trac3r00/phishing-analyzer

GitHub: trac3r00/phishing-analyzer

PhishGuard 是一款集成多信号评分、YARA 扫描与威胁情报查询的钓鱼邮件自动化分析工具,帮助安全团队快速研判并导出标准化威胁情报。

Stars: 0 | Forks: 0

# 🛡️ PhishGuard ![Python](https://img.shields.io/badge/python-3.11+-blue.svg) [![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](https://opensource.org/licenses/MIT) [![STIX](https://img.shields.io/badge/STIX-2.1-orange.svg)](https://oasis-open.github.io/cti-documentation/stix/intro) [![YARA](https://img.shields.io/badge/YARA-rules-red.svg)](https://virustotal.github.io/yara/) ## 功能简介 PhishGuard 接收一个 `.eml` 文件,并运行真实 SOC 环境中使用的**完整分析 pipeline**: | 模块 | 功能 | |--------|----------| | **Email Parser** | RFC 5322 header 提取,multipart body 解析,附件提取及 hash 计算 (MD5/SHA1/SHA256),received-hop 链重建 | | **Auth Validator** | 实时 DNS 查询 SPF, DMARC, DKIM 记录。解析 Authentication-Results header。标记缺失/薄弱的策略 | | **URL Intelligence** | 从文本和 HTML 中提取 URL,追踪重定向链 (HTTP 3xx),进行 defang 处理以便安全共享,homoglyph 检测,标记可疑的 TLD/短链接/IP-URL | | **IOC Extractor** | 提取 IPv4, IPv6, domain, email 地址, URL, file hash (MD5/SHA1/SHA256)。去重及 defang 处理 | | **YARA Scanner** | 使用 7 条内置规则扫描附件:VBA macros、混淆 macros、HTML 凭据表单、伪装的 executable、JS dropper、可疑 PDF、RTF exploit | | **Threat Intel** | VirusTotal API v3 (URL/hash/domain 检查),AbuseIPDB v2 (IP 信誉) | | **Risk Scorer** | 跨 6 个类别的多信号综合评分:Auth、URL、Social Engineering、Attachment、Header Anomaly、IOC Density。输出:Clean / Low / Medium / High / Critical | | **STIX 2.1 导出** | 包含 Indicators、ThreatActor、Relationships、Report 对象的完整 STIX bundle。可直接导入 MISP/OpenCTI | ## 快速开始 ``` git clone https://github.com/trac3r00/phishing-analyzer.git cd phishing-analyzer python3 -m venv .venv && source .venv/bin/activate pip install -e "." # 完整分析 phishguard analyze samples/phish_paypal.eml # 带 STIX 导出 phishguard analyze samples/phish_paypal.eml --stix report.stix.json # 仅提取 IOC(已进行 defang 处理以便安全共享) phishguard ioc samples/phish_paypal.eml --defanged # 检查域身份验证 phishguard auth-check paypa1-support.xyz ``` ### 可选:YARA 扫描 ``` pip install yara-python # 附件现在将自动扫描 ``` ### 可选:Threat Intel enrichment ``` export VT_API_KEY="your-virustotal-api-key" export ABUSEIPDB_API_KEY="your-abuseipdb-key" ``` ## CLI 命令 ``` phishguard analyze Full analysis pipeline --json Output structured JSON --stix Export STIX 2.1 bundle --no-dns Skip DNS lookups (offline mode) --no-redirects Skip URL redirect tracing phishguard ioc Extract IOCs --defanged Output defanged values phishguard auth-check Check SPF/DKIM/DMARC ``` ## 示例输出 ``` ════════════════════════════════════════════════════════════ PhishGuard — Phishing Email Analysis Report ════════════════════════════════════════════════════════════ ▶ Parsing email... Subject: URGENT: Your account has been suspended - Action Required From: PayPal Security Team To: victim@company.com Attachments: 1 ⚠ Header Anomalies: • Reply-To mismatch: From≠Reply-To (phisher-reply@gmail.com) • Return-Path mismatch: From≠Return-Path ▶ Extracting IOCs... IPs: 2 | Domains: 6 | URLs: 4 | Emails: 5 | Total: 17 ▶ Analyzing URLs... [SUSPICIOUS] hxxp://192[.]168[.]44[.]2/paypal-verify — IP-based URL [SUSPICIOUS] hxxp://paypa1-support[.]xyz/verify — Suspicious TLD (.xyz) [SUSPICIOUS] hxxps://bit[.]ly/3xR9fakePayPal — URL shortener ════════════════════════════════════════════════════════════ VERDICT: Critical (Score: 53) Top signals: Social Engineering (31 pts), URL Analysis (9 pts) Recommendation: BLOCK immediately. Quarantine email. Extract IOCs. ════════════════════════════════════════════════════════════ ``` ## 架构 ``` flowchart TD EML([".eml file"]) EML --> PARSER["Email Parser
headers · body · attachments"] PARSER --> AUTH["Auth Validator
SPF / DKIM / DMARC
(live DNS)"] PARSER --> IOC["IOC Extractor
IPs · domains
hashes · emails"] PARSER --> URL["URL Intelligence
redirect chain
TLD / shortener · homoglyphs"] PARSER --> YARA["YARA Scanner
7 built-in rules"] URL --> TI["Threat Intel
VirusTotal · AbuseIPDB"] AUTH --> SCORER["Risk Scorer
6 categories · 5 levels"] IOC --> SCORER URL --> SCORER YARA --> SCORER TI --> SCORER SCORER --> CLI["CLI Report
colored terminal"] SCORER --> STIX["STIX 2.1 Bundle
(JSON)"] ``` ## 内置 YARA 规则 | 规则 | 检测内容 | 严重程度 | |------|---------|----------| | `Phish_Office_Macro_VBA` | 带有 shell/PowerShell 执行的 VBA macros | High | | `Phish_Office_Macro_Obfuscated` | 混淆的 VBA (Chr() 拼接, Base64) | Critical | | `Phish_HTML_Credential_Form` | 带有密码输入和 form action 的 HTML 文件 | High | | `Phish_Executable_Disguised` | 伪装成文档的 PE executable | Critical | | `Phish_JavaScript_Dropper` | 带有 WScript/ActiveX 下载并执行的 JavaScript | High | | `Phish_PDF_Suspicious_Action` | 嵌入 JavaScript/Launch action 的 PDF | Medium | | `Phish_RTF_Exploit` | 带有 OLE 对象的 RTF (CVE-2017-11882 特征) | Critical | ## 社会工程学检测 涵盖 6 个类别的 40 多种模式: - ⏰ **紧迫感** — "立即行动"、"过期"、"最后警告",施加截止日期压力 - 🎣 **凭据收集** — "验证您的账户"、"确认密码",索要 PII - 🎭 **冒充** — 通用称呼、"安全团队"、品牌名称 - ⚡ **威胁** — "未经授权的访问"、"采取法律行动"、账户关闭 - 🎁 **诱饵** — "您已中奖"、"免费奖品"、"遗产" - 🔗 **链接/附件施压** — "点击此处"、"启用 macros"、"下载并运行" ## 项目结构 ``` phishing-analyzer/ ├── phishguard/ │ ├── __init__.py │ ├── cli.py # CLI interface │ ├── core/ │ │ ├── __init__.py # Email parser (.eml) │ │ ├── auth.py # SPF/DKIM/DMARC validation │ │ ├── url_intel.py # URL analysis + redirect tracing │ │ ├── ioc.py # IOC extraction │ │ └── scorer.py # Multi-signal risk scoring │ ├── intel/ │ │ └── __init__.py # VirusTotal + AbuseIPDB clients │ ├── reports/ │ │ └── __init__.py # STIX 2.1 bundle export │ └── yara_rules/ │ ├── __init__.py # YARA scanner engine │ └── phishing.yar # 7 built-in detection rules ├── samples/ # Sample .eml files ├── tests/ # 24 test cases ├── pyproject.toml └── README.md ``` ## 运行测试 ``` source .venv/bin/activate pytest tests/ -v ``` ## 集成 PhishGuard 旨在融入现有的 SOC 工作流: - **SIEM**:JSON 输出 (`--json`) 可接入 Splunk、Elastic 等。 - **Threat Intel 平台**:STIX 2.1 bundle 可直接导入 MISP、OpenCTI、ThreatConnect - **工单系统**:经过 defang 处理的 IOC 输出可安全用于 Jira/ServiceNow 工单 - **SOAR**:CLI 返回码支持自动化 (0=正常, 1=错误) - **CI/CD**:作为 email 模板的预部署检查运行 ## 安全提示 ⚠️ **请仅使用示例/测试邮件。** 请勿将包含 PII 的真实客户或生产环境邮件粘贴到任何公共工具或 AI 服务中。 ## 许可证 MIT — 查看 [LICENSE](LICENSE)。
标签:AI风险缓解, Kubernetes, Python, STIX, Streamlit, YARA, 云资产可视化, 威胁情报, 开发者工具, 无后门, 访问控制, 逆向工具, 钓鱼邮件分析