Phishing Emails 1
-
Read the above and launch the attached VM.
No Answer
-
Email dates back to what time frame?
Reread the text if you don't get it!
Answer : 1970s
-
What port is classified as Secure Transport for SMTP?
Answer : 465
-
What port is classified as Secure Transport for IMAP?
Answer : 993
-
What port is classified as Secure Transport for POP3?
Answer : 995
-
What email header is the same as "Reply-to"?
Answer : Return-Path
-
Once you find the email sender's IP address, where can you retrieve more information about the IP?
Answer : http://www.arin.net
-
In the above screenshots, what is the URI of the blocked image?
Answer : https://i.imgur.com/LSOtDI.png
-
In the above screenshots, what is the name of the PDF attachment?
Answer : Payment-updateid.pdf
-
In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?
Remove the unwanted parts of email2.txt, then open a terminal and run:
ubuntu@ip-10-10-45-176:~/Desktop/Email Samples$ base64 -d test.txt > test.pdf
Answer : THM{BENIGN_PDF_ATTACHMENT}
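The same reconstruction without hand-trimming the file, as an added example that is not part of the original walkthrough: Python's email parser locates the attachment part and decodes its base64 body, and the magic bytes are checked before the result is treated as a PDF. The sample message, its addresses and the name sample.pdf are constructed for illustration and are not the room's email2.txt.

```python
import base64
from email import message_from_string
from email.policy import default

# Constructed sample: a tiny stand-in for a PDF, not the room's attachment.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample body\n%%EOF\n"
SAMPLE_EML = (
    "From: sender@example.com\n"
    "To: analyst@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\n'
    "\n"
    "--BOUND\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attachment.\n"
    "--BOUND\n"
    'Content-Type: application/pdf; name="sample.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="sample.pdf"\n'
    "\n"
    + base64.encodebytes(SAMPLE_PDF).decode()
    + "--BOUND--\n"
)


def extract_attachments(raw_email):
    """Return [(filename, data, looks_like_pdf)] for each attachment part."""
    msg = message_from_string(raw_email, policy=default)
    found = []
    for part in msg.iter_attachments():
        # decode=True undoes the Content-Transfer-Encoding (base64 here).
        data = part.get_payload(decode=True)
        name = part.get_filename() or "unnamed.bin"
        # Check the magic bytes rather than trusting the declared name or type.
        found.append((name, data, data.startswith(b"%PDF-")))
    return found


if __name__ == "__main__":
    for name, data, is_pdf in extract_attachments(SAMPLE_EML):
        print(f"{name}: {len(data)} bytes, PDF magic present: {is_pdf}")
        # In the analysis VM, write `data` to disk here and open it in a viewer.
```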
The next 4 questions are an analysis of email3.eml:
-
What trusted entity is this email masquerading as?
Check point 1 of the screenshot.
Answer : Home Depot
-
What is the sender's email?
Check point 2 of the screenshot.
Answer : [email protected]
-
What is the subject line?
Check point 3 of the screenshot.
Answer : Order Placed : Your Order ID OD2321657089291 Placed Successfully
-
What is the URL link for - CLICK HERE? (Enter the defanged URL)
To get the URL, right-click the "click here" hyperlink and choose "save link". Paste the link into CyberChef to get the defanged URL:
Answer : hxxp[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFVTVEchwFHlUFOo6lVTTDcATE7oUE7AUFo==
-
What is BEC?
Answer : Business Email Compromise