trac3r00/phishing-analyzer
GitHub: trac3r00/phishing-analyzer
PhishGuard 是一款集成多信号评分、YARA 扫描与威胁情报查询的钓鱼邮件自动化分析工具,帮助安全团队快速研判并导出标准化威胁情报。
Stars: 0 | Forks: 0
# 🛡️ PhishGuard

[](https://opensource.org/licenses/MIT)
[](https://oasis-open.github.io/cti-documentation/stix/intro)
[](https://virustotal.github.io/yara/)
## 功能简介
PhishGuard 接收一个 `.eml` 文件,并运行真实 SOC 环境中使用的**完整分析 pipeline**:
| 模块 | 功能 |
|--------|----------|
| **Email Parser** | RFC 5322 header 提取,multipart body 解析,附件提取及 hash 计算 (MD5/SHA1/SHA256),received-hop 链重建 |
| **Auth Validator** | 实时 DNS 查询 SPF, DMARC, DKIM 记录。解析 Authentication-Results header。标记缺失/薄弱的策略 |
| **URL Intelligence** | 从文本和 HTML 中提取 URL,追踪重定向链 (HTTP 3xx),进行 defang 处理以便安全共享,homoglyph 检测,标记可疑的 TLD/短链接/IP-URL |
| **IOC Extractor** | 提取 IPv4, IPv6, domain, email 地址, URL, file hash (MD5/SHA1/SHA256)。去重及 defang 处理 |
| **YARA Scanner** | 使用 7 条内置规则扫描附件:VBA macros、混淆 macros、HTML 凭据表单、伪装的 executable、JS dropper、可疑 PDF、RTF exploit |
| **Threat Intel** | VirusTotal API v3 (URL/hash/domain 检查),AbuseIPDB v2 (IP 信誉) |
| **Risk Scorer** | 跨 6 个类别的多信号综合评分:Auth、URL、Social Engineering、Attachment、Header Anomaly、IOC Density。输出:Clean / Low / Medium / High / Critical |
| **STIX 2.1 导出** | 包含 Indicators、ThreatActor、Relationships、Report 对象的完整 STIX bundle。可直接导入 MISP/OpenCTI |
## 快速开始
```
git clone https://github.com/trac3r00/phishing-analyzer.git
cd phishing-analyzer
python3 -m venv .venv && source .venv/bin/activate
pip install -e "."
# 完整分析
phishguard analyze samples/phish_paypal.eml
# 带 STIX 导出
phishguard analyze samples/phish_paypal.eml --stix report.stix.json
# 仅提取 IOC(已进行 defang 处理以便安全共享)
phishguard ioc samples/phish_paypal.eml --defanged
# 检查域身份验证
phishguard auth-check paypa1-support.xyz
```
### 可选:YARA 扫描
```
pip install yara-python
# 附件现在将自动扫描
```
### 可选:Threat Intel enrichment
```
export VT_API_KEY="your-virustotal-api-key"
export ABUSEIPDB_API_KEY="your-abuseipdb-key"
```
## CLI 命令
```
phishguard analyze Full analysis pipeline
--json Output structured JSON
--stix Export STIX 2.1 bundle
--no-dns Skip DNS lookups (offline mode)
--no-redirects Skip URL redirect tracing
phishguard ioc Extract IOCs
--defanged Output defanged values
phishguard auth-check Check SPF/DKIM/DMARC
```
## 示例输出
```
════════════════════════════════════════════════════════════
PhishGuard — Phishing Email Analysis Report
════════════════════════════════════════════════════════════
▶ Parsing email...
Subject: URGENT: Your account has been suspended - Action Required
From: PayPal Security Team
To: victim@company.com
Attachments: 1
⚠ Header Anomalies:
• Reply-To mismatch: From≠Reply-To (phisher-reply@gmail.com)
• Return-Path mismatch: From≠Return-Path
▶ Extracting IOCs...
IPs: 2 | Domains: 6 | URLs: 4 | Emails: 5 | Total: 17
▶ Analyzing URLs...
[SUSPICIOUS] hxxp://192[.]168[.]44[.]2/paypal-verify — IP-based URL
[SUSPICIOUS] hxxp://paypa1-support[.]xyz/verify — Suspicious TLD (.xyz)
[SUSPICIOUS] hxxps://bit[.]ly/3xR9fakePayPal — URL shortener
════════════════════════════════════════════════════════════
VERDICT: Critical (Score: 53)
Top signals: Social Engineering (31 pts), URL Analysis (9 pts)
Recommendation: BLOCK immediately. Quarantine email. Extract IOCs.
════════════════════════════════════════════════════════════
```
## 架构
```
flowchart TD
EML([".eml file"])
EML --> PARSER["Email Parser
headers · body · attachments"] PARSER --> AUTH["Auth Validator
SPF / DKIM / DMARC
(live DNS)"] PARSER --> IOC["IOC Extractor
IPs · domains
hashes · emails"] PARSER --> URL["URL Intelligence
redirect chain
TLD / shortener · homoglyphs"] PARSER --> YARA["YARA Scanner
7 built-in rules"] URL --> TI["Threat Intel
VirusTotal · AbuseIPDB"] AUTH --> SCORER["Risk Scorer
6 categories · 5 levels"] IOC --> SCORER URL --> SCORER YARA --> SCORER TI --> SCORER SCORER --> CLI["CLI Report
colored terminal"] SCORER --> STIX["STIX 2.1 Bundle
(JSON)"] ``` ## 内置 YARA 规则 | 规则 | 检测内容 | 严重程度 | |------|---------|----------| | `Phish_Office_Macro_VBA` | 带有 shell/PowerShell 执行的 VBA macros | High | | `Phish_Office_Macro_Obfuscated` | 混淆的 VBA (Chr() 拼接, Base64) | Critical | | `Phish_HTML_Credential_Form` | 带有密码输入和 form action 的 HTML 文件 | High | | `Phish_Executable_Disguised` | 伪装成文档的 PE executable | Critical | | `Phish_JavaScript_Dropper` | 带有 WScript/ActiveX 下载并执行的 JavaScript | High | | `Phish_PDF_Suspicious_Action` | 嵌入 JavaScript/Launch action 的 PDF | Medium | | `Phish_RTF_Exploit` | 带有 OLE 对象的 RTF (CVE-2017-11882 特征) | Critical | ## 社会工程学检测 涵盖 6 个类别的 40 多种模式: - ⏰ **紧迫感** — "立即行动"、"过期"、"最后警告",施加截止日期压力 - 🎣 **凭据收集** — "验证您的账户"、"确认密码",索要 PII - 🎭 **冒充** — 通用称呼、"安全团队"、品牌名称 - ⚡ **威胁** — "未经授权的访问"、"采取法律行动"、账户关闭 - 🎁 **诱饵** — "您已中奖"、"免费奖品"、"遗产" - 🔗 **链接/附件施压** — "点击此处"、"启用 macros"、"下载并运行" ## 项目结构 ``` phishing-analyzer/ ├── phishguard/ │ ├── __init__.py │ ├── cli.py # CLI interface │ ├── core/ │ │ ├── __init__.py # Email parser (.eml) │ │ ├── auth.py # SPF/DKIM/DMARC validation │ │ ├── url_intel.py # URL analysis + redirect tracing │ │ ├── ioc.py # IOC extraction │ │ └── scorer.py # Multi-signal risk scoring │ ├── intel/ │ │ └── __init__.py # VirusTotal + AbuseIPDB clients │ ├── reports/ │ │ └── __init__.py # STIX 2.1 bundle export │ └── yara_rules/ │ ├── __init__.py # YARA scanner engine │ └── phishing.yar # 7 built-in detection rules ├── samples/ # Sample .eml files ├── tests/ # 24 test cases ├── pyproject.toml └── README.md ``` ## 运行测试 ``` source .venv/bin/activate pytest tests/ -v ``` ## 集成 PhishGuard 旨在融入现有的 SOC 工作流: - **SIEM**:JSON 输出 (`--json`) 可接入 Splunk、Elastic 等。 - **Threat Intel 平台**:STIX 2.1 bundle 可直接导入 MISP、OpenCTI、ThreatConnect - **工单系统**:经过 defang 处理的 IOC 输出可安全用于 Jira/ServiceNow 工单 - **SOAR**:CLI 返回码支持自动化 (0=正常, 1=错误) - **CI/CD**:作为 email 模板的预部署检查运行 ## 安全提示 ⚠️ **请仅使用示例/测试邮件。** 请勿将包含 PII 的真实客户或生产环境邮件粘贴到任何公共工具或 AI 服务中。 ## 许可证 MIT — 查看 [LICENSE](LICENSE)。
headers · body · attachments"] PARSER --> AUTH["Auth Validator
SPF / DKIM / DMARC
(live DNS)"] PARSER --> IOC["IOC Extractor
IPs · domains
hashes · emails"] PARSER --> URL["URL Intelligence
redirect chain
TLD / shortener · homoglyphs"] PARSER --> YARA["YARA Scanner
7 built-in rules"] URL --> TI["Threat Intel
VirusTotal · AbuseIPDB"] AUTH --> SCORER["Risk Scorer
6 categories · 5 levels"] IOC --> SCORER URL --> SCORER YARA --> SCORER TI --> SCORER SCORER --> CLI["CLI Report
colored terminal"] SCORER --> STIX["STIX 2.1 Bundle
(JSON)"] ``` ## 内置 YARA 规则 | 规则 | 检测内容 | 严重程度 | |------|---------|----------| | `Phish_Office_Macro_VBA` | 带有 shell/PowerShell 执行的 VBA macros | High | | `Phish_Office_Macro_Obfuscated` | 混淆的 VBA (Chr() 拼接, Base64) | Critical | | `Phish_HTML_Credential_Form` | 带有密码输入和 form action 的 HTML 文件 | High | | `Phish_Executable_Disguised` | 伪装成文档的 PE executable | Critical | | `Phish_JavaScript_Dropper` | 带有 WScript/ActiveX 下载并执行的 JavaScript | High | | `Phish_PDF_Suspicious_Action` | 嵌入 JavaScript/Launch action 的 PDF | Medium | | `Phish_RTF_Exploit` | 带有 OLE 对象的 RTF (CVE-2017-11882 特征) | Critical | ## 社会工程学检测 涵盖 6 个类别的 40 多种模式: - ⏰ **紧迫感** — "立即行动"、"过期"、"最后警告",施加截止日期压力 - 🎣 **凭据收集** — "验证您的账户"、"确认密码",索要 PII - 🎭 **冒充** — 通用称呼、"安全团队"、品牌名称 - ⚡ **威胁** — "未经授权的访问"、"采取法律行动"、账户关闭 - 🎁 **诱饵** — "您已中奖"、"免费奖品"、"遗产" - 🔗 **链接/附件施压** — "点击此处"、"启用 macros"、"下载并运行" ## 项目结构 ``` phishing-analyzer/ ├── phishguard/ │ ├── __init__.py │ ├── cli.py # CLI interface │ ├── core/ │ │ ├── __init__.py # Email parser (.eml) │ │ ├── auth.py # SPF/DKIM/DMARC validation │ │ ├── url_intel.py # URL analysis + redirect tracing │ │ ├── ioc.py # IOC extraction │ │ └── scorer.py # Multi-signal risk scoring │ ├── intel/ │ │ └── __init__.py # VirusTotal + AbuseIPDB clients │ ├── reports/ │ │ └── __init__.py # STIX 2.1 bundle export │ └── yara_rules/ │ ├── __init__.py # YARA scanner engine │ └── phishing.yar # 7 built-in detection rules ├── samples/ # Sample .eml files ├── tests/ # 24 test cases ├── pyproject.toml └── README.md ``` ## 运行测试 ``` source .venv/bin/activate pytest tests/ -v ``` ## 集成 PhishGuard 旨在融入现有的 SOC 工作流: - **SIEM**:JSON 输出 (`--json`) 可接入 Splunk、Elastic 等。 - **Threat Intel 平台**:STIX 2.1 bundle 可直接导入 MISP、OpenCTI、ThreatConnect - **工单系统**:经过 defang 处理的 IOC 输出可安全用于 Jira/ServiceNow 工单 - **SOAR**:CLI 返回码支持自动化 (0=正常, 1=错误) - **CI/CD**:作为 email 模板的预部署检查运行 ## 安全提示 ⚠️ **请仅使用示例/测试邮件。** 请勿将包含 PII 的真实客户或生产环境邮件粘贴到任何公共工具或 AI 服务中。 ## 许可证 MIT — 查看 [LICENSE](LICENSE)。
标签:AI风险缓解, Kubernetes, Python, STIX, Streamlit, YARA, 云资产可视化, 威胁情报, 开发者工具, 无后门, 访问控制, 逆向工具, 钓鱼邮件分析