{"report_id":"8be7977b-44b3-44ca-a5a1-62f17610e61d","version":6,"status":"done","tags":[],"date":"2024-08-01T08:00:13Z","url":{"schema":"http","addr":"192.3.179.145/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc","fqdn":"192.3.179.145","domain":"192.3.179.145","tld":""},"ip":{"addr":"192.3.179.145","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T07:26:28Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"192.3.179.145","ip":{"addr":"192.3.179.145","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2020-01-01 05:20:57","last_seen":"2020-01-01 05:20:57","alert_count":4,"request_count":1,"received_data":102568,"sent_data":512,"comment":"","tags":null,"fingerprints":null},{"fqdn":"r10.o.lencr.org","ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-06 21:45:11","last_seen":"2024-07-30 18:12:03","alert_count":0,"request_count":6,"received_data":5327,"sent_data":1962,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"98fccb07a0d2a7658b6c42edb5eb1462","sha1":"24960decb2b636b08461ab65e35561944d0f0b02","sha256":"5961a204bb43bb63f2b98836a34afd1e16a6f3cb160fd17b4718b377273255ff","sha512":"d6eee00bb43724075cb5ef1c178d5c53685e439cf38d31a8b9c63092ba46ba181ae1719e9b861fc2fadc50334751a49a8d56b9673c879e923b6552dd581ac1f5","magic":"Rich Text Format data, version 1","size":102247,"url":{"schema":"https","addr":"192.3.179.145/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc","fqdn":"192.3.179.145","domain":"192.3.179.145","tld":"145"},"ip":{"addr":"192.3.179.145","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-08-01","alert":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","trigger":"192.3.179.145/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"ditekSHen","date":"2022-10-20","description":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","hash1":"43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2","hash2":"a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1","reference":"https://github.com/ditekshen/detection","rule":"SUSP_INDICATOR_RTF_MalVer_Objects","score":"65"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-08-01","alert":"Scan result 34/64","trigger":"5961a204bb43bb63f2b98836a34afd1e16a6f3cb160fd17b4718b377273255ff","verdict":"malicious","severity":"","comment":"malicious - 34/64","link":"https://www.virustotal.com/gui/file/5961a204bb43bb63f2b98836a34afd1e16a6f3cb160fd17b4718b377273255ff","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-08-01T07:59:48Z","timestamp":1722499188,"ip_dst":{"addr":"192.3.179.145","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"ip_src":{"addr":"Client IP","port":55146,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Dotted Quad Host DOC Request","source":"{\"timestamp\":\"2024-08-01T07:59:48.639142+0000\",\"flow_id\":776705114668729,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":55146,\"dest_ip\":\"192.3.179.145\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.doc.download\",\"http.dottedquadhost.doc\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2027251,\"rev\":5,\"signature\":\"ET INFO Dotted Quad Host DOC Request\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2019_04_23\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_11_21\"]}},\"http\":{\"hostname\":\"192.3.179.145\",\"url\":\"/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/msword\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1137},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":2,\"bytes_toserver\":750,\"bytes_toclient\":1580,\"start\":\"2024-08-01T07:59:48.425657+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-08-01","alert":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","trigger":"192.3.179.145/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"ditekSHen","date":"2022-10-20","description":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","hash1":"43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2","hash2":"a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1","reference":"https://github.com/ditekshen/detection","rule":"SUSP_INDICATOR_RTF_MalVer_Objects","score":"65"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-08-01","alert":"Sinkholed","trigger":"192.3.179.145","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-08-01T07:59:47.498029224Z","timestamp":1722499187498,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"F76A44AC993C568FCDAC2165655A7886F3207E980286B7605A48DC897E4FD68B\"\r\nLast-Modified: Mon, 29 Jul 2024 18:28:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=10952\r\nExpires: Thu, 01 Aug 2024 11:02:19 GMT\r\nDate: Thu, 01 Aug 2024 07:59:47 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"eb8b5a3f62f8ead7f86e028723019196","sha1":"8941f16c283439f44a148ba7668a67a55aba16de","sha256":"f76a44ac993c568fcdac2165655a7886f3207e980286b7605a48dc897e4fd68b","sha512":"7baab1ad34d12a9412e3df7f1ed2f08d1d44312df71c7036a2e7a212634c4d64c5e8e2d80d5b41465e6b754b9b472e56efcaf9f84c64822b1acfc05a71850a9d","ssdeep":"","tlshash":"7df00e5a01ad3b80ba6a1a037da9d61e9d646db4bca042d3258a81d228807fca695279","first_seen":"2024-07-29T23:43:48Z","last_seen":"2024-08-19T15:20:44.126365Z","times_seen":32164,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-08-01T07:59:47.499722619Z","timestamp":1722499187499,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"61A47554EB6DB3AC87779825845D4D458EFEEB1C1833C7E9AF01E2FD6014E4CB\"\r\nLast-Modified: Mon, 29 Jul 2024 18:27:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=11225\r\nExpires: Thu, 01 Aug 2024 11:06:52 GMT\r\nDate: Thu, 01 Aug 2024 07:59:47 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"1d047e3b166ee35938a43c55f20ee111","sha1":"7880600b5415b4843047ef21d177aed6d4ad053f","sha256":"61a47554eb6db3ac87779825845d4d458efeeb1c1833c7e9af01e2fd6014e4cb","sha512":"182f98099121a5c5648d8b8e2bd3620615f4492268ea403335f839bedafb521930f4e07c36f4d369290342b9eb8d125bc9cd7cf13a18abd0213cd26b4efbf71c","ssdeep":"","tlshash":"34f054fe01543e006a32276695f7e21b3c317e7a34a098c3345103f57012bfc8599a3b","first_seen":"2024-07-30T06:29:58Z","last_seen":"2024-08-19T15:20:44.127078Z","times_seen":16333,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-08-01T07:59:47.812388671Z","timestamp":1722499187812,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"E9E51DA5ED2854A5EAD2219E70B950CCAC93EFD228BDD965F3A116EE600F390B\"\r\nLast-Modified: Mon, 29 Jul 2024 18:26:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=6176\r\nExpires: Thu, 01 Aug 2024 09:42:43 GMT\r\nDate: Thu, 01 Aug 2024 07:59:47 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"12b3b90abdd8ddc5edfc58288f11925f","sha1":"8093a9a5520def1c87fd60aab5c3636f305224d2","sha256":"e9e51da5ed2854a5ead2219e70b950ccac93efd228bdd965f3a116ee600f390b","sha512":"ef64588e30a845df457929a80bdb26f3f5c404cfe9bfcd21dfe3d7369026827acc6bd7fa73abc2f9befba03b5d542ed72fde6cd66560861d6e99fd31c3bcc584","ssdeep":"","tlshash":"ebf0054605eb7a225777140627eeca5f1d15bcdc784482fd24c006d13d117e25bc204e","first_seen":"2024-07-30T01:27:04Z","last_seen":"2024-08-19T15:19:20.609236Z","times_seen":18717,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-08-01T07:59:47.99855991Z","timestamp":1722499187998,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"E9D373F8BCB454C3FC0B4E4D3768E5104C7F4CAD03145468F9D2C0FF89C08143\"\r\nLast-Modified: Thu, 01 Aug 2024 06:27:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=16543\r\nExpires: Thu, 01 Aug 2024 12:35:30 GMT\r\nDate: Thu, 01 Aug 2024 07:59:47 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"06f86a556a3bc0d04f36267a3081f07f","sha1":"3ca01a6761c66a9434a2ee060e2cb4b685b0b9f8","sha256":"e9d373f8bcb454c3fc0b4e4d3768e5104c7f4cad03145468f9d2c0ff89c08143","sha512":"5d2afaf30f4b626d830d5404cc82ccea273969bba9a832005a64f12aa15e56eb5b5c85876d82dde52c590ca6f5c0e57e3ff801aab3ed9887a1d0b147413a9b5c","ssdeep":"","tlshash":"75f00e8a20ed7b8555a0ac001e78e21afd396abc3c2025e21e9c05f57421bf26dc404c","first_seen":"2024-08-01T08:37:09Z","last_seen":"2024-08-19T15:04:18.900784Z","times_seen":23373,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"192.3.179.145/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc","fqdn":"192.3.179.145","domain":"192.3.179.145","tld":"145"},"ip":{"addr":"192.3.179.145","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-08-01T07:59:47.976Z","timestamp":1722499187976,"http_version":"","security_state":"broken","security_info":null,"request":{"raw":"GET /45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc HTTP/1.1\r\nHost: 192.3.179.145\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Thu, 01 Aug 2024 07:59:47 GMT\r\nServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30\r\nLast-Modified: Tue, 30 Jul 2024 13:22:40 GMT\r\nETag: \"18f67-61e76df3cb199\"\r\nAccept-Ranges: bytes\r\nContent-Length: 102247\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/msword\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":102247,"size_decoded":102247,"mime_type":"","magic":"Rich Text Format data, version 1","md5":"98fccb07a0d2a7658b6c42edb5eb1462","sha1":"24960decb2b636b08461ab65e35561944d0f0b02","sha256":"5961a204bb43bb63f2b98836a34afd1e16a6f3cb160fd17b4718b377273255ff","sha512":"d6eee00bb43724075cb5ef1c178d5c53685e439cf38d31a8b9c63092ba46ba181ae1719e9b861fc2fadc50334751a49a8d56b9673c879e923b6552dd581ac1f5","ssdeep":"384:AOmdYo0tzP7QYAOQug5OkhgCSUSAYWxwUhM+3C6cq4BY+1PT4RlINDjT:ucGO4FOCZRRqN6+Y+1PT4RlGHT","tlshash":"96a3f16d878f48a8cf09a277136a8e0442fcb33eb30555b634ac537037ad93e49a55bc","first_seen":"2024-08-19T15:03:42.039884Z","last_seen":"2024-08-19T15:03:56.24521Z","times_seen":2,"resource_available":false,"data":null}},"time_used":228,"timings":{"blocked":228,"dns":0,"connect":97,"send":0,"wait":0,"receive":0,"ssl":108},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-08-01T07:59:48Z","timestamp":1722499188,"ip_dst":{"addr":"192.3.179.145","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"ip_src":{"addr":"172.18.0.8","port":55146,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Dotted Quad Host DOC Request","source":"{\"timestamp\":\"2024-08-01T07:59:48.639142+0000\",\"flow_id\":776705114668729,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":55146,\"dest_ip\":\"192.3.179.145\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.doc.download\",\"http.dottedquadhost.doc\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2027251,\"rev\":5,\"signature\":\"ET INFO Dotted Quad Host DOC Request\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2019_04_23\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_11_21\"]}},\"http\":{\"hostname\":\"192.3.179.145\",\"url\":\"/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/msword\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1137},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":2,\"bytes_toserver\":750,\"bytes_toclient\":1580,\"start\":\"2024-08-01T07:59:48.425657+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-08-01","alert":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","trigger":"192.3.179.145/45/kon/wethinkingentirethingstobegreatwithentirethingstobeamazingwithmeiamalwaysonlinethings__________weneedthingsgreatthing.doc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"ditekSHen","date":"2022-10-20","description":"Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.","hash1":"43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2","hash2":"a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1","reference":"https://github.com/ditekshen/detection","rule":"SUSP_INDICATOR_RTF_MalVer_Objects","score":"65"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-08-01","alert":"Sinkholed","trigger":"192.3.179.145","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-08-01","alert":"Scan result 34/64","trigger":"5961a204bb43bb63f2b98836a34afd1e16a6f3cb160fd17b4718b377273255ff","verdict":"malicious","severity":"","comment":"malicious - 34/64","link":"https://www.virustotal.com/gui/file/5961a204bb43bb63f2b98836a34afd1e16a6f3cb160fd17b4718b377273255ff","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-08-01T07:59:49.958016336Z","timestamp":1722499189958,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"00250D516D26EAD1F376D80FEF0C83C59DF998D20C72ED5B96262E40AE3B96A8\"\r\nLast-Modified: Mon, 29 Jul 2024 18:27:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=13736\r\nExpires: Thu, 01 Aug 2024 11:48:45 GMT\r\nDate: Thu, 01 Aug 2024 07:59:49 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"4e65f865b00bcb08c52dfe77a48c1c03","sha1":"26cbc733e53341bd2aab8c860546de10e9839e84","sha256":"00250d516d26ead1f376d80fef0c83c59df998d20c72ed5b96262e40ae3b96a8","sha512":"e69fa26c892a70facce23a7d50a1faaa50bf422a1aa5985ba5b28aae044e631ceb0044cd9f1985163f44dd727cbba30ebb5185c61fbd3d49f37a5989f451289a","ssdeep":"","tlshash":"49f0050e15973fc177fb34072984e21f7d4636f63c4505f1a45485c76451fe50680046","first_seen":"2024-07-30T01:46:56Z","last_seen":"2024-08-19T15:19:13.917399Z","times_seen":19063,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-08-01T07:59:49.958893129Z","timestamp":1722499189958,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"00250D516D26EAD1F376D80FEF0C83C59DF998D20C72ED5B96262E40AE3B96A8\"\r\nLast-Modified: Mon, 29 Jul 2024 18:27:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=13736\r\nExpires: Thu, 01 Aug 2024 11:48:45 GMT\r\nDate: Thu, 01 Aug 2024 07:59:49 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"4e65f865b00bcb08c52dfe77a48c1c03","sha1":"26cbc733e53341bd2aab8c860546de10e9839e84","sha256":"00250d516d26ead1f376d80fef0c83c59df998d20c72ed5b96262e40ae3b96a8","sha512":"e69fa26c892a70facce23a7d50a1faaa50bf422a1aa5985ba5b28aae044e631ceb0044cd9f1985163f44dd727cbba30ebb5185c61fbd3d49f37a5989f451289a","ssdeep":"","tlshash":"49f0050e15973fc177fb34072984e21f7d4636f63c4505f1a45485c76451fe50680046","first_seen":"2024-07-30T01:46:56Z","last_seen":"2024-08-19T15:19:13.917399Z","times_seen":19063,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}