Automating complex threat analysis with Splunk Attack Analyzer

Email Analyzer

The Email Analyzer examines suspicious emails to gather context and assess threat potential. It does this by:

• Analyzing email headers and sender information to detect suspicious origins or spoofing attempts
• Inspecting attachment metadata, including file types and properties
• Extracting activation codes and passwords required to progress through the attack chain
• Assigning a threat score reflecting the likelihood of malicious content

The Analyzer looks at message metadata just as a human analyst would, extracting relevant text for you to explore. It also identifies suspicious senders and attachments, flagging them for further analysis.

You can scroll further down to see the email itself. In the example below, this email contains an activation code and a PDF. Traditional analysis tools would typically not recognize any obvious malicious signatures, but the threat score that Splunk Attack Analyzer has assigned to this reflects potential risk to help prioritize investigation.

Static Doc Analysis

You can use Static Doc Analysis to dig deeper into documents associated with the job, even those that might be obfuscated or password-protected. Splunk Attack Analyzer analyzes documents by:

• Decrypting password-protected PDFs using access codes found in the email or extracted via OCR
• Extracting embedded QR codes and other hidden elements within documents
• Using Optical Character Recognition (OCR) to read text and images inside the document, capturing information that traditional scanners might miss
• Leveraging the malware threat reversing agent to break down suspicious scripts in seconds

You can explore all of the signatures and metadata associated with the document, or scroll down to see a preview of the fully decrypted document. In the example below, the PDF attachment was password protected; however, Splunk Attack Analyzer used the password found in the email to decrypt it. OCR then extracted a QR code embedded in the PDF, which is critical because QR codes can redirect users to malicious sites. The decrypted document itself appears benign superficially, but the embedded QR code is a key threat vector.

When a static doc has been analyzed, the malware threat reversing agent leverages AI analysis to break down malicious scripts contained within the document. In the screenshot below, the Summary tab shows an example of a technical breakdown of scripts and payloads, with snippets of relevant code to review.

The MITRE ATT&CK TTPs tab links you straight to relevant TTPs, and the IOCs and Recommendations tab provides full details on indicators of compromise (IOCs) such as hashes, domains, IP addresses, and suspicious processes, as well as suggested next steps for you to follow.

Web Analyzer

The Web Analyzer inspects web pages linked from suspicious emails or QR codes for malicious content, providing a comprehensive view of the web-based attack components that traditional tools might miss. It does this by:

• Scanning QR codes extracted from documents to reveal embedded URLs
• Analyzing these URLs for obfuscation techniques such as blurred images or base64 encoding
• Unblurring images that attackers use to hide malicious content
• Checking URLs against threat intelligence sources, primarily Cisco Talos, but also others like Google URL
• Inspecting web forms for credential harvesting or other malicious behaviors
• Detecting phishing kits, malicious login pages, and other indicators of compromise

For any web resource analyzed, you can explore all of the detected signatures in detail before scrolling down to Screenshots to see the web content in context. In the example below, the QR code leads to URLs that were initially blurred to evade detection. Splunk Attack Analyzer unblurred the login pages and identified that they lead to fake Microsoft login pages that are part of known phishing kits, indicating attempted credential theft.

Static File Analysis

Static File Analysis is used to safely download and analyze the final executable payloads, such as malware binaries, after overcoming obfuscation layers. It does this by:

• Unzipping compressed payloads to access executable files
• Detecting malware families, behaviors, and indicators such as process injection, persistence mechanisms, and data harvesting

In the example below, the executable has been identified as probably malicious.

Sandboxing

Splunk Attack Analyzer contains a number of sandbox environments, enhanced with YARA rules and ClamAV antivirus scanning, to detect malicious signatures in payloads.

In the example below, after decrypting and unpacking, the payload was identified as Agent Tesla XOR malware. The sandbox detected behaviors like creating hidden processes, injecting code, and attempting to remove evidence. The accompanying analysis provides detailed metadata about the executable and its actions. This stage confirms the malicious nature of the payload and provides actionable intelligence for response.