How to Screen (Potentially) Malicious URLs

Hi all -

I am still a new cyber analyst, and I often check IOCs that I find in the news for any prevalence in my environment.

One thing I struggle with is determining if the site is truly malicious or not. I am looking for some feedback on what else I can check for to determine if these sites are suspicious, malicious, etc.

My current process:

  1. Check news for IOC (Domain in this case)
  2. KQL to search for any URLClicks/RemoteURL connections
  3. I receive results that a device connected to the (potentially) malicious URL
  4. Check VT for reputation
  5. Check proxy for confirmation of connection to the site
  6. Sandbox the URL
  7. Check device timeline for around the time of the URL click

Where I struggle is with this.

  1. When I sandbox the URL, I don't see anything malicious.
    1. What should I be looking for?
    2. What should I check to determine if this is a legitimate site or a malicious one?
    3. What indicators on the site truly determine maliciousness, and how can I find them?
  2. When I check VT, what should I look for on here aside from the 'Reputation Score'/Community score?
    1. Is there anything on here I can look for to assist me in determining if this site is malicious or not?
  3. Is there anything else I can check? I feel like all I do is visit the site, click around, then that's it. I never seem to find any .exe, scripts, etc.

A recent example would be survey-smiles[.]com. Clearly malicious, but what should be 'THE' process for analyzing these URLs?

I know this is a dumb question, but I honestly don't know how to check for these things, and my team is relatively new as well. Any pointers would be greatly appreciated!
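Steps 2, 5 and 7 of the process above (find connections to the IOC, confirm them in the proxy log, then pull the device timeline around the connection time) as a small script. This is an added example, not code from the original post or from any product mentioned in it; the proxy log, timeline lines, device names and the 5-minute window are constructed assumptions, and the only indicator used is the defanged survey-smiles[.]com from the post.

```python
import re
from datetime import datetime, timedelta

IOC_FROM_NEWS = "survey-smiles[.]com"  # defanged, as published IOCs usually are

# Constructed sample proxy log: timestamp, device, destination host, HTTP status.
PROXY_LOG = """\
2024-05-01T10:02:11Z WS-017 login.microsoftonline.com 200
2024-05-01T10:05:42Z WS-017 cdn.survey-smiles.com 200
2024-05-01T10:05:43Z WS-017 survey-smiles.com 302
2024-05-01T10:21:09Z WS-042 survey-smiles.com.example.org 200
2024-05-01T11:30:00Z WS-042 notsurvey-smiles.com 200
"""

# Constructed sample device timeline: timestamp, device, event description.
TIMELINE = """\
2024-05-01T10:04:58Z WS-017 outlook.exe opened mail with external link
2024-05-01T10:05:40Z WS-017 msedge.exe launched by outlook.exe
2024-05-01T10:09:15Z WS-017 msedge.exe wrote survey.pdf to Downloads
2024-05-01T12:00:00Z WS-017 scheduled task run
"""

def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], (.)) back into a real domain."""
    ioc = re.sub(r"^hxxps?://", "", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("(.)", ".").split("/")[0].lower()

def host_matches(host: str, domain: str) -> bool:
    """Exact domain or a subdomain; look-alikes such as notsurvey-smiles.com do not match."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def find_connections(log: str, ioc: str) -> list:
    """(timestamp, device, host) for every proxy line that reached the IOC domain."""
    domain = refang(ioc)
    return [(parse_ts(ts), dev, host) for ts, dev, host, _ in
            (line.split() for line in log.splitlines()) if host_matches(host, domain)]

def timeline_around(timeline: str, device: str, when: datetime, minutes: int = 5) -> list:
    """Timeline events on the device within +/- minutes of the connection time."""
    events = []
    for line in timeline.splitlines():
        ts, dev, desc = line.split(maxsplit=2)
        if dev == device and abs(parse_ts(ts) - when) <= timedelta(minutes=minutes):
            events.append((parse_ts(ts), desc))
    return events
```

Note that the suffix match deliberately catches `cdn.survey-smiles.com` but not `survey-smiles.com.example.org` or `notsurvey-smiles.com`, so a plain substring search on the proxy log would over- and under-report.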