{"report_id":"467d67c9-ff7e-486c-81f8-031c878ab545","version":6,"status":"done","tags":[],"date":"2025-11-19T07:33:09Z","url":{"schema":"http","addr":"kannn.me/tRSgCs","fqdn":"kannn.me","domain":"kannn.me","tld":"me"},"ip":{"addr":"104.21.45.204","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing","dom":{"size":3632,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text","md5":"d0e020ce155c9011fe0662bdbe534095","sha1":"a4915872657d8da19183c96334842910f6eb4988","sha256":"08bab4c2fb6a530bb574c46455acac529659c66537481025c6707674d0f9a2d6","sha512":"9316c83e813de00108b1937f10d8f28131001d5b79cb345ec4745eb38278c13a7a085215c91d3d8c509c50ea3c321a6a24fb172db1a22c03399be22b82133106","ssdeep":"","tlshash":"fe7135a514f1552718a383a5e9817f1bdf826a07cf8d6a407b9e00f22f97d59887f20d","dom_hash":"domhash03f850468cad29251ed949292c202f85","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"http","addr":"kannn.me/tRSgCs","fqdn":"kannn.me","domain":"kannn.me","tld":"me"},"ip":{"addr":"104.21.45.204","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"tags":null,"meta":null,"user":{"country_code":"zz"}},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-12-24T07:33:09Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":1,"urlquery":0,"analyzer":2}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-11-19T07:32:47Z","timestamp":1763537567,"ip_dst":{"addr":"192.3.211.118","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.3","port":55546,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Dotted Quad Host DOC Request","source":"{\"timestamp\":\"2025-11-19T07:32:47.852993+0000\",\"flow_id\":220812634208514,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":55546,\"dest_ip\":\"192.3.211.118\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.doc.download\",\"http.dottedquadhost.doc\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2027251,\"rev\":5,\"signature\":\"ET INFO Dotted Quad Host DOC Request\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2019_04_23\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_11_21\"]}},\"http\":{\"hostname\":\"192.3.211.118\",\"url\":\"/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/msword\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":763,\"bytes_toclient\":7644,\"start\":\"2025-11-19T07:32:47.637186+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-11-19","alert":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","trigger":"192.3.211.118/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"ditekSHen","date":"2022-10-20","description":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","hash1":"43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2","hash2":"a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1","reference":"https://github.com/ditekshen/detection","rule":"SUSP_INDICATOR_RTF_MalVer_Objects","score":"65"}},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2025-11-19","alert":"Sinkholed","trigger":"kannn.me","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null},"summary":[{"fqdn":"kannn.me","ip":{"addr":"104.21.45.204","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2025-02-14","domain_rank":0,"first_seen":"2025-11-19T07:33:09.570553Z","last_seen":"2025-11-19T07:33:09.570553Z","alert_count":1,"request_count":1,"received_data":51668,"sent_data":483,"comment":"","tags":null,"fingerprints":[{"name":"Phusion Passenger","description":"Phusion Passenger is a free web server and application server with support for Ruby, Python and Node.js.","website":"https://phusionpassenger.com","common_platform_enumeration":"cpe:2.3:a:phusionpassenger:phusion_passenger:*:*:*:*:*:*:*:*","icon":"Phusion Passenger.png","categories":["Web servers"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}]},{"fqdn":"192.3.211.118","ip":{"addr":"192.3.211.118","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":3,"request_count":1,"received_data":50898,"sent_data":491,"comment":"","tags":null,"fingerprints":[{"name":"OpenSSL:1.1.1t","description":"OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end.","website":"https://openssl.org","common_platform_enumeration":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","icon":"OpenSSL.png","categories":["Web server extensions"]},{"name":"Windows Server","description":"Windows Server is a brand name for a group of server operating systems.","website":"https://microsoft.com/windowsserver","common_platform_enumeration":"","icon":"WindowsServer.png","categories":["Operating systems"]},{"name":"PHP:8.0.28","description":"PHP is a general-purpose scripting language used for web development.","website":"https://php.net","common_platform_enumeration":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","icon":"PHP.svg","categories":["Programming languages"]},{"name":"Apache HTTP Server:2.4.56","description":"Apache is a free and open-source cross-platform web server software.","website":"https://httpd.apache.org/","common_platform_enumeration":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","icon":"Apache.svg","categories":["Web servers"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"1b457da3296da8c00ffd4f0e8227b11b","sha1":"9d7ab5c0fdd5780abe737fe79c44f6c05bbe7c29","sha256":"49df4b8df5a2467f8b679fe5949b291a87a8e01f71b80cb4997bfc8cd5b4bdd0","sha512":"a02f2f43a764178403c437d533d98920d21093af69d40aeff5a854d4d2617e4b3ba9b4039790f883a7c3fd4d8d44390c9960899ed4a3e1f939ebc16d64f7b810","magic":"Rich Text Format data, version 1","size":50576,"url":{"schema":"http","addr":"192.3.211.118/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC","fqdn":"192.3.211.118","domain":"192.3.211.118","tld":""},"ip":{"addr":"192.3.211.118","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-11-19","alert":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","trigger":"192.3.211.118/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"ditekSHen","date":"2022-10-20","description":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","hash1":"43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2","hash2":"a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1","reference":"https://github.com/ditekshen/detection","rule":"SUSP_INDICATOR_RTF_MalVer_Objects","score":"65"}},{"sensor_name":"virustotal","sensor_type":"file","title":"VirusTotal","description":"VirusTotal","scan_date":"2025-11-19","alert":"Scan result 31/55","trigger":"49df4b8df5a2467f8b679fe5949b291a87a8e01f71b80cb4997bfc8cd5b4bdd0","verdict":"malicious","severity":"","comment":"malicious - 31/55","link":"https://www.virustotal.com/gui/file/49df4b8df5a2467f8b679fe5949b291a87a8e01f71b80cb4997bfc8cd5b4bdd0","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-11-19T07:32:47Z","timestamp":1763537567,"ip_dst":{"addr":"192.3.211.118","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.3","port":55546,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Dotted Quad Host DOC Request","source":"{\"timestamp\":\"2025-11-19T07:32:47.852993+0000\",\"flow_id\":220812634208514,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":55546,\"dest_ip\":\"192.3.211.118\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.doc.download\",\"http.dottedquadhost.doc\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2027251,\"rev\":5,\"signature\":\"ET INFO Dotted Quad Host DOC Request\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2019_04_23\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_11_21\"]}},\"http\":{\"hostname\":\"192.3.211.118\",\"url\":\"/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/msword\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":763,\"bytes_toclient\":7644,\"start\":\"2025-11-19T07:32:47.637186+0000\"}}"}]}],"analyzer":null,"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"kannn.me/tRSgCs","fqdn":"kannn.me","domain":"kannn.me","tld":"me"},"ip":{"addr":"104.21.45.204","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-11-19T07:32:47.218Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"kannn.me","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Tue, 21 Oct 2025 09:35:49 GMT","end":"Mon, 19 Jan 2026 10:33:30 GMT"},"fingerprint":{"sha1":"9D:44:CD:2D:A8:BF:2F:F5:B5:BA:81:13:63:7B:D8:CC:C7:68:04:F2","sha256":"7A:52:38:4F:88:9A:C5:FC:B8:5B:B8:38:89:C1:F8:28:6E:62:62:66:32:94:B1:0E:71:48:A3:8E:90:17:A8:B2"}}},"request":{"raw":"GET /tRSgCs HTTP/1.1\r\nHost: kannn.me\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\ndate: Wed, 19 Nov 2025 07:32:47 GMT\r\ncontent-type: text/html; charset=utf-8\r\nlocation: http://192.3.211.118/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC\r\nserver: cloudflare\r\nx-dns-prefetch-control: off\r\norigin-agent-cluster: ?1\r\nstrict-transport-security: max-age=15552000; includeSubDomains\r\nreferrer-policy: no-referrer\r\nvary: Accept\r\nx-permitted-cross-domain-policies: none\r\ncross-origin-opener-policy: same-origin\r\nx-xss-protection: 0\r\ncross-origin-resource-policy: same-origin\r\nx-download-options: noopen\r\nx-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\nx-powered-by: Phusion Passenger(R)\r\nstatus: 302 Found\r\ncf-cache-status: DYNAMIC\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=%2FCyhO3pe4EVC%2BCHIrs6OZ0c5d04Jc%2F%2FnXJn1Ir61RYItlqpaA8wNGcjfn1udoV9CRzvwxb%2B7z0Z3Xaeri7zYht1nr2rZ4yhu\"}]}\r\ncf-ray: 9a0e040348ca32fa-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":[{"name":"Phusion Passenger","description":"Phusion Passenger is a free web server and application server with support for Ruby, Python and Node.js.","website":"https://phusionpassenger.com","common_platform_enumeration":"cpe:2.3:a:phusionpassenger:phusion_passenger:*:*:*:*:*:*:*:*","icon":"Phusion Passenger.png","categories":["Web servers"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":50576,"size_decoded":0,"mime_type":"application/msword","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-09T15:38:22.40258Z","times_seen":14902800,"resource_available":true,"data":null}},"time_used":437,"timings":{"blocked":26,"dns":3,"connect":1,"send":0,"wait":385,"receive":0,"ssl":19},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2025-11-19","alert":"Sinkholed","trigger":"kannn.me","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"192.3.211.118/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC","fqdn":"192.3.211.118","domain":"192.3.211.118","tld":""},"ip":{"addr":"192.3.211.118","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-11-19T07:32:47.639Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC HTTP/1.1\r\nHost: 192.3.211.118\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Wed, 19 Nov 2025 07:32:47 GMT\r\nServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28\r\nLast-Modified: Tue, 18 Nov 2025 00:47:19 GMT\r\nETag: \"c590-643d3ce55e448\"\r\nAccept-Ranges: bytes\r\nContent-Length: 50576\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/msword\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"OpenSSL:1.1.1t","description":"OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end.","website":"https://openssl.org","common_platform_enumeration":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","icon":"OpenSSL.png","categories":["Web server extensions"]},{"name":"Windows Server","description":"Windows Server is a brand name for a group of server operating systems.","website":"https://microsoft.com/windowsserver","common_platform_enumeration":"","icon":"WindowsServer.png","categories":["Operating systems"]},{"name":"PHP:8.0.28","description":"PHP is a general-purpose scripting language used for web development.","website":"https://php.net","common_platform_enumeration":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","icon":"PHP.svg","categories":["Programming languages"]},{"name":"Apache HTTP Server:2.4.56","description":"Apache is a free and open-source cross-platform web server software.","website":"https://httpd.apache.org/","common_platform_enumeration":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","icon":"Apache.svg","categories":["Web servers"]}],"data":{"size":50576,"size_decoded":0,"mime_type":"application/msword","magic":"Rich Text Format data, version 1","md5":"1b457da3296da8c00ffd4f0e8227b11b","sha1":"9d7ab5c0fdd5780abe737fe79c44f6c05bbe7c29","sha256":"49df4b8df5a2467f8b679fe5949b291a87a8e01f71b80cb4997bfc8cd5b4bdd0","sha512":"a02f2f43a764178403c437d533d98920d21093af69d40aeff5a854d4d2617e4b3ba9b4039790f883a7c3fd4d8d44390c9960899ed4a3e1f939ebc16d64f7b810","ssdeep":"384:UwEjFrF4JgpokL6nQDO8LlhSvWQtEAfD6IxdGgAmme0RbtaUJG9:uz1okm4DLrqWQtEAb6YGPmV0Rro","tlshash":"5a33e059d78f44a5cf95a33723264a090afdb33eb20116b6382c87713bed83d59a45bc","first_seen":"2025-11-19T07:33:13.835744Z","last_seen":"2025-11-19T07:33:13.835744Z","times_seen":1,"resource_available":false,"data":null}},"time_used":539,"timings":{"blocked":106,"dns":0,"connect":107,"send":0,"wait":109,"receive":217,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-11-19T07:32:47Z","timestamp":1763537567,"ip_dst":{"addr":"192.3.211.118","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.3","port":55546,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Dotted Quad Host DOC Request","source":"{\"timestamp\":\"2025-11-19T07:32:47.852993+0000\",\"flow_id\":220812634208514,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":55546,\"dest_ip\":\"192.3.211.118\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.doc.download\",\"http.dottedquadhost.doc\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2027251,\"rev\":5,\"signature\":\"ET INFO Dotted Quad Host DOC Request\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2019_04_23\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_11_21\"]}},\"http\":{\"hostname\":\"192.3.211.118\",\"url\":\"/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/msword\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":763,\"bytes_toclient\":7644,\"start\":\"2025-11-19T07:32:47.637186+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-11-19","alert":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","trigger":"192.3.211.118/214/sdss090ds9f/sdf989923998gfd8g98xcv9x8c9v9s9f89dsf9a08098fa90d8f908sdf898sdf898d9f89df.doC","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"ditekSHen","date":"2022-10-20","description":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","hash1":"43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2","hash2":"a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1","reference":"https://github.com/ditekshen/detection","rule":"SUSP_INDICATOR_RTF_MalVer_Objects","score":"65"}},{"sensor_name":"virustotal","sensor_type":"file","title":"VirusTotal","description":"VirusTotal","scan_date":"2025-11-19","alert":"Scan result 31/55","trigger":"49df4b8df5a2467f8b679fe5949b291a87a8e01f71b80cb4997bfc8cd5b4bdd0","verdict":"malicious","severity":"","comment":"malicious - 31/55","link":"https://www.virustotal.com/gui/file/49df4b8df5a2467f8b679fe5949b291a87a8e01f71b80cb4997bfc8cd5b4bdd0","meta":null}],"urlquery":null}}]}