Report - www.attacker.com/evil.xls

Report Overview

Submitted URL
www.attacker.com/evil.xls
IP
45.88.202.115
ASN
#48357 K4X OU
Submitted
2024-05-08 15:06:01
Access
public
Website Title
Attacker - The Domain Name Attacker.com is Now For Sale.
Final URL
attacker.com/evil.xls
Tags
urlquery detections
No alerts detected

Detections

urlquery
0
Network Intrusion Detection
0
Threat Detection Systems
56

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
fonts.gstatic.com	unknown	2008-02-11	2014-09-09	2024-05-08	2.7 kB	148 kB	216.58.207.227
pixel.epik.com	403460	1998-04-16	2020-11-24	2023-11-25	836 B	338 B	102.223.180.96
ekr.zdassets.com	2396	2013-01-28	2018-06-14	2024-05-07	458 B	290 kB	104.18.70.113
fonts.googleapis.com	8877	2005-01-25	2013-06-10	2024-05-07	1.3 kB	20 kB	142.250.74.106
static.zdassets.com	2154	2013-01-28	2018-06-24	2024-05-07	861 B	1.0 MB	104.18.70.113
www.attacker.com	unknown	1999-03-06	2012-10-16	2024-02-14	479 B	370 B	45.88.202.115
attacker.com	unknown	1999-03-06	2012-08-07	2024-04-18	6.4 kB	136 kB	45.88.202.115
cust-api.trustratings.com	381772	2000-02-25	2019-12-28	2023-11-25	572 B	2.2 kB	136.243.10.248

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

Scan Date	Severity	Indicator	Alert
2022-07-12	medium	attacker.com/css/bootstrap-custom.min.css	Other
2022-07-12	medium	attacker.com/css/parking2.min.css?v=6	Other
2022-07-12	medium	attacker.com/js/lab.min.js	Other
2022-07-12	medium	attacker.com/js/global.js?v=1	Other
2022-07-12	medium	attacker.com/images/epik-domain-names-dark.svg?v=1	Other
2022-07-12	medium	attacker.com/images/parking2/payments/cc.svg	Other
2022-07-12	medium	attacker.com/images/parking2/payments/paypal.svg	Other
2022-07-12	medium	attacker.com/images/parking2/payments/in_store_credit.svg	Other
2022-07-12	medium	attacker.com/images/parking2/payments/ach.svg	Other
2022-07-12	medium	attacker.com/favicon.ico	Other
2022-07-12	medium	attacker.com/evil.xls	Other
2022-07-12	medium	attacker.com/images/parking2/bg/a18.jpg	Other
2022-07-12	medium	attacker.com/images/opt/css_sprites.png	Other

mnemonic secure dns

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed
2024-05-08	medium	attacker.com	Sinkholed

ThreatFox

No alerts detected

JavaScript (14)

	URL	Size	First Seen	Last Seen
	attacker.com/evil.xls	503 B	2023-03-07	2024-05-15
Pretty URL attacker.com/evil.xls IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-07 14:52:59 Last Seen2024-05-15 22:18:10 Times Seen215 Hash 7afd8ec8b107440dd5b9b97ffd741aeb 6b2af8755871c434f58401b577c33f98f86278d1 1abb7c8345dfea671293202daf2d7edb43f8af648dc0151775db964f7b6c6cde Loading...

	attacker.com/evil.xls	60 B	2023-03-07	2024-05-15
Pretty URL attacker.com/evil.xls IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-07 14:52:59 Last Seen2024-05-15 22:18:10 Times Seen162 Hash 4565f7185c529cb80f4bf611467329e0 276632bf2a2f4187840d650327170a9438886a2c 2c7e3d808764189c15cd1d9ebea39226f6c19747cba202f5114cd61c0af47bcd Loading...

	static.zdassets.com/ekr/snippet.js?key=1546ebb5-45e1-49c4-94dc-4b5d44a6d66c	10 kB	2024-01-15	2024-05-19
Pretty URL static.zdassets.com/ekr/snippet.js?key=1546ebb5-45e1-49c4-94dc-4b5d44a6d66c IP 104.18.70.113 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-01-15 08:52:01 Last Seen2024-05-19 23:40:31 Times Seen3910 Hash c0053b411b753138af468db1bd3b19f3 7c3a187aa58f2b9e5446edb761b3d4d2ba506fe7 ce337ec7dda4b3a741363a2673c7edce5c736f1660e2aa908131ecfd9dd1343f Loading...

	unknown	77 B	2023-04-13	2024-05-19
Pretty Introduced by Function Embedded in HTML false Observations First Seen2023-04-13 16:08:45 Last Seen2024-05-19 17:08:08 Times Seen1767 Hash 5ada4f545e5b41cc9774b9c537654481 7aeac43d786855f9d50588ebf2ad0428aa7a08dd c95b3fc54062c581e2d235f25aa9074b000bd2c718804455238fc5ea286fb0c0 Loading...

	attacker.com/evil.xls	753 B	2023-03-07	2024-05-15
Pretty URL attacker.com/evil.xls IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-07 14:52:59 Last Seen2024-05-15 22:18:10 Times Seen165 Hash 1df7db4198ceaf590098823a286204fb a0da12deb58ea99699e806115a4b2842f6fdfadc f2597d9cc3691e795cdb008e9439bb959ff3bae05ce7f5a244a20415b1130ce7 Loading...

	attacker.com/evil.xls	1.7 kB	2023-03-08	2024-05-15
Pretty URL attacker.com/evil.xls IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-08 19:48:07 Last Seen2024-05-15 22:18:10 Times Seen165 Hash b0cd30e214cf2522c8732d4e6837eb7f e6d1b9159dd136d4a147bc070b933e919c5f3e92 96437dd10bf3a29f171ac1bcfebf5048961a065045db351d8c15dbd6b3e2b4af Loading...

	unknown	38 B	2023-04-10	2024-05-20
Pretty Introduced by eventHandler Embedded in HTML false Observations First Seen2023-04-10 16:02:06 Last Seen2024-05-20 00:58:26 Times Seen14599 Hash 43e28c5553d54ed2964bd5147521769b 0a2b8c3db330a47aa7b9195e6dfdf944adb9240d d63026c985dc46aeb316574b7bf1828080c906238e35d5e34cb80414c0e70d23 Loading...

	static.zdassets.com/web_widget/classic/latest/web-widget-main-2c036c6.js	992 kB	2024-05-07	2024-05-09
Pretty URL static.zdassets.com/web_widget/classic/latest/web-widget-main-2c036c6.js IP 104.18.70.113 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 16:35:59 Last Seen2024-05-09 10:18:28 Times Seen51 Hash 15ab335ec444bd9db9a9d1c26b109125 f976fb2a04b4c80d8a8340675c5c700e893081a8 6e248dcdaba5385442531a33cbc7407ed37e4d00e70588480f5b17e4a2b8d4c8 Loading...

	attacker.com/js/lab.min.js	4.5 kB	2023-03-07	2024-05-15
Pretty URL attacker.com/js/lab.min.js IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:17:06 Last Seen2024-05-15 22:18:11 Times Seen284 Hash 5bae8f54eb5be64b131e498e2c233bbc 25aa4807d5d07f1dbd9705866fbe6540ad0fd1d5 565169484eb0f13570db78742dcf091e83129a2a0471ae485aa13a890f378258 Loading...

	attacker.com/evil.xls	400 B	2023-03-13	2024-05-08
Pretty URL attacker.com/evil.xls IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-13 13:26:26 Last Seen2024-05-08 17:06:22 Times Seen33 Hash afae3c751e0aaaa7cbb681d497c26632 81d785d022a4a20cf5d9059321ce360fed21203a 4d1692f29908f5c032ccc90c19e0c982b2f87e0f3ea4a6062c8c4cb8ec61fda9 Loading...

	attacker.com/js/openpixel.min.js?t=1715212800000	7.1 kB	2023-03-07	2024-05-15
Pretty URL attacker.com/js/openpixel.min.js?t=1715212800000 IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:17:06 Last Seen2024-05-15 22:18:11 Times Seen273 Hash c3f7401540792da8651fd98ba29d6234 18031b36055b29f303e50b950c840c2a38d0d99a 9d3d199481d627ddbcc19f0117d96cd434708338822064b2bc63a3dddd54c8dc Loading...

	unknown	83 B	2023-04-13	2024-05-19
Pretty Introduced by Function Embedded in HTML false Observations First Seen2023-04-13 16:08:45 Last Seen2024-05-19 17:08:08 Times Seen1768 Hash 62cd50374f9e402baf5a7de635f1b832 8f48044d7fa09ae8d666ab4056e9f7a570dc1774 18de782ff83190db91cd321421564b77ca13c7953ab5831901095354b093c0ac Loading...

	attacker.com/js/global.js?v=1	2.0 kB	2023-03-07	2024-05-15
Pretty URL attacker.com/js/global.js?v=1 IP 45.88.202.115 ASN #48357 K4X OU Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:17:06 Last Seen2024-05-15 22:18:11 Times Seen285 Hash 7b08992307bf75cff71e268fe1bec7b7 6518204f41cec36228d2c19c2d138cf1c4d972ee 24704d232f9937d71f8aec02c4308ed0b1e4fa237e144fc373fd520b6d935076 Loading...

	unknown	82 B	2023-04-13	2024-05-19
Pretty Introduced by Function Embedded in HTML false Observations First Seen2023-04-13 16:08:45 Last Seen2024-05-19 17:08:09 Times Seen1770 Hash 67a24a8bdca5577b37d605ce6e8adfb2 82fa2a206316f4cb674e1f790bf21adc3eea8e88 b6ef6fee73d4f31312a27bc9609dddb02b4511d4f1c5e80ea8a1a896cae11f53 Loading...

HTTP Transactions (28)

URL IP Response Size

www.attacker.com/evil.xls

45.88.202.115

302 Found

0 B

URL User Request GET HTTP/2
www.attacker.com/evil.xls
IP
45.88.202.115:443
ASN
#48357 K4X OU

Certificate
IssuerLet's Encrypt
Subjectwww.attacker.com
FingerprintB4:17:17:94:B3:BC:D5:DB:AA:E1:4E:76:3B:B6:6D:06:B2:AC:8D:ED
ValiditySun, 07 Apr 2024 23:50:13 GMT - Sat, 06 Jul 2024 23:50:12 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /evil.xls HTTP/1.1
Host: www.attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 302 Found
server: nginx
date: Wed, 08 May 2024 14:57:13 GMT
content-type: text/html; charset=UTF-8
content-length: 0
x-powered-by: PHP/7.1.33-51+ubuntu22.04.1+deb.sury.org+1
access-control-allow-origin: http://www.attacker.com
location: https://attacker.com/evil.xls
expires: Wed, 08 May 2024 15:12:13 GMT
cache-control: max-age=900
X-Firefox-Spdy: h2

attacker.com/css/bootstrap-custom.min.css

45.88.202.115

200 OK

5.2 kB

URL GET HTTP/2
attacker.com/css/bootstrap-custom.min.css
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
ASCII text, with very long lines (25011), with no line terminators
Size
5.2 kB (5219 bytes)
Hash
a0dfdea43ec9daffdbcb4a983ae3b37c
0c12475628fc7739fbad4b06d6c05ef56f0c2644
c3b57a79ad7f506aab3ebe6521d7d3c9020f69dea6eb56f43f4afd0edb57cb54

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /css/bootstrap-custom.min.css HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: text/css
content-length: 5219
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "61b3-610cd313cacfe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/css/parking2.min.css?v=6

45.88.202.115

200 OK

3.6 kB

URL GET HTTP/2
attacker.com/css/parking2.min.css?v=6
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
ASCII text, with very long lines (20636), with no line terminators
Size
3.6 kB (3636 bytes)
Hash
953a5fc295df6ead7ad17cd8018a4cbe
0a93266984d59715aab18dad3c90c8d151dd5b73
e06c04a93ef8fe0e24751ca000492cfb41ff8ef335bf7a24e77b474a8248a4b0

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /css/parking2.min.css?v=6 HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: text/css
content-length: 3636
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "509c-610cd313cacfe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/js/lab.min.js

45.88.202.115

200 OK

1.7 kB

URL GET HTTP/2
attacker.com/js/lab.min.js
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
JavaScript source, ASCII text, with very long lines (4493), with no line terminators
Size
1.7 kB (1742 bytes)
Hash
5bae8f54eb5be64b131e498e2c233bbc
25aa4807d5d07f1dbd9705866fbe6540ad0fd1d5
565169484eb0f13570db78742dcf091e83129a2a0471ae485aa13a890f378258

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /js/lab.min.js HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: text/javascript
content-length: 1742
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "118d-610cd313d399e-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/js/global.js?v=1

45.88.202.115

200 OK

815 B

URL GET HTTP/2
attacker.com/js/global.js?v=1
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
JavaScript source, ASCII text
Size
815 B (815 bytes)
Hash
7b08992307bf75cff71e268fe1bec7b7
6518204f41cec36228d2c19c2d138cf1c4d972ee
24704d232f9937d71f8aec02c4308ed0b1e4fa237e144fc373fd520b6d935076

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /js/global.js?v=1 HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: text/javascript
content-length: 815
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "7bb-610cd313d1a5e-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/images/epik-domain-names-dark.svg?v=1

45.88.202.115

200 OK

1.7 kB

URL GET HTTP/2
attacker.com/images/epik-domain-names-dark.svg?v=1
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
SVG Scalable Vector Graphics image
Size
1.7 kB (1717 bytes)
Hash
54a79e9ebbd158a93f4c156f64dddf22
7fcd435dbd3d10a4c3fdfe8266767c8511909be0
ba545882b3d3f5283281e96f148b824a413378050d017aa6957f658856f32abe

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /images/epik-domain-names-dark.svg?v=1 HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: image/svg+xml
content-length: 1717
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "df4-610cd313cacfe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/images/parking2/payments/cc.svg

45.88.202.115

200 OK

3.6 kB

URL GET HTTP/2
attacker.com/images/parking2/payments/cc.svg
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
SVG Scalable Vector Graphics image
Size
3.6 kB (3605 bytes)
Hash
b95e6b0f9239493a0002f7b6402b291f
f056c91179ea2f78a3008d167b065a27dec34d31
5a7e3b9b95cbd9c6aab1ff1d97802322e0528aac98556430e80ca53b9720a4ff

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /images/parking2/payments/cc.svg HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: image/svg+xml
content-length: 3605
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "25ec-610cd313d0abe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/images/parking2/payments/paypal.svg

45.88.202.115

200 OK

3.0 kB

URL GET HTTP/2
attacker.com/images/parking2/payments/paypal.svg
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
SVG Scalable Vector Graphics image
Size
3.0 kB (2984 bytes)
Hash
e63bcdaec263e75aa9670af5124057de
e8c8736067b21039eedb9f76e457a0d97eda7e1a
8f11f3455df73bf6d18b6dd9d3e0d9812300e92ed985621e02a4c0c9121528ed

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /images/parking2/payments/paypal.svg HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: image/svg+xml
content-length: 2984
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "1a65-610cd313d0abe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/images/parking2/payments/in_store_credit.svg

45.88.202.115

200 OK

4.6 kB

URL GET HTTP/2
attacker.com/images/parking2/payments/in_store_credit.svg
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
SVG Scalable Vector Graphics image
Size
4.6 kB (4567 bytes)
Hash
5a6952d1ab89a0ee0a2bab97097f884b
c72f92fc267c2fe61d1ceb764e23f691e478741c
120204bbbae24282d9fbd493f82f5ce183314bf4a2aec1374c133f8c368bc9b9

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /images/parking2/payments/in_store_credit.svg HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: image/svg+xml
content-length: 4567
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "2f4c-610cd313d0abe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/images/parking2/payments/ach.svg

45.88.202.115

200 OK

4.1 kB

URL GET HTTP/2
attacker.com/images/parking2/payments/ach.svg
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
SVG Scalable Vector Graphics image
Size
4.1 kB (4088 bytes)
Hash
1aeeeca9efd19cf90482d9a4e4010ac9
e8086fe685ba0d5907aed7e9fb9d6a152f2401d7
efcb8731964b2d071021c8d243ed3b435c88464a717cb395024f6cb84c254773

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /images/parking2/payments/ach.svg HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: image/svg+xml
content-length: 4088
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "26c2-610cd313d0abe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

attacker.com/js/openpixel.min.js?t=1715212800000

45.88.202.115

200 OK

2.7 kB

URL GET HTTP/2
attacker.com/js/openpixel.min.js?t=1715212800000
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
JavaScript source, ASCII text, with very long lines (7001)
Size
2.7 kB (2706 bytes)
Hash
c3f7401540792da8651fd98ba29d6234
18031b36055b29f303e50b950c840c2a38d0d99a
9d3d199481d627ddbcc19f0117d96cd434708338822064b2bc63a3dddd54c8dc

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /js/openpixel.min.js?t=1715212800000 HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: text/javascript
content-length: 2706
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "1bb0-610cd313d399e-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

cust-api.trustratings.com/api/v1/widget/epik.com?background=white&orientation=horizontal

136.243.10.248

200 OK

1.9 kB

URL GET HTTP/1.1
cust-api.trustratings.com/api/v1/widget/epik.com?background=white&orientation=horizontal
IP
136.243.10.248:443
ASN
#24940 Hetzner Online GmbH

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectcust-api.trustratings.com
FingerprintE2:A6:72:F7:AE:AC:BE:66:F0:13:7E:B7:FF:B2:68:6B:2F:9F:17:8F
ValidityTue, 12 Mar 2024 22:34:59 GMT - Mon, 10 Jun 2024 22:34:58 GMT

File type
HTML document, ASCII text, with very long lines (4449), with CRLF line terminators
Size
1.9 kB (1879 bytes)
Hash
6d0457ca70c797a5e6f5174b562153ed
46a021d1c12b0259f70cb1e3047934770daaa3ef
fc65ffb427ab26e1b2c5019ca86bfaf221d2b0fb71c4b35a34126ec58b72dfe7

HTTP Headers

GET /api/v1/widget/epik.com?background=white&orientation=horizontal HTTP/1.1
Host: cust-api.trustratings.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Wed, 08 May 2024 15:05:35 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
ETag: W/"2c20-RqAh0cErAln3DLHjBHk0dw2qo+8"
Vary: Accept-Encoding
Content-Encoding: gzip

fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2

216.58.207.227

200 OK

48 kB

URL GET HTTP/2
fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2
IP
216.58.207.227:443
ASN
#15169 GOOGLE

Requested by
https://attacker.com/evil.xls
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
Web Open Font Format (Version 2), TrueType, length 48236, version 1.0
Size
48 kB (48236 bytes)
Hash
015c126a3520c9a8f6a27979d0266e96
2acf956561d44434a6d84204670cf849d3215d5f
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

HTTP Headers

GET /s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://attacker.com
DNT: 1
Connection: keep-alive
Referer: https://fonts.googleapis.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
access-control-allow-origin: *
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="apps-themes"
report-to: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
timing-allow-origin: *
content-length: 48236
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Thu, 02 May 2024 02:35:00 GMT
expires: Fri, 02 May 2025 02:35:00 GMT
cache-control: public, max-age=31536000
age: 563435
last-modified: Thu, 14 Dec 2023 02:08:40 GMT
content-type: font/woff2
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2

216.58.207.227

200 OK

48 kB

URL GET HTTP/2
fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2
IP
216.58.207.227:443
ASN
#15169 GOOGLE

Requested by
https://attacker.com/evil.xls
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
Web Open Font Format (Version 2), TrueType, length 48236, version 1.0
Size
48 kB (48236 bytes)
Hash
015c126a3520c9a8f6a27979d0266e96
2acf956561d44434a6d84204670cf849d3215d5f
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

HTTP Headers

GET /s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://attacker.com
DNT: 1
Connection: keep-alive
Referer: https://fonts.googleapis.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
access-control-allow-origin: *
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="apps-themes"
report-to: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
timing-allow-origin: *
content-length: 48236
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Thu, 02 May 2024 02:35:00 GMT
expires: Fri, 02 May 2025 02:35:00 GMT
cache-control: public, max-age=31536000
age: 563435
last-modified: Thu, 14 Dec 2023 02:08:40 GMT
content-type: font/woff2
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2

216.58.207.227

200 OK

16 kB

URL GET HTTP/2
fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2
IP
216.58.207.227:443
ASN
#15169 GOOGLE

Requested by
https://attacker.com/evil.xls
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
Web Open Font Format (Version 2), TrueType, length 15744, version 1.0
Size
16 kB (15744 bytes)
Hash
15d9f621c3bd1599f0169dcf0bd5e63e
7ca9c5967f3bb8bffeab24b639b49c1e7d03fa52
f6734f8177112c0839b961f96d813fcb189d81b60e96c33278c1983b6f419615

HTTP Headers

GET /s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://attacker.com
DNT: 1
Connection: keep-alive
Referer: https://fonts.googleapis.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
access-control-allow-origin: *
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="apps-themes"
report-to: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
timing-allow-origin: *
content-length: 15744
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Sat, 04 May 2024 09:28:37 GMT
expires: Sun, 04 May 2025 09:28:37 GMT
cache-control: public, max-age=31536000
last-modified: Wed, 11 May 2022 19:24:48 GMT
content-type: font/woff2
age: 365818
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmYUtfBBc4.woff2

216.58.207.227

200 OK

16 kB

URL GET HTTP/2
fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmYUtfBBc4.woff2
IP
216.58.207.227:443
ASN
#15169 GOOGLE

Requested by
https://attacker.com/evil.xls
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
Web Open Font Format (Version 2), TrueType, length 15752, version 1.0
Size
16 kB (15752 bytes)
Hash
b20371a6daf29d4a1f2e85dbbf40fb20
0355a01c1ccb45cb728e7e07c41c8ebf456f70bb
7e262106f82cc52663e403f5b73795bbeab9ca0630c33c03579354fbcd4fae1e

HTTP Headers

GET /s/roboto/v30/KFOlCnqEu92Fr1MmYUtfBBc4.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://attacker.com
DNT: 1
Connection: keep-alive
Referer: https://fonts.googleapis.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
access-control-allow-origin: *
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="apps-themes"
report-to: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
timing-allow-origin: *
content-length: 15752
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Thu, 02 May 2024 02:03:54 GMT
expires: Fri, 02 May 2025 02:03:54 GMT
cache-control: public, max-age=31536000
last-modified: Wed, 11 May 2022 19:24:56 GMT
content-type: font/woff2
age: 565301
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2

216.58.207.227

200 OK

16 kB

URL GET HTTP/2
fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2
IP
216.58.207.227:443
ASN
#15169 GOOGLE

Requested by
https://attacker.com/evil.xls
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
Web Open Font Format (Version 2), TrueType, length 15744, version 1.0
Size
16 kB (15744 bytes)
Hash
15d9f621c3bd1599f0169dcf0bd5e63e
7ca9c5967f3bb8bffeab24b639b49c1e7d03fa52
f6734f8177112c0839b961f96d813fcb189d81b60e96c33278c1983b6f419615

HTTP Headers

GET /s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://cust-api.trustratings.com
DNT: 1
Connection: keep-alive
Referer: https://fonts.googleapis.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
access-control-allow-origin: *
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="apps-themes"
report-to: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
timing-allow-origin: *
content-length: 15744
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Sat, 04 May 2024 09:28:37 GMT
expires: Sun, 04 May 2025 09:28:37 GMT
cache-control: public, max-age=31536000
last-modified: Wed, 11 May 2022 19:24:48 GMT
content-type: font/woff2
age: 365819
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

attacker.com/favicon.ico

45.88.202.115

200 OK

371 B

URL GET HTTP/2
attacker.com/favicon.ico
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Size
371 B (371 bytes)
Hash
b1108e0d70db20c8606e1a8016caeb81
e2fc2a3593c7e8378af9a0ac0e709f2f1c09fc56
c5e2b9c7c4a22ec143291554b29883670c6746294588e6a7ef1e7db0565bad8f

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Cookie: __opix_uid=1-cje1vmjz-lvxybpnr
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:15 GMT
content-type: image/vnd.microsoft.icon
content-length: 371
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: "47e-610cd313cacfe-gzip"
vary: Accept-Encoding
content-encoding: gzip
expires: Thu, 23 May 2024 14:57:15 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

pixel.epik.com/pixel.gif?id=parking&uid=1-cje1vmjz-lvxybpnr&ev=pageload&ed=Attacker.com&v=1&dl=https%3A%2F%2Fattacker.com%2Fevil.xls&rl=&ts=1715180735555&de=UTF-8&sr=1280x1024&vp=1280x1024&cd=24&dt=Attacker%20-%20The%20Domain%20Name%20Attacker.com%20is%20Now%20For%20Sale.&bn=Firefox%2096&md=false&ua=Mozilla%2F5.0%20(X11%3B%20Linux%20x86_64%3B%20rv%3A96.0)%20Gecko%2F20100101%20Firefox%2F96.0&tz=0&utm_source=&utm_medium=&utm_term=&utm_content=&utm_campaign=

102.223.180.96

200 OK

42 B

URL POST HTTP/1.1
pixel.epik.com/pixel.gif?id=parking&uid=1-cje1vmjz-lvxybpnr&ev=pageload&ed=Attacker.com&v=1&dl=https%3A%2F%2Fattacker.com%2Fevil.xls&rl=&ts=1715180735555&de=UTF-8&sr=1280x1024&vp=1280x1024&cd=24&dt=Attacker%20-%20The%20Domain%20Name%20Attacker.com%20is%20Now%20For%20Sale.&bn=Firefox%2096&md=false&ua=Mozilla%2F5.0%20(X11%3B%20Linux%20x86_64%3B%20rv%3A96.0)%20Gecko%2F20100101%20Firefox%2F96.0&tz=0&utm_source=&utm_medium=&utm_term=&utm_content=&utm_campaign=
IP
102.223.180.96:443
ASN
#56655 TerraHost AS

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectpixel.epik.com
FingerprintAC:FD:60:A1:FC:E1:70:0C:42:4C:C9:30:62:D3:4A:B9:D2:C0:ED:6F
ValiditySat, 04 May 2024 06:04:05 GMT - Fri, 02 Aug 2024 06:04:04 GMT

File type
GIF image data, version 89a, 1 x 1
Size
42 B (42 bytes)
Hash
d89746888da2d9510b64a9f031eaecd5
d5fceb6532643d0d84ffe09c40c481ecdf59e15a
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

HTTP Headers

POST /pixel.gif?id=parking&uid=1-cje1vmjz-lvxybpnr&ev=pageload&ed=Attacker.com&v=1&dl=https%3A%2F%2Fattacker.com%2Fevil.xls&rl=&ts=1715180735555&de=UTF-8&sr=1280x1024&vp=1280x1024&cd=24&dt=Attacker%20-%20The%20Domain%20Name%20Attacker.com%20is%20Now%20For%20Sale.&bn=Firefox%2096&md=false&ua=Mozilla%2F5.0%20(X11%3B%20Linux%20x86_64%3B%20rv%3A96.0)%20Gecko%2F20100101%20Firefox%2F96.0&tz=0&utm_source=&utm_medium=&utm_term=&utm_content=&utm_campaign= HTTP/1.1
Host: pixel.epik.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: https://attacker.com
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Content-Length: 0

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 May 2024 15:05:36 GMT
Content-Type: image/gif
Content-Length: 42
Last-Modified: Mon, 09 Jan 2023 14:22:48 GMT
Connection: keep-alive
ETag: "63bc2338-2a"
Expires: Wed, 08 May 2024 16:05:36 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

ekr.zdassets.com/compose/1546ebb5-45e1-49c4-94dc-4b5d44a6d66c

104.18.70.113

200 OK

289 kB

URL GET HTTP/2
ekr.zdassets.com/compose/1546ebb5-45e1-49c4-94dc-4b5d44a6d66c
IP
104.18.70.113:443
ASN
#13335 CLOUDFLARENET

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectzdassets.com
Fingerprint91:4E:55:88:20:64:B8:AA:0E:42:DA:60:4E:C8:0C:21:93:4F:B1:F7
ValidityWed, 01 May 2024 21:55:19 GMT - Tue, 30 Jul 2024 21:55:18 GMT

File type
JSON text data
Size
289 kB (288575 bytes)
Hash
589f61ada897ba3102cef9e997dd02f5
7d912851583948bf77ff3181f6e228de1feb06e5
4697702c5b0d7253e9f75e937cbe3153b515725997b6c21c0d0c1dc72da9917b

HTTP Headers

GET /compose/1546ebb5-45e1-49c4-94dc-4b5d44a6d66c HTTP/1.1
Host: ekr.zdassets.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://attacker.com/
Origin: https://attacker.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Wed, 08 May 2024 15:05:36 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS
access-control-expose-headers: 
access-control-max-age: 7200
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
cdn-cache-control: max-age=60
vary: Accept, Origin, Accept-Encoding
cache-control: max-age=300, public, stale-while-revalidate=300, stale-if-error=21600
etag: W/"4697702c5b0d7253e9f75e937cbe3153"
x-request-id: 8800d3ac5883216e-SEA, 8800d3ac5883216e-SEA
x-runtime: 0.003024
x-zendesk-zorg: yes
cf-cache-status: HIT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0Ed3MNx4breBTvVIbm8Y7yvQGLsVEdU3eAB2iQwv9eqoisi5PMdqzIDT2iMC0m%2FJ58e9RSF%2B7rWZdaMHi8n69e14x59R6S5i7PmqWvCufKEgg%2Fvp%2FwO1qRUlHk0hfZbs1%2FM%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=0
server: cloudflare
cf-ray: 880a594e89a4b4f1-OSL
content-encoding: br
X-Firefox-Spdy: h2

attacker.com/evil.xls

45.88.202.115

200 OK

15 kB

URL User Request GET HTTP/2
attacker.com/evil.xls
IP
45.88.202.115:443
ASN
#48357 K4X OU

Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
HTML document, ASCII text, with very long lines (706)
Size
15 kB (14909 bytes)
Hash
d5c31810761a9d8ab2b068df7f2336fd
77ec3b867447051ccb06641734d85eef42d281a0
95ccf2d920d04afc7714ad59654c60be87abac7e5de0494b5bf7045a33ada3b5

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /evil.xls HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33-51+ubuntu22.04.1+deb.sury.org+1
access-control-allow-origin: http://attacker.com
vary: Accept-Encoding, Accept-Encoding
expires: Wed, 08 May 2024 15:12:14 GMT
cache-control: max-age=900
content-encoding: br
X-Firefox-Spdy: h2

fonts.googleapis.com/css?family=Roboto&display=swap

142.250.74.106

200 OK

2.3 kB

URL GET HTTP/3
fonts.googleapis.com/css?family=Roboto&display=swap
IP
142.250.74.106:443
ASN
#15169 GOOGLE

Requested by
https://cust-api.trustratings.com/api/v1/widget/epik.com?background=white&orientation=horizontal
Certificate
IssuerGoogle Trust Services LLC
Subjectupload.video.google.com
Fingerprint36:49:20:36:0C:4D:DA:55:65:64:23:0F:49:3E:FA:78:87:35:A3:79
ValidityTue, 16 Apr 2024 04:17:12 GMT - Tue, 09 Jul 2024 04:17:11 GMT

File type
ASCII text, with very long lines (2379), with no line terminators
Size
2.3 kB (2316 bytes)
Hash
03278c047a3192f4a25c4644284d910b
61fc733be8553b3e6d9847d43b4bef84b5ae947d
d5e8a5e5b7bfea2764abadded25ab112a034543a2315c942bb9fd3cbe7ece8fb

HTTP Headers

GET /css?family=Roboto&display=swap HTTP/1.1
Host: fonts.googleapis.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://cust-api.trustratings.com/
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 200 OK
content-type: text/css; charset=utf-8
access-control-allow-origin: *
timing-allow-origin: *
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
strict-transport-security: max-age=31536000
expires: Wed, 08 May 2024 15:05:35 GMT
date: Wed, 08 May 2024 15:05:35 GMT
cache-control: private, max-age=86400
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

static.zdassets.com/web_widget/classic/latest/web-widget-main-2c036c6.js

104.18.70.113

200 OK

992 kB

URL GET HTTP/2
static.zdassets.com/web_widget/classic/latest/web-widget-main-2c036c6.js
IP
104.18.70.113:443
ASN
#13335 CLOUDFLARENET

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectzdassets.com
Fingerprint91:4E:55:88:20:64:B8:AA:0E:42:DA:60:4E:C8:0C:21:93:4F:B1:F7
ValidityWed, 01 May 2024 21:55:19 GMT - Tue, 30 Jul 2024 21:55:18 GMT

File type

Size
992 kB (992059 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /web_widget/classic/latest/web-widget-main-2c036c6.js HTTP/1.1
Host: static.zdassets.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Wed, 08 May 2024 15:05:36 GMT
content-type: application/javascript; charset=utf-8
x-amz-id-2: ltyqeM2OILREP03UZ1QzU1DCVB9elzF22NwNaDYtH681SDZX6eRD6oyku03pbwVWNrNNjLxa5qHE6IyHKptKjc7sGdXFVeZE
x-amz-request-id: ZKNRSEEFHRTFVBXJ
x-amz-replication-status: COMPLETED
last-modified: Wed, 17 Apr 2024 07:17:12 GMT
etag: W/"15ab335ec444bd9db9a9d1c26b109125"
x-amz-server-side-encryption: AES256
cache-control: public, max-age=31536000
expires: Thu, 17 Apr 2025 07:17:10 GMT
x-amz-version-id: VuI7uJuqG4z__PGNj8zuk0hTBRwy1FxP
cf-cache-status: HIT
age: 99895
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2FfIp2a9oIvs6Z46lB374%2FnCIJKg09ziZeS9qNwG4ulzbWkgdN5%2FfSTQT7i48ibOF%2FxTnmXodEG0ZaYH4Ih%2BlbDNQQXPEynph65h%2BkP%2FYsE87p8jEj%2BFnXQkHoCQhMLnomZB%2Bc0%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
strict-transport-security: max-age=0
access-control-allow-headers: *
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 0
server: cloudflare
cf-ray: 880a59533a4eb50b-OSL
content-encoding: br
X-Firefox-Spdy: h2

fonts.googleapis.com/css?display=swap&family=Roboto:400,900

142.250.74.106

200 OK

4.7 kB

URL GET HTTP/2
fonts.googleapis.com/css?display=swap&family=Roboto:400,900
IP
142.250.74.106:443
ASN
#15169 GOOGLE

Requested by
https://attacker.com/evil.xls
Certificate
IssuerGoogle Trust Services LLC
Subjectupload.video.google.com
Fingerprint36:49:20:36:0C:4D:DA:55:65:64:23:0F:49:3E:FA:78:87:35:A3:79
ValidityTue, 16 Apr 2024 04:17:12 GMT - Tue, 09 Jul 2024 04:17:11 GMT

File type
ASCII text, with very long lines (4786), with no line terminators
Size
4.7 kB (4660 bytes)
Hash
de9edebde7e4d325045588af23269981
a5e8fe7ae2371a75ade452d3bd1d8a93276f23a3
92ad356cef2291bc6b2fc43a7a33ef04e5b816645e9c337e2b4ba133b757af08

HTTP Headers

GET /css?display=swap&family=Roboto:400,900 HTTP/1.1
Host: fonts.googleapis.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/css; charset=utf-8
access-control-allow-origin: *
timing-allow-origin: *
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
strict-transport-security: max-age=31536000
expires: Wed, 08 May 2024 15:05:35 GMT
date: Wed, 08 May 2024 15:05:35 GMT
cache-control: private, max-age=86400
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

attacker.com/images/parking2/bg/a18.jpg

45.88.202.115

200 OK

70 kB

URL GET HTTP/2
attacker.com/images/parking2/bg/a18.jpg
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1440x850, components 3
Size
70 kB (69830 bytes)
Hash
b42d146949ba703bd24eccfb2fd77952
01c50ae233e5c5a54c4e64b0943f5bac2a0671df
d3c707d2faf0b09856b1868a625bb1f6535f9ababa1d041ada9e25ed2909d2a9

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /images/parking2/bg/a18.jpg HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/evil.xls
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: image/jpeg
vary: Accept-Encoding
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: W/"110c6-610cd313ceb7e"
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
content-encoding: gzip
X-Firefox-Spdy: h2

attacker.com/images/opt/css_sprites.png

45.88.202.115

200 OK

15 kB

URL GET HTTP/2
attacker.com/images/opt/css_sprites.png
IP
45.88.202.115:443
ASN
#48357 K4X OU

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectattacker.com
FingerprintF4:E1:14:13:7E:C5:69:5A:42:E3:16:40:10:29:94:45:A1:8D:7D:14
ValidityMon, 08 Apr 2024 03:19:01 GMT - Sun, 07 Jul 2024 03:19:00 GMT

File type
PNG image data, 180 x 150, 8-bit/color RGBA, non-interlaced
Size
15 kB (14784 bytes)
Hash
b0315122446d6025e63cd553c7fe065c
85d8fa7450c94cc70ca28ad07fc31a9b12280199
f9fbc88487b65700e274cd9554e3e270e18b5c0085d75403ca079d4010bbfc29

Detections

Analyzer	Verdict	Alert
PhishTank	phishing	Other
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /images/opt/css_sprites.png HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/css/parking2.min.css?v=6
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx
date: Wed, 08 May 2024 14:57:14 GMT
content-type: image/png
vary: Accept-Encoding
last-modified: Wed, 07 Feb 2024 16:29:00 GMT
etag: W/"39c0-610cd313cdbde"
expires: Thu, 23 May 2024 14:57:14 GMT
cache-control: max-age=1296000
x-upstream-cache: HIT
content-encoding: gzip
X-Firefox-Spdy: h2

static.zdassets.com/ekr/snippet.js?key=1546ebb5-45e1-49c4-94dc-4b5d44a6d66c

104.18.70.113

200 OK

10 kB

URL GET HTTP/2
static.zdassets.com/ekr/snippet.js?key=1546ebb5-45e1-49c4-94dc-4b5d44a6d66c
IP
104.18.70.113:443
ASN
#13335 CLOUDFLARENET

Requested by
https://attacker.com/evil.xls
Certificate
IssuerLet's Encrypt
Subjectzdassets.com
Fingerprint91:4E:55:88:20:64:B8:AA:0E:42:DA:60:4E:C8:0C:21:93:4F:B1:F7
ValidityWed, 01 May 2024 21:55:19 GMT - Tue, 30 Jul 2024 21:55:18 GMT

File type
JavaScript source, ASCII text, with very long lines (10187), with no line terminators
Size
10 kB (10187 bytes)
Hash
c0053b411b753138af468db1bd3b19f3
7c3a187aa58f2b9e5446edb761b3d4d2ba506fe7
ce337ec7dda4b3a741363a2673c7edce5c736f1660e2aa908131ecfd9dd1343f

HTTP Headers

GET /ekr/snippet.js?key=1546ebb5-45e1-49c4-94dc-4b5d44a6d66c HTTP/1.1
Host: static.zdassets.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Wed, 08 May 2024 15:05:35 GMT
content-type: application/javascript
x-amz-id-2: z1V/NuijnK7Md6R8xho26aVzAi5YWZpIy2l2KX04qLLf562XDGukX+pnpGWp4oLzz96OIYLMddM=
x-amz-request-id: 16EJPM9K30XP37FF
x-amz-replication-status: COMPLETED
last-modified: Mon, 15 Jan 2024 02:56:11 GMT
etag: W/"c0053b411b753138af468db1bd3b19f3"
x-amz-server-side-encryption: AES256
cache-control: public, max-age=3600, s-maxage=60
x-amz-version-id: sR7NItkX1i3nKckB5vEat7T2DUmPnRiJ
cf-cache-status: HIT
age: 36
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f8kodkIRFUPJVoZBj6xISB30toElJIur28tJXrT71lGvGhH3pcQxq7VxBEnoVx%2BF3F9M3MItRdg%2FORYvoE3aP16lad26aBiiItMbCQW2wLKPgV87s5kKg5NFhwj54mrPFNaY9xE%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
strict-transport-security: max-age=0
access-control-allow-headers: *
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 0
server: cloudflare
cf-ray: 880a594d8965b50b-OSL
content-encoding: br
X-Firefox-Spdy: h2

fonts.googleapis.com/css?display=swap&family=Open+Sans:400,600

142.250.74.106

200 OK

12 kB

URL GET HTTP/2
fonts.googleapis.com/css?display=swap&family=Open+Sans:400,600
IP
142.250.74.106:443
ASN
#15169 GOOGLE

Requested by
https://attacker.com/evil.xls
Certificate
IssuerGoogle Trust Services LLC
Subjectupload.video.google.com
Fingerprint36:49:20:36:0C:4D:DA:55:65:64:23:0F:49:3E:FA:78:87:35:A3:79
ValidityTue, 16 Apr 2024 04:17:12 GMT - Tue, 09 Jul 2024 04:17:11 GMT

File type
ASCII text, with very long lines (1572)
Size
12 kB (11634 bytes)
Hash
4f81b7ec203efaec023f045ad6b337ef
13681aeec8bf31df45d7ee3b78bf64b47bd06f7c
c0c4dc54f76b3ed86c0ffe83ff98f7d2b0cd8c3de92bca47159b3dd8d948b78a

HTTP Headers

GET /css?display=swap&family=Open+Sans:400,600 HTTP/1.1
Host: fonts.googleapis.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://attacker.com/
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/css; charset=utf-8
access-control-allow-origin: *
timing-allow-origin: *
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
strict-transport-security: max-age=31536000
expires: Wed, 08 May 2024 15:05:35 GMT
date: Wed, 08 May 2024 15:05:35 GMT
cache-control: private, max-age=86400
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

Report Overview

Submitted URL

IP

ASN

Submitted

Access

Website Title

Final URL

Tags

urlquery detections

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (14)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by