
# The Greenholt Phish

*"A Sales Executive at Greenholt PLC received an email that he didn't expect to receive from a customer. He claims that the customer never uses generic greetings such as "Good day" and didn't expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation. **Investigate the email sample to determine if it is legitimate**."*

***What is the email's timestamp? (answer format: mm/dd/yyyy hh:mm)***

<figure><img src="/files/TiZ1J3CJJkNH9Jq5fIQY" alt=""><figcaption><p>06/10/2020 05:58</p></figcaption></figure>

***Who is the email from?***

Mr. James Jackson

***What is his email address?***

<info@mutawamarine.com>

***What email address will receive a reply to this email?***

<figure><img src="/files/21xsaetwNBRdPWNMgPlz" alt=""><figcaption><p>info.mutawamarine@mail.com</p></figcaption></figure>

***What is the Originating IP?***

<figure><img src="/files/gjTKhiH73FUM4tyE2Ica" alt=""><figcaption><p>192.119.71.157</p></figcaption></figure>

***Who is the owner of the Originating IP? (Do not include the "." in your answer.)***

<figure><img src="/files/K0de3RFHALso9FdngIRj" alt=""><figcaption><p>HostWinds LLC</p></figcaption></figure>

***What is the SPF record for the Return-Path domain?***

<figure><img src="/files/Qurdm7LebiaDW5sg2LMv" alt=""><figcaption><p>v=spf1 include:spf.protection.outlook.com -all</p></figcaption></figure>

***What is the DMARC record for the Return-Path domain?***

<figure><img src="/files/QmMHVljGuZqazp8yaaa6" alt=""><figcaption><p>v=DMARC1; p=quarantine; fo=1</p></figcaption></figure>

***What is the name of the attachment?***

<figure><img src="/files/1yF56EwRr0btP0nbGlqr" alt=""><figcaption><p>SWT_#09674321____PDF__.CAB</p></figcaption></figure>

***What is the SHA256 hash of the file attachment?***

<figure><img src="/files/HPfWJvgI9pJpQqkA1dap" alt=""><figcaption><p>2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f</p></figcaption></figure>

***What is the attachment's file size? (Don't forget to add "KB" to your answer, NUM KB)***

<figure><img src="/files/t9nyrebrhmw6x053f2lD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/G6MHCn2MEP8Dq0FGmuQ1" alt=""><figcaption><p>400.26 KB</p></figcaption></figure>

***What is the actual file extension of the attachment?***

rar
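The checks walked through above (timestamp, sender, Reply-To, originating IP, Return-Path domain, attachment hash, size, and the real file type behind the `.CAB` name) are the same ones a SOC analyst repeats on every forwarded sample. The script below automates that triage on an `.eml` file. It is an added example, not part of this writeup or of the room; the sample message it builds is constructed (placeholder addresses, a 1 KB RAR header with a `.CAB` filename), the magic-byte table is an assumed subset, and the DMARC parser only splits the record text, it does no DNS lookups.

```python
"""Triage helper for a suspicious .eml: pull the headers a SOC analyst checks
first, then inspect the attachment's real type instead of trusting its name."""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# File signatures ("magic bytes") for common phishing attachment types.
# Assumed subset for this example; extend as needed.
MAGIC = [
    (b"Rar!\x1a\x07", "rar"),      # RAR v4 (...\x00) and v5 (...\x01\x00)
    (b"PK\x03\x04", "zip"),        # ZIP, also docx/xlsx containers
    (b"MSCF", "cab"),              # a genuine Microsoft Cabinet file
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy Office (doc/xls) OLE2 container
    (b"MZ", "exe"),                # PE executable
]


def sniff_extension(data: bytes) -> str:
    """Return the extension implied by the file's leading bytes, or 'unknown'."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return "unknown"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=quarantine; fo=1') into its tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def triage(raw: bytes) -> dict:
    """Extract the headers and attachment facts the room asks for, with red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    report = {
        "timestamp": parsedate_to_datetime(msg["Date"]).strftime("%m/%d/%Y %H:%M"),
        "from": from_addr,
        "reply_to": reply_to,
        "originating_ip": msg.get("X-Originating-IP", "").strip("[]"),
        "return_path_domain": parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2],
        "flags": [],
        "attachments": [],
    }
    # A Reply-To on a different domain than From diverts the victim's answer elsewhere.
    if reply_to and reply_to.rpartition("@")[2] != from_addr.rpartition("@")[2]:
        report["flags"].append("reply-to domain differs from From domain")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        name = part.get_filename() or ""
        claimed = name.rpartition(".")[2].lower()
        actual = sniff_extension(data)
        report["attachments"].append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size_kb": round(len(data) / 1024, 2),
            "claimed_ext": claimed,
            "actual_ext": actual,
        })
        # The extension in the filename is attacker-controlled; the bytes are not.
        if actual != "unknown" and actual != claimed:
            report["flags"].append(f"{name}: named .{claimed} but content is {actual}")
    return report


def build_sample() -> bytes:
    """Constructed sample message for this example; not the room's actual email."""
    msg = EmailMessage()
    msg["Date"] = "Mon, 01 Jun 2020 09:15:00 +0000"
    msg["From"] = "Accounts <info@example-supplier.test>"
    msg["Reply-To"] = "info.example-supplier@freemail.test"
    msg["Return-Path"] = "<info@example-supplier.test>"
    msg["X-Originating-IP"] = "[203.0.113.45]"
    msg["To"] = "sales@greenholt.test"
    msg["Subject"] = "Good day - payment confirmation"
    msg.set_content("Please find the swift copy attached.")
    # A RAR archive header wearing a .CAB name, mirroring the room's attachment.
    payload = b"Rar!\x1a\x07\x00" + b"\x00" * 1017   # 1024 bytes -> 1.0 KB
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="INVOICE_COPY____PDF__.CAB")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real sample with `triage(open("sample.eml", "rb").read())`. The two flags it raises on the constructed message (Reply-To on a different domain, and a `.CAB` name over RAR bytes) are exactly the mismatches that mark the Greenholt email as suspicious; the SPF and DMARC answers above still need a DNS TXT lookup on the Return-Path domain, which `parse_dmarc` only helps interpret.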
