Gmail, click on the button with the little triangle on the bar above the message, on the right. In the menu that pops up, select "Show Original". Now gmail shows you the raw message with all the headers, in another browser window. The attachment is in the message body, MIME-encoded into harmless text. You can cut and paste the MIME material and decode it with some MIME utilities (e.g. munpack on Linux or Cygwin).
The simplest approach would be to use direct HTTP access to save the file and open it in Notepad to examine the contents. The file can't magically run itself if you treat it directly as data and you should be able to examine the contents. The key is to make sure you do not access it with anything which could automatically run something for you.
To be a little more thorough, you could use a VM to actually let it go and see what it does, but for simple checking, treating it as a data file and accessing it with data analysis tools should be safe.
There is a very slim chance of issues if they happen to be targeting a VM vulnerability, but the chances of your particular questionable file rapidly identifying and targeting a suitable VM vulnerability to break sandbox are pretty close to nil unless you are being specifically targeted and even then it's probably a low likelihood.
If you've already opened the e-mail and just not the attachment, then you could simply save the attachment. If you are nervous about actually opening the e-mail, something like Lynx could probably be used.