CompTIA CySA+ (CS0-003) — Question 216
An end user forwarded an email with a file attachment to the SOC for review. The SOC analysts think the file was specially crafted for the target. Which of the following investigative actions would best determine if the attachment was malicious?
Answer options
- A. Review the file in VirusTotal to determine if the domain is associated with any phishing.
- B. Review the email header to analyze the DKIM, DMARC, and SPF values.
- C. Review the source IP address in AbuseIPDB.
- D. Review the attachment’s behavior in a sandbox environment while running Wireshark.
Correct answer: D
Explanation
The correct answer is D because detonating the attachment in an isolated sandbox while capturing its traffic with Wireshark observes the file's actual behavior (process activity, file and registry changes, and network connections) and so shows directly whether it is malicious. This matters most for a file believed to be specially crafted for the target: a one-off sample is unlikely to have an existing entry in a reputation service. Options A, B, and C are indirect checks that do not prove the attachment is harmful: A checks domain reputation, B checks only whether the sending domain's email authentication (DKIM, DMARC, SPF) passed, and C checks the reputation of the source IP address. None of these examines what the file itself does when opened.