The Analyst Toolkit: Part 2 – URL Analysis 🛡️

Welcome back to The Analyst Toolkit! In Part 1, we explored platforms like MalwareBazaar and URLHaus - great resources for gathering threat intelligence on malware samples and IOCs (indicators of compromise).

In Part 2, we’ll focus on URL analysis. This step is crucial when you’ve spotted a suspicious domain or link and need to evaluate its safety, activity, and behavior without risking impact to your own machine or device.

These tools allow you to view a website’s behavior such as what it loads, who it connects to, and if it’s flagged for malicious activity - all without directly visiting the site in your own browser!


:world_map: Progress Tracker

  • :white_check_mark: :globe_with_meridians: Malware and IOC Feeds
    • :white_check_mark: :toolbox: MalwareBazaar (Malware Repository)
    • :white_check_mark: :toolbox: URLHaus (Malicious URL Feed)
  • :arrow_right: :globe_with_meridians: URL Analysis
    • :white_large_square: :shield: URLScan (Website Behavior Analysis)
    • :white_large_square: :shield: Browserling (Browser Sandbox)
  • :white_large_square: :file_cabinet: File Analysis (Dynamic Sandboxing)
  • :white_large_square: :clipboard: Quiz: Test Your Knowledge

:shield: URLScan.io — Behavioral Analysis of Websites

URLScan.io is an online service that scans and analyzes websites in real-time. It shows how a webpage behaves, what resources it loads, and what domains it connects to, all in a virtualized browser.

I have personally used this tool several times during investigations to quickly triage things such as:

  • Suspicious URLs
  • Suspected phishing pages
  • C2 infrastructure
  • And more…

:magnifying_glass_tilted_right: Why Use URLScan?

  • Safe inspection of suspicious URLs - without visiting them directly.
  • Behavioral data: Network requests, JavaScript calls, redirections, and more.
  • Visual output: Snapshots, HTML DOM tree, linked domains.
  • Historical searches: See how a domain has changed over time.
  • Search by domain, hash, or IP - great for pivoting.

When is URLScan especially useful?

  • Phishing emails: When you’ve received a phishing email and need to verify the destination.
  • Suspicious Links: When a user reports or clicks a suspicious link.
  • Security Investigations: When you’re monitoring new infrastructure tied to a campaign.

:hammer_and_wrench: How to Use URLScan.io

  1. Visit https://urlscan.io/

  2. Paste your suspicious URL into the main input field and choose how to scan:

    • Public scan (shared with the community and searchable by anyone, including whoever operates the site you are scanning)
    • Private scan (only visible to you) - This is the one I’d most often recommend when performing an investigation. Phishing URLs frequently embed the recipient’s email address or a unique tracking token, and a public result would publish it.
    • Choose a user-agent or browser type for the scan.

Note: For my example scan I picked a URL from the malicious URL database we went over in part 1. https://urlhaus.abuse.ch/url/3537652/

  3. Launch the scan. It usually takes less than 60 seconds.

:test_tube: Reviewing the Results: How to Analyse a URLScan Report

Once your scan completes, you’ll be taken to a detailed dashboard. Even if no malicious verdict is shown, there’s a ton of useful investigative data to help you build a clearer picture.

Here’s how to interpret key sections:

:globe_showing_europe_africa: Summary Panel

  • Website Visual Snapshot: You can see a screenshot of what the website looks like when visited.
  • IP Address & Country: You can immediately see the resolved IP address (e.g., 92.205.161.6) and its geolocation (Strasbourg, France). This helps identify unusual geo locations, especially for a domain claiming to serve a specific audience.
  • Hosting Provider: This site uses GoDaddy’s infrastructure (host.secureserver.net). This is not malicious by default, but attackers sometimes abuse cheap shared hosting services.
  • TLS Certificate: The certificate is short-lived (3 months). On its own this means little: 90-day certificates are the default for Let’s Encrypt and other free CAs, so plenty of legitimate sites use them. It becomes worth noting in combination with other signals, such as a certificate issued only hours before the scan or a very young domain, because disposable phishing infrastructure is typically set up the same way.
  • Verdict: In this case, urlscan shows “No classification,” meaning nothing overtly malicious was triggered during scanning—but that doesn’t always mean it’s safe.

:globe_with_meridians: Domain Tree

  • This section maps which domains the website contacted during loading. You can see requests to:
    • fonts.googleapis.com, google-analytics.com, googletagmanager.com (common trackers)
    • streammain.top – might require deeper investigation.
  • Hover or click each domain to pivot into more scans or threat lookups. This is great for following potential attacker infrastructure.

:gear: Detected Technologies

  • urlscan identifies web stack components like:
    • WordPress (CMS)
    • Bootstrap, jQuery, and Google libraries
  • These help assess if the site is a custom build or template-based. A WordPress site on shared hosting is a common target for compromise through outdated plugins, so a legitimate-looking business site listed in URLHaus is often a hacked site serving someone else’s payload under a sub-path rather than a purpose-built malicious one.

:satellite_antenna: HTTP Transactions

  • The HTTP tab lists all requests made—HTML, CSS, scripts, etc.—along with:
    • HTTP methods like GET and POST
    • Status codes (e.g. 200 OK, 404 Not Found)
    • Content types (images, scripts, fonts)
  • Use this to spot unexpected JavaScript, POST requests sending data to a host other than the page you scanned, or failed requests (e.g. a payload path now returning 404), which may hint at malicious functionality that has since been broken or removed.

:link: Links Tab

  • Shows outgoing links to external websites, such as:
    • facebook.com, youtube.com (social links)
    • betzoid.com, jooble.org — unfamiliar or potentially low-trust destinations
  • Clicking these allows you to scan and investigate further—especially useful for spotting affiliate scams or redirect chains (redirects can also be specifically viewed on the previous tab).

:brain: Behaviour Tab

  • Displays JavaScript global variables and cookies set by the page.
  • Cookies with strange names, persistent expiry dates, or non-standard values can indicate tracking or fingerprinting behavior.
  • Variables can also show if the page uses login logic, user tracking, or obfuscation techniques.

:open_mailbox_with_raised_flag: Form Analysis

  • Lists all detected HTML forms. In this case:
    • A login form and forgot password form are present.
    • These are relevant in phishing scenarios, where stolen credentials are submitted.
  • You can review where the forms POST data to, and if that looks suspicious or redirects elsewhere.

:brain: Similar Domains Tab

  • Highlights other domains hosted on the same IP or infrastructure.
  • Dozens of unrelated domains sharing an IP usually just means shared hosting, which is normal. It becomes interesting when the neighbouring domains are lookalikes of brands or follow the same naming pattern, or when one compromised server would explain several of them hosting payloads.
  • Useful for mapping attacker clusters or discovering related threats.
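The submit-and-wait procedure above and the report sections just described can be driven from urlscan.io’s API instead of the browser. The following is an added example, not code from the original post or from urlscan.io: `submit_scan` and `fetch_result` use the documented `/scan/` and `/result/{uuid}/` endpoints (an API key is required, and results for private scans are fetched with the same key), while `triage` and `flags` pull the summary panel, domain tree, detected technologies, HTTP transactions, verdict and cookie data out of the result JSON. `SAMPLE_RESULT` is a constructed, abbreviated result with made-up domains, IP and cookie values so the triage part runs offline.

```python
import json, time, urllib.error, urllib.parse, urllib.request
from datetime import datetime

API = "https://urlscan.io/api/v1"


def submit_scan(url, api_key, visibility="private"):
    """POST /scan/ and return the uuid. Keep 'private' during investigations:
    public results are searchable by anyone, the attacker included."""
    req = urllib.request.Request(
        f"{API}/scan/",
        data=json.dumps({"url": url, "visibility": visibility}).encode(),
        headers={"API-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["uuid"]


def fetch_result(uuid, api_key, attempts=12, delay=10):
    """GET /result/{uuid}/ answers 404 until the scan has finished, so poll."""
    req = urllib.request.Request(f"{API}/result/{uuid}/", headers={"API-Key": api_key})
    for _ in range(attempts):
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
            time.sleep(delay)
    raise TimeoutError(f"scan {uuid} not finished after {attempts * delay}s")


def triage(result):
    """Reduce a result document to what an analyst reads off the report tabs."""
    page = result["page"]
    primary = page["domain"]
    scan_ts = datetime.fromisoformat(result["task"]["time"].replace("Z", "+00:00")).timestamp()
    posts, failed = [], []
    for entry in result["data"]["requests"]:        # HTTP transactions tab
        req = entry["request"]["request"]
        status = entry.get("response", {}).get("response", {}).get("status")
        if req["method"] == "POST":
            posts.append(req["url"])
        if status is None or status >= 400:          # dead, blocked or taken-down resource
            failed.append((req["url"], status))
    return {
        "url": page["url"], "domain": primary, "ip": page.get("ip"),       # summary panel
        "country": page.get("country"), "asn": page.get("asnname"),
        "tls_issuer": page.get("tlsIssuer"), "tls_valid_days": page.get("tlsValidDays"),
        "malicious": result["verdicts"]["overall"]["malicious"],
        "contacted_domains": sorted(set(result["lists"].get("domains", [])) - {primary}),
        "technologies": [t["app"] for t in result["meta"]["processors"]["wappa"]["data"]],
        "post_requests": posts,
        "failed_requests": failed,
        # behaviour tab: cookies that outlive the scan by more than a year
        "long_lived_cookies": [c["name"] for c in result["data"].get("cookies", [])
                               if c.get("expires", -1) > scan_ts + 365 * 86400],
    }


def flags(summary):
    """Turn the summary into the follow-up questions the verdict alone won't raise."""
    out = []
    if summary["malicious"]:
        out.append("urlscan verdict: malicious")
    for url in summary["post_requests"]:
        if urllib.parse.urlsplit(url).hostname != summary["domain"]:
            out.append(f"POST to third-party host: {url}")
    for url, status in summary["failed_requests"]:
        out.append(f"request failed ({status}): {url} (removed payload? blocked scanner?)")
    if summary["long_lived_cookies"]:
        out.append("long-lived cookies: " + ", ".join(summary["long_lived_cookies"]))
    return out


# Constructed, abbreviated result document: domains, IP and cookie values are made up.
SAMPLE_RESULT = {
    "task": {"time": "2025-05-01T10:00:00.000Z", "visibility": "private"},
    "page": {"url": "https://shop.example.com/wp-login.php", "domain": "shop.example.com",
             "ip": "203.0.113.10", "country": "FR", "asnname": "EXAMPLE-HOSTING",
             "tlsIssuer": "R11", "tlsValidDays": 89},
    "lists": {"domains": ["shop.example.com", "fonts.googleapis.com",
                          "www.google-analytics.com", "collect.example.net"]},
    "meta": {"processors": {"wappa": {"data": [{"app": "WordPress"}, {"app": "jQuery"}]}}},
    "verdicts": {"overall": {"malicious": False}},
    "data": {
        "requests": [
            {"request": {"request": {"url": "https://shop.example.com/wp-login.php", "method": "GET"}},
             "response": {"response": {"status": 200, "mimeType": "text/html"}}},
            {"request": {"request": {"url": "https://collect.example.net/beacon", "method": "POST"}},
             "response": {"response": {"status": 200, "mimeType": "application/json"}}},
            {"request": {"request": {"url": "https://shop.example.com/wp-content/uploads/update.exe", "method": "GET"}},
             "response": {"response": {"status": 404, "mimeType": "text/html"}}},
        ],
        "cookies": [{"name": "PHPSESSID", "domain": "shop.example.com", "expires": -1},
                    {"name": "_trk", "domain": "collect.example.net", "expires": 1809000000}],
    },
}
```

For a live scan the whole chain is `flags(triage(fetch_result(submit_scan(url, key), key)))`. On the constructed sample it reports the POST to a third-party host, the 404 on the `.exe` path and the year-long tracking cookie, which are exactly the things a “No classification” verdict stays silent about.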

:high_voltage: Analyst Tip:

Treat URLScan.io as a triage tool rather than a verdict engine: it won’t always give you a simple yes/no answer, but it offers valuable clues. Remember that a scan does contact the target from urlscan’s infrastructure, and a public scan publishes the result, so it is not passive from the attacker’s point of view. Combine these findings with other sources like URLHaus or VirusTotal, and ask yourself:

  • What is this domain trying to do?
  • Who is it talking to?
  • What resources is it loading, and where is data being sent?

These are the kinds of questions that build your analyst ‘picture’ and own verdict—which is often more powerful than any automated classification.


Want to practice? Pick a suspicious URL from URLHaus and run your own scan on URLScan.io.
Try to build your own verdict—and see what pieces of the puzzle stand out to you.


:shield: Browserling — Disposable Browsing Sandbox

Browserling is a real-time browser sandbox. It gives you direct, disposable, interactive browser access, ideal when you need to manually inspect a webpage without it touching your machine.

Browserling is lightweight, simple, and doesn’t require installations—just open, type in a URL, and browse in isolation.


:magnifying_glass_tilted_right: Why Use Browserling?

  • Fully interactive web browsing in a sandboxed environment.
  • Great for manual verification when automated scans (like URLScan) don’t give enough insight, or for further information gathering.
  • Safe inspection of sketchy popups, forms, or page interactions.
  • Ideal for analysts, researchers, and developers.

:hammer_and_wrench: How to Use Browserling

  1. Go to https://browserling.com

  2. Choose your browser (Chrome, Firefox, etc.) and version.

  3. Paste the URL you want to visit.

  4. Start browsing—all activity is isolated to the cloud browser.

Note: Free sessions are limited in time. Paid plans offer extended browsing and more features. You will most likely have to wait in a queue until you can view the website!

In our example, I have re-used the URL we analysed earlier on URLScan. We can safely navigate and interact with the web page.


:high_voltage: Analyst Tip:

Browserling is best when:

  • You want to fill out forms or interact with elements on a suspicious site.
  • A static scan doesn’t capture behavior like form submissions or pop-ups.
  • You’re investigating social engineering lures, fake login pages, or credential theft attempts.

You can even use it for safe visual screenshots or proof-of-concept demos when writing reports.



:brain: Final Thoughts: Analyst Context Over Tool Verdicts

As you’ve seen in this walkthrough, tools like URLScan.io and Browserling are incredibly valuable for analyzing suspicious websites—without putting your system at risk.

You can extract and investigate:

  • IP addresses and hosting infrastructure
  • Outgoing links and contacted domains
  • Suspicious form behaviors, scripts, and cookies
  • TLS details, redirects, and visual indicators

But sometimes, even with all this data, the answer isn’t clear-cut.

Take our example: a URL flagged by URLHaus as malicious, yet URLScan showed no malicious verdict. Why?

  • The site may have hosted malware previously but no longer does, or the payload may only be served to certain visitors. Cloaking on IP range, geolocation, User-Agent or referrer is common, and scanner infrastructure is easy to recognise, which is why URLScan lets you choose the user-agent for a scan.
  • The site is mostly static, showing no active red flags during automated analysis.
  • It uses infrastructure commonly seen in both benign and malicious sites, such as WordPress and GoDaddy hosting.

This is where your analyst judgment becomes critical.

Threat analysis isn’t about one tool giving you a green or red light. It’s about bringing together multiple pieces of evidence:

  • Threat feeds :white_check_mark:
  • Sandbox behavior :white_check_mark:
  • Infrastructure metadata :white_check_mark:
  • Visual inspection :white_check_mark:
  • Contextual intuition :white_check_mark:

When one tool gives you little to go on, that’s your signal to dig deeper, pivot, and build a bigger picture.


:bullseye: Try It Yourself

Want to sharpen your skills?

Pick a suspicious URL from URLHaus and:

  • Run it through URLScan.io to observe behavior.
  • Open it in Browserling to interact safely.
  • Use your judgment to reach a conclusion—safe, suspicious, or malicious?

The more you practice, the sharper your instincts become.


:puzzle_piece: Wrapping Up Part 2: URL Analysis

In this second part of The Analyst Toolkit, you’ve learned how to safely investigate suspicious URLs using two powerful tools:

  • URLScan.io — for automated behavior analysis and network visualizations.
  • Browserling.com — for interactive, sandboxed browsing of potentially malicious web content.

Together, these give you visibility into what a suspicious website is doing without loading it on your own machine. The one exposure that remains is informational: a public scan result, or a URL that carries a recipient’s email address or token, is visible to anyone who searches for it, so keep investigation scans private.


:white_check_mark: Progress Tracker

  • :white_check_mark: :globe_with_meridians: Malware and IOC Feeds
    • :white_check_mark: :toolbox: MalwareBazaar
    • :white_check_mark: :toolbox: URLHaus
  • :white_check_mark: :globe_with_meridians: URL Analysis
    • :white_check_mark: :shield: URLScan
    • :white_check_mark: :shield: Browserling
  • :soon_arrow: :file_cabinet: File Analysis (Dynamic Sandboxing)
    • :white_large_square: :test_tube: AnyRun
    • :white_large_square: :test_tube: Hybrid Analysis
  • :white_large_square: :clipboard: Quiz: Test Your Knowledge

:soon_arrow: What’s Next: File Analysis

In Part 3, we’ll dive into dynamic sandboxing platforms like AnyRun and Hybrid Analysis—tools that let you run suspicious files in a safe, controlled environment and observe exactly what they do.


:speech_balloon: Got Questions or Thoughts?

Please feel free to join and contribute here! :busts_in_silhouette: Join Our Community
It would be great to hear from other members of the community and share knowledge! :slight_smile:

:toolbox: For a full list of all the investigation tools covered in this blog—and others you can explore or use in your own analysis—check out our curated resource:
:link: Investigation & Threat Analysis Toolkit

:globe_with_meridians: Connect with me:
:bird: Twitter
:newspaper: Stay Updated with Our Cybersecurity Newsletter