CompTIA Security+ (SY0-601) — Question 743

A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain?

Answer options

• A. Open the document on an air-gapped network.
• B. View the document's metadata for origin clues.
• C. Search for matching file hashes on malware websites.
• D. Detonate the document in an analysis sandbox.

Correct answer: C

Explanation

The best approach is to search for matching file hashes on malware websites, as this allows the analyst to identify known malicious files without executing any potentially harmful code. Opening the document on an air-gapped network or detonating it in a sandbox could pose risks, while viewing metadata may not provide definitive evidence of malicious intent.