Automated Analysis of Email Attachments Using Cuckoo Sandbox

Abstract

The landscape of cyber threats and their potential to impact information systems are growing rapidly. With the increase in the use of electronic mail (email) as a source of information sharing, intrusions through malware attachments and other malicious activities have exponentially increased the risks associated with information systems. Malicious email attachments are an increasingly dangerous threat to an organisation’s internal and corporate security infrastructure. Automated malware sandboxing infrastructures with correctly implemented security policies capable of mitigating threats from email channels are needed to rank, evaluate, and score file attachments to create practical cybersecurity solutions that detect and prevent breaches. This research primarily discusses the design and implementation of a malware sandbox that automatically analyses email attachments, performs static analysis to understand their non-runtime behaviour and dynamic analysis to analyse their runtime behaviour, and presents a risk score to categorise each attachment as potentially malicious or clean. We assume the file samples have been extracted from the emails and are located in a local server directory accessible by the sandbox. An automated job interacts with this directory and automatically submits the attachments to the sandbox, updates the SQL database, and outputs the result to a web interface. Furthermore, the research showcases the post-implementation capabilities of the sandbox through an analysis of 30 file samples and then automatically running these files to validate the effectiveness and accuracy of the sandbox.

Copyright owned by the Saudi Digital Library (SDL) © 2025