Analyzing Malicious URL with URLScan

Overview

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolated environment. This guide covers using URLScan's web interface and API to investigate phishing URLs, credential harvesting pages, and malicious redirects without exposing the analyst's system to risk.

Prerequisites

URLScan.io account (free tier available, API key for automation)
Python 3.8+ with requests library
Understanding of HTTP protocols and web technologies
Familiarity with phishing URL patterns

Key Concepts

URLScan Capabilities

Safe browsing: Renders URLs in isolated Chromium instance
Screenshot capture: Visual snapshot of the rendered page
DOM analysis: Full HTML content after JavaScript execution
Network log: All HTTP requests made by the page (HAR format)
Certificate analysis: SSL/TLS certificate details
Technology detection: Identifies web frameworks and libraries
IP/ASN mapping: Infrastructure intelligence
Verdict: Community and automated classification

Phishing URL Red Flags

Newly registered domains (< 30 days)
Free hosting services (Wix, GitHub Pages, Firebase)
URL shorteners hiding final destination
Excessive subdomain depth (login.microsoft.com.evil.com)
Brand name in subdomain or path, not domain
Non-standard ports
Data URIs or base64-encoded content
JavaScript-heavy pages with minimal HTML

Implementation Steps

Step 1: Submit URL to URLScan

Web: Navigate to https://urlscan.io and submit the suspicious URL
API: POST https://urlscan.io/api/v1/scan/
     Header: API-Key: your-api-key
     Body: {"url": "https://suspicious-url.com", "visibility": "private"}

Step 2: Analyze Results

Review screenshot for brand impersonation
Check redirects and final destination URL
Examine DOM for credential input forms
Review network requests for data exfiltration endpoints
Check SSL certificate validity and issuer

Step 3: Extract IOCs

Domains and IPs contacted
URLs in redirect chain
SHA-256 hashes of page resources
JavaScript file hashes

Step 4: Cross-Reference with Threat Intelligence

Use the scripts/process.py to automate URL scanning, extract IOCs, and cross-reference with VirusTotal, PhishTank, and Google Safe Browsing.

Tools & Resources

URLScan.io: https://urlscan.io/
URLScan API: https://urlscan.io/docs/api/
VirusTotal URL Scanner: https://www.virustotal.com/
PhishTank: https://phishtank.org/
Google Safe Browsing: https://transparencyreport.google.com/safe-browsing/search
Any.Run: https://any.run/ (interactive sandbox)
Hybrid Analysis: https://www.hybrid-analysis.com/

Validation

Successfully scan a suspicious URL via API
Extract screenshot and identify brand impersonation
Document complete redirect chain
Generate IOC list from scan results
Cross-reference findings with at least 2 threat intelligence sources

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add analyzing-malicious-url-with-urlscan

# Or load dynamically via MCP
grc.load_skill("analyzing-malicious-url-with-urlscan")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Analyzing Malicious URL with URLScan

Overview

Prerequisites

URLScan.io account (free tier available, API key for automation)
Python 3.8+ with requests library
Understanding of HTTP protocols and web technologies
Familiarity with phishing URL patterns

Key Concepts

URLScan Capabilities

Safe browsing: Renders URLs in isolated Chromium instance
Screenshot capture: Visual snapshot of the rendered page
DOM analysis: Full HTML content after JavaScript execution
Network log: All HTTP requests made by the page (HAR format)
Certificate analysis: SSL/TLS certificate details
Technology detection: Identifies web frameworks and libraries
IP/ASN mapping: Infrastructure intelligence
Verdict: Community and automated classification

Phishing URL Red Flags

Newly registered domains (< 30 days)
Free hosting services (Wix, GitHub Pages, Firebase)
URL shorteners hiding final destination
Excessive subdomain depth (login.microsoft.com.evil.com)
Brand name in subdomain or path, not domain
Non-standard ports
Data URIs or base64-encoded content
JavaScript-heavy pages with minimal HTML

Implementation Steps

Step 1: Submit URL to URLScan

Web: Navigate to https://urlscan.io and submit the suspicious URL
API: POST https://urlscan.io/api/v1/scan/
     Header: API-Key: your-api-key
     Body: {"url": "https://suspicious-url.com", "visibility": "private"}

Step 2: Analyze Results

Review screenshot for brand impersonation
Check redirects and final destination URL
Examine DOM for credential input forms
Review network requests for data exfiltration endpoints
Check SSL certificate validity and issuer

Step 3: Extract IOCs

Domains and IPs contacted
URLs in redirect chain
SHA-256 hashes of page resources
JavaScript file hashes

Step 4: Cross-Reference with Threat Intelligence

Use the scripts/process.py to automate URL scanning, extract IOCs, and cross-reference with VirusTotal, PhishTank, and Google Safe Browsing.

Tools & Resources

URLScan.io: https://urlscan.io/
URLScan API: https://urlscan.io/docs/api/
VirusTotal URL Scanner: https://www.virustotal.com/
PhishTank: https://phishtank.org/
Google Safe Browsing: https://transparencyreport.google.com/safe-browsing/search
Any.Run: https://any.run/ (interactive sandbox)
Hybrid Analysis: https://www.hybrid-analysis.com/

Validation

Successfully scan a suspicious URL via API
Extract screenshot and identify brand impersonation
Document complete redirect chain
Generate IOC list from scan results
Cross-reference findings with at least 2 threat intelligence sources

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add analyzing-malicious-url-with-urlscan

# Or load dynamically via MCP
grc.load_skill("analyzing-malicious-url-with-urlscan")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Analyzing Malicious URL with URLScan

Overview

Prerequisites

Key Concepts

URLScan Capabilities

Phishing URL Red Flags

Implementation Steps

Step 1: Submit URL to URLScan

Step 2: Analyze Results

Step 3: Extract IOCs

Step 4: Cross-Reference with Threat Intelligence

Tools & Resources

Validation

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Implementing Anti Phishing Training Program

Implementing DMARC DKIM SPF Email Security

Implementing Email Sandboxing with Proofpoint

Performing Phishing Simulation with GoPhish

Analyzing Phishing Email Headers

Detecting Business Email Compromise

Prerequisites

Analyzing Malicious URL with URLScan

Overview

Prerequisites

Key Concepts

URLScan Capabilities

Phishing URL Red Flags

Implementation Steps

Step 1: Submit URL to URLScan

Step 2: Analyze Results

Step 3: Extract IOCs

Step 4: Cross-Reference with Threat Intelligence

Tools & Resources

Validation

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Implementing Anti Phishing Training Program

Implementing DMARC DKIM SPF Email Security

Implementing Email Sandboxing with Proofpoint

Performing Phishing Simulation with GoPhish

Analyzing Phishing Email Headers

Detecting Business Email Compromise