{"report_id":"4f020b02-fa45-480a-988e-9ad1cbcc75bf","version":6,"status":"done","tags":["suspicious"],"date":"2024-06-02T18:29:12Z","url":{"schema":"https","addr":"wdq22.eqd56err3f.workers.dev/","fqdn":"wdq22.eqd56err3f.workers.dev","domain":"eqd56err3f.workers.dev","tld":"workers.dev"},"ip":{"addr":"104.21.83.217","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"wdq22.eqd56err3f.workers.dev/","fqdn":"wdq22.eqd56err3f.workers.dev","domain":"eqd56err3f.workers.dev","tld":"workers.dev"},"title":"One Drive"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T14:35:32Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"wdq22.eqd56err3f.workers.dev","ip":{"addr":"172.67.182.49","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"domain_registered":"2019-02-08","domain_rank":0,"first_seen":"2023-11-17 20:17:50","last_seen":"2024-03-24 01:04:27","alert_count":5,"request_count":2,"received_data":324723,"sent_data":936,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-06-02T18:28:46Z","timestamp":1717352926,"ip_dst":{"addr":"172.67.182.49","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":47942,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare workers.dev Domain in TLS SNI","source":"{\"timestamp\":\"2024-06-02T18:28:46.705195+0000\",\"flow_id\":1348472525437473,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.15\",\"src_port\":47942,\"dest_ip\":\"172.67.182.49\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2051768,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare workers.dev Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"affected_product\":[\"Any\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2024_03_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"malware_family\":[\"Cloudflare_Workers\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"tag\":[\"Cloudflare_Workers\"],\"updated_at\":[\"2024_03_22\"]}},\"tls\":{\"sni\":\"wdq22.eqd56err3f.workers.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":789,\"bytes_toclient\":5610,\"start\":\"2024-06-02T18:28:46.670241+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-02T18:28:46Z","timestamp":1717352926,"ip_dst":{"addr":"172.67.182.49","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":47942,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare workers.dev Domain in TLS SNI","source":"{\"timestamp\":\"2024-06-02T18:28:46.705195+0000\",\"flow_id\":1409164708297249,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.15\",\"src_port\":47942,\"dest_ip\":\"172.67.182.49\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2051768,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare workers.dev Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"affected_product\":[\"Any\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2024_03_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"malware_family\":[\"Cloudflare_Workers\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"tag\":[\"Cloudflare_Workers\"],\"updated_at\":[\"2024_03_22\"]}},\"tls\":{\"sni\":\"wdq22.eqd56err3f.workers.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":789,\"bytes_toclient\":5610,\"start\":\"2024-06-02T18:28:46.670241+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":[{"sensor_name":"openphish","sensor_type":"url","title":"","description":"OpenPhish","scan_date":"2024-06-02","alert":"Microsoft OneDrive","trigger":"wdq22.eqd56err3f.workers.dev/","verdict":"phishing","severity":"medium","comment":"Microsoft OneDrive","link":"https://openphish.com","meta":null},{"sensor_name":"openphish","sensor_type":"url","title":"","description":"OpenPhish","scan_date":"2024-06-02","alert":"Microsoft OneDrive","trigger":"wdq22.eqd56err3f.workers.dev/","verdict":"phishing","severity":"medium","comment":"Microsoft OneDrive","link":"https://openphish.com/","meta":null}]},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":[{"sensor_name":"phishtank","sensor_type":"url","title":"","description":"PhishTank","scan_date":"2024-02-11","alert":"Adobe","trigger":"wdq22.eqd56err3f.workers.dev/","verdict":"phishing","severity":"medium","comment":"Adobe","link":"http://phishtank.com","meta":null},{"sensor_name":"phishtank","sensor_type":"url","title":"","description":"PhishTank","scan_date":"2024-02-11","alert":"Adobe","trigger":"wdq22.eqd56err3f.workers.dev/favicon.ico","verdict":"phishing","severity":"medium","comment":"Adobe","link":"http://phishtank.com","meta":null}]},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"wdq22.eqd56err3f.workers.dev/","fqdn":"wdq22.eqd56err3f.workers.dev","domain":"eqd56err3f.workers.dev","tld":"workers.dev"},"ip":{"addr":"172.67.182.49","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"5c7d93d89d30991a973e9c65153df57f","sha1":"e9cdc74c7a694810a0109c820690c885546bbe00","sha256":"695d29d60bd7df0a8202cad0f2fea91008ab2d7724ffc72ae5219d1e6e1d07c1","sha512":"5c7964a9e7a892af83e7013055bbccf75344a67f8987147e1a12d2523a68f934917dad45e5a87acff4f4a29cbe967abc323f1d6f1a736bb9b97e55b3c76b2a23","ssdeep":"1536:kgLxKxqgxetRKrESl5I/I8sXXqkaItIAgxnffjm:i","tlshash":"6c648b79b901f95d7933a8fff9a82fd10014dd8edccc9ac04099592d6be34bb26285c6","size":321994,"data":"","first_seen":"2023-12-29T03:48:18Z","last_seen":"2024-08-20T14:42:06.227469Z","times_seen":5,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":[{"md5":"524436f3a580b3bde203e481b1a40db2","sha1":"2d063b978bcf67de5633eafbc5feb1821a21a59c","sha256":"9b2478cfe9a279ab64257403d743d6e36d3a6b3d6ca07385ef1440022c98dc73","sha512":"b444c4ece0e052a6382d94fae652e87f17c73f1f5c1c607031ceb914c0c577e6da0396b0a1340f77d340621c15a86879a7859200fc5737512b02a5f908d8aba2","ssdeep":"3072:Jcr7SzczEo7EqjSDK/rOxlqqq2FCwgI+V5AIajI92AQ:JCGzGEol+DCO9CwgI+4TjI92AQ","tlshash":"a7a3af708e729c1647c5090625ed37c6ed6c3ba782cc82f911666ee3e1e3da6c9dcc42","size":107319,"data":"","first_seen":"2023-12-29T03:48:18Z","last_seen":"2024-08-20T14:42:06.22828Z","times_seen":5,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]},"http":[{"url":{"schema":"https","addr":"wdq22.eqd56err3f.workers.dev/","fqdn":"wdq22.eqd56err3f.workers.dev","domain":"eqd56err3f.workers.dev","tld":"workers.dev"},"ip":{"addr":"172.67.182.49","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-06-02T18:28:46.678Z","timestamp":1717352926678,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"eqd56err3f.workers.dev","organization":""},"issuer":{"commonName":"GTS CA 1P5","organization":"Google Trust Services LLC"},"validity":{"start":"Tue, 23 Apr 2024 17:31:36 GMT","end":"Mon, 22 Jul 2024 17:31:35 GMT"},"fingerprint":{"sha1":"4C:AB:BC:2D:5D:66:1D:21:2E:3E:74:AF:A6:CE:77:8D:44:83:E0:5D","sha256":"42:C7:55:E2:43:82:1D:3A:30:12:73:08:77:EC:9F:8E:0B:CC:2A:16:76:E6:90:CE:34:1B:9D:8F:5A:85:39:FD"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: wdq22.eqd56err3f.workers.dev\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Sun, 02 Jun 2024 18:28:46 GMT\r\ncontent-type: text/html; charset=utf-8\r\ncf-ray: 88d9814ffbf5712d-OSL\r\ncf-cache-status: HIT\r\nage: 23243\r\netag: W/\"index.86ca302586.html\"\r\nvary: Accept-Encoding\r\nfeature-policy: none\r\nreferrer-policy: unsafe-url\r\nx-content-type-options: nosniff\r\nx-frame-options: DENY\r\nx-xss-protection: 1; mode=block\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=TsUFHfn9aEEpfmzsJ5gkyBG7fM4OQTymLNimjYYd6qJ8sDP%2BByGCeV0cAU9ShgWd6CV3SDHHMSNEQuriCMX6oDr9t5w9h9KSD66YzcA1lBX6oYwAVClL9KChdC41kaDtt69Gd%2FlWL0k3UGZbVwT%2F\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nserver: cloudflare\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":322033,"size_decoded":322033,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text, with very long lines (65505)","md5":"79107896aa23c69d9c29ff9c2cfaac14","sha1":"d018a825576f9f8a9f5b1461c206470fbc794241","sha256":"1ca5b2b31631cd04fdb26e62f6808d3e3f1a2a2290904035a845bcaaa8f6e5f6","sha512":"d3eda31512b5a2b6563f2e4fb0084464ae10e45839bad37aa920358d36dc5ae0add08263001a90318e0700e4a486d5f3abe2587f0e2158d1c66861ff2e7657bf","ssdeep":"1536:tRgLxKxqgxetRKrESl5I/I8sXXqkaItIAgxnffjW:f","tlshash":"63648b79b901f95d7933a8fff9a82fd10014dd8edccc9ac04099592d6be34bb26285c6","first_seen":"2023-12-29T03:48:18Z","last_seen":"2024-08-20T14:42:06.225277Z","times_seen":5,"resource_available":false,"data":null}},"time_used":173,"timings":{"blocked":38,"dns":0,"connect":9,"send":0,"wait":89,"receive":0,"ssl":33},"alerts":{"ids":null,"analyzer":[{"sensor_name":"openphish","sensor_type":"url","title":"","description":"OpenPhish","scan_date":"2024-06-02","alert":"Microsoft OneDrive","trigger":"wdq22.eqd56err3f.workers.dev/","verdict":"phishing","severity":"medium","comment":"Microsoft OneDrive","link":"https://openphish.com","meta":null},{"sensor_name":"phishtank","sensor_type":"url","title":"","description":"PhishTank","scan_date":"2024-02-11","alert":"Adobe","trigger":"wdq22.eqd56err3f.workers.dev/","verdict":"phishing","severity":"medium","comment":"Adobe","link":"http://phishtank.com","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]}},{"url":{"schema":"https","addr":"wdq22.eqd56err3f.workers.dev/favicon.ico","fqdn":"wdq22.eqd56err3f.workers.dev","domain":"eqd56err3f.workers.dev","tld":"workers.dev"},"ip":{"addr":"172.67.182.49","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://wdq22.eqd56err3f.workers.dev/","date":"2024-06-02T18:28:47.145Z","timestamp":1717352927145,"http_version":"HTTP/3","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"eqd56err3f.workers.dev","organization":""},"issuer":{"commonName":"GTS CA 1P5","organization":"Google Trust Services LLC"},"validity":{"start":"Tue, 23 Apr 2024 17:31:36 GMT","end":"Mon, 22 Jul 2024 17:31:35 GMT"},"fingerprint":{"sha1":"4C:AB:BC:2D:5D:66:1D:21:2E:3E:74:AF:A6:CE:77:8D:44:83:E0:5D","sha256":"42:C7:55:E2:43:82:1D:3A:30:12:73:08:77:EC:9F:8E:0B:CC:2A:16:76:E6:90:CE:34:1B:9D:8F:5A:85:39:FD"}}},"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: wdq22.eqd56err3f.workers.dev\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://wdq22.eqd56err3f.workers.dev/\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 02 Jun 2024 18:28:47 GMT\r\ncontent-type: image/vnd.microsoft.icon\r\ncf-cache-status: MISS\r\netag: W/\"favicon.ff38969f14.ico\"\r\nfeature-policy: none\r\nreferrer-policy: unsafe-url\r\nx-content-type-options: nosniff\r\nx-frame-options: DENY\r\nx-xss-protection: 1; mode=block\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=H4ovTWjIyy9r%2FchR8zK0cQfphqg0ST2uEuwu7IG3FI6WxbJypyXQUqs1%2F3nyNOUPvUEIndtwbDCzMQBCdbBCmQmSF2gj6zogtjuXcNyhe6O1H%2BkvLgYumtmC7n8ZVI7t4xjF46JjwWgBDp35gVUh\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nvary: Accept-Encoding\r\nserver: cloudflare\r\ncf-ray: 88d98152aaf5b51b-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":1150,"size_decoded":1150,"mime_type":"image/vnd.microsoft.icon","magic":"MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel","md5":"f6f8f2c43fb6eb89dbd89cc7c1eb0c83","sha1":"b2ceb2c7c2a80a96bb06f242a4fb3228eb66aa2d","sha256":"9ac292655c99c87fe1f621ba8c4084cc12e9873bedbd1ee8302095f94ace42ff","sha512":"2730ec2dc48a70d984ae92a003e67e2addfacf290ce75d27bc78b88bfe602f8745e6cb6446eb6a2f5aec095f328d34b82ea81d113c89afd9f1e8510f3f173664","ssdeep":"","tlshash":"13218640fa9666d9d0a03ff682c70453785a8c33a8ccbf5da910b182a66333759e327c","first_seen":"2023-04-15T18:55:05Z","last_seen":"2026-03-29T08:12:39.271398Z","times_seen":884,"resource_available":false,"data":null}},"time_used":207,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":207,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"openphish","sensor_type":"url","title":"","description":"OpenPhish","scan_date":"2024-06-02","alert":"Microsoft OneDrive","trigger":"wdq22.eqd56err3f.workers.dev/","verdict":"phishing","severity":"medium","comment":"Microsoft OneDrive","link":"https://openphish.com/","meta":null},{"sensor_name":"phishtank","sensor_type":"url","title":"","description":"PhishTank","scan_date":"2024-02-11","alert":"Adobe","trigger":"wdq22.eqd56err3f.workers.dev/favicon.ico","verdict":"phishing","severity":"medium","comment":"Adobe","link":"http://phishtank.com","meta":null}],"urlquery":null}}]}