{"report_id":"95dde39e-6865-4e94-9e67-8ff2db26cd56","version":6,"status":"done","tags":[],"date":"2023-10-02T13:18:53Z","url":{"schema":"http","addr":"fra01.safelinks.protection.outlook.com/?url=https://evilsamples.com/fetch/4dc115b48e0a4d1c5767ccac250d7d8934b2e9be\u0026data=05|01|renaud.hurbain.ext@stet.eu|4364253eb7ef4eca714a08dbbf5e8ebe|2d0c1986ef7b4bbf84283c837471e7ad|0|0|638314185341686101|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000|||\u0026sdata=2KH1VAJlRLzCAlk0gRDdiseXNRJMynfAwgnLvtJCyOA=\u0026reserved=0","fqdn":"fra01.safelinks.protection.outlook.com","domain":"fra01.safelinks.protection.outlook.com","tld":"com"},"ip":{"addr":"104.47.24.28","port":0,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"France","country_code":"FR"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T20:59:03Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"fra01.safelinks.protection.outlook.com","ip":{"addr":"104.47.24.28","port":443,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"France","country_code":"FR"},"domain_registered":"1994-08-18","domain_rank":625329,"first_seen":"2019-04-26 08:32:18","last_seen":"2023-10-01 21:18:16","alert_count":0,"request_count":1,"received_data":808,"sent_data":852,"comment":"","tags":null,"fingerprints":null},{"fqdn":"evilsamples.com","ip":{"addr":"199.16.199.102","port":80,"asn":17330,"as":"FIREEYE-AS","country":"United States","country_code":"US"},"domain_registered":"2023-04-04","domain_rank":0,"first_seen":"2023-07-18 18:22:36","last_seen":"2023-09-25 20:39:57","alert_count":1,"request_count":1,"received_data":14160,"sent_data":434,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"f7b2a23ce190150cc014e82f0208b215","sha1":"04daef0b362249036c34f7f8e58bcd4ca191aa23","sha256":"1a974e2ca910cc32f41e8e198d97086da493962eb68caef87d1f0f6c2c4a8d77","sha512":"c6d1bbd25f7d904c16d767f36dc0ce39cc51d60794023f89e34953f999f2cdcea7a128cf56bf03a2f2107bd673bd6f54c227ce3c8e93211d52569bb7fd868dc2","magic":"Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1046\\012- , ASCII text, with CRLF line terminators","size":13631,"url":{"schema":"http","addr":"evilsamples.com/fetch/4dc115b48e0a4d1c5767ccac250d7d8934b2e9be","fqdn":"evilsamples.com","domain":"evilsamples.com","tld":"com"},"ip":{"addr":"199.16.199.102","port":80,"asn":17330,"as":"FIREEYE-AS","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-09-12","alert":"Scan result 1/59","trigger":"1a974e2ca910cc32f41e8e198d97086da493962eb68caef87d1f0f6c2c4a8d77","verdict":"suspicious","severity":"","comment":"suspicious - 1/59","link":"https://www.virustotal.com/gui/file/1a974e2ca910cc32f41e8e198d97086da493962eb68caef87d1f0f6c2c4a8d77","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"fra01.safelinks.protection.outlook.com/?url=https://evilsamples.com/fetch/4dc115b48e0a4d1c5767ccac250d7d8934b2e9be\u0026data=05|01|renaud.hurbain.ext@stet.eu|4364253eb7ef4eca714a08dbbf5e8ebe|2d0c1986ef7b4bbf84283c837471e7ad|0|0|638314185341686101|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000|||\u0026sdata=2KH1VAJlRLzCAlk0gRDdiseXNRJMynfAwgnLvtJCyOA=\u0026reserved=0","fqdn":"fra01.safelinks.protection.outlook.com","domain":"fra01.safelinks.protection.outlook.com","tld":"com"},"ip":{"addr":"104.47.24.28","port":443,"asn":8075,"as":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"France","country_code":"FR"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-10-02T13:18:34.986Z","timestamp":1696252714986,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","key_group_name":"P384","signature_name":"RSA-PKCS1-SHA256","protocol":"TLSv1.2","cert":{"subject":{"commonName":"*.safelinks.protection.outlook.com","organization":"Microsoft Corporation"},"issuer":{"commonName":"DigiCert Cloud Services CA-1","organization":"DigiCert Inc"},"validity":{"start":"Mon, 08 May 2023 00:00:00 GMT","end":"Tue, 07 May 2024 23:59:59 GMT"},"fingerprint":{"sha1":"AC:D5:5A:BD:B6:35:63:20:02:15:3D:7B:3F:ED:0E:3F:7F:A6:48:EB","sha256":"2E:19:25:F0:32:93:D7:DC:21:C9:A0:F0:5C:CE:6E:E6:D1:6F:FE:6B:3F:A7:05:62:AD:71:C4:95:0E:F8:B9:3F"}}},"request":{"raw":"GET /?url=https://evilsamples.com/fetch/4dc115b48e0a4d1c5767ccac250d7d8934b2e9be\u0026data=05|01|renaud.hurbain.ext@stet.eu|4364253eb7ef4eca714a08dbbf5e8ebe|2d0c1986ef7b4bbf84283c837471e7ad|0|0|638314185341686101|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000|||\u0026sdata=2KH1VAJlRLzCAlk0gRDdiseXNRJMynfAwgnLvtJCyOA=\u0026reserved=0 HTTP/1.1\r\nHost: fra01.safelinks.protection.outlook.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Found\r\nCache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\nLocation: https://evilsamples.com/fetch/4dc115b48e0a4d1c5767ccac250d7d8934b2e9be\r\nServer: Microsoft-IIS/10.0\r\nX-AspNetMvc-Version: 4.0\r\nX-SL-GetUrlReputation-Verdict: Good\r\nX-Robots-Tag: noindex, nofollow\r\nX-AspNet-Version: 4.0.30319\r\nX-ServerName: PR2FRA01WS078\r\nX-ServerVersion: 15.20.6863.022\r\nX-ServerLat: 326\r\nX-SafeLinks-Tracking-Id: 241d7c5a-56ac-477a-9db0-08dbc34a14ce\r\nX-Powered-By: ASP.NET\r\nX-Content-Type-Options: nosniff\r\nX-UA-Compatible: IE=Edge\r\nDate: Mon, 02 Oct 2023 13:18:34 GMT\r\nConnection: close\r\nContent-Length: 187\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":187,"size_decoded":0,"mime_type":"","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document, ASCII text, with CRLF line terminators","md5":"181860ba7db71cdee200ea10c01f12b1","sha1":"d83d5ff290fec0d25cd30cddcf19cd222df5fcec","sha256":"114375082999d1fb636867ad1745a67dd93fc092087699a02297153be9d1127d","sha512":"c3f11729ef049d48ea4d5bda081d0561d42214d7b8387694dc33bc55828c5fd2a28d8947c5384e355e351084bcefe49ee4a38ba1b5854d679eb589b5f4753679","ssdeep":"","tlshash":"50c022b2400cad0599a2b8fa88c47071e58912aa1a90e1620eeea88b9004235d802287","first_seen":"2023-10-02T15:18:55Z","last_seen":"2023-10-02T15:18:55Z","times_seen":1,"resource_available":false,"data":null}},"time_used":585,"timings":{"blocked":111,"dns":1,"connect":33,"send":0,"wait":360,"receive":1,"ssl":76},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"evilsamples.com/fetch/4dc115b48e0a4d1c5767ccac250d7d8934b2e9be","fqdn":"evilsamples.com","domain":"evilsamples.com","tld":"com"},"ip":{"addr":"199.16.199.102","port":80,"asn":17330,"as":"FIREEYE-AS","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-10-02T13:18:36.427Z","timestamp":1696252716427,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /fetch/4dc115b48e0a4d1c5767ccac250d7d8934b2e9be HTTP/1.1\r\nHost: evilsamples.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Mon, 02 Oct 2023 13:18:36 GMT\r\nContent-Type: text/rtf;charset=utf-8\r\nContent-Disposition: attachment; filename=\"f7b2a23ce190150cc014e82f0208b215.rtf\"\r\nLast-Modified: Wed, 13 Sep 2023 15:01:08 GMT\r\nContent-Length: 13631\r\nX-Content-Type-Options: nosniff\r\nSet-Cookie: rack.session=vhfVlMJ110rugXVaNkhSM4El39XJTQRGrZxoYBv6ho2iglwawzPIsI1sgvtWnDp913YZY8kdUISpfCpb1szy9aO55MRn%2B9O%2BaD5LOCZvg5E%3D; path=/; expires=Mon, 02 Oct 2023 17:18:36 -0000; HttpOnly\r\nVia: 1.1 illuminator.fireeye.com\r\nConnection: close\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":13631,"size_decoded":0,"mime_type":"text/rtf; charset=utf-8","magic":"Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1046\\012- , ASCII text, with CRLF line terminators","md5":"f7b2a23ce190150cc014e82f0208b215","sha1":"04daef0b362249036c34f7f8e58bcd4ca191aa23","sha256":"1a974e2ca910cc32f41e8e198d97086da493962eb68caef87d1f0f6c2c4a8d77","sha512":"c6d1bbd25f7d904c16d767f36dc0ce39cc51d60794023f89e34953f999f2cdcea7a128cf56bf03a2f2107bd673bd6f54c227ce3c8e93211d52569bb7fd868dc2","ssdeep":"384:Z11djUSa4tsckVckxFdzIZV1mHckRFdzciY/YdBdidMd319yl:Z11djza4tscWckxFdzRckRFdz1rMGt1M","tlshash":"8f52a6b9ccc91ceec96f4548389fb45343e1bbd3d5d9e4a1b3eed1848a60b64364281a","first_seen":"2023-10-02T15:18:55Z","last_seen":"2023-10-02T15:18:55Z","times_seen":1,"resource_available":false,"data":null}},"time_used":355,"timings":{"blocked":94,"dns":1,"connect":110,"send":0,"wait":149,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-09-12","alert":"Scan result 1/59","trigger":"1a974e2ca910cc32f41e8e198d97086da493962eb68caef87d1f0f6c2c4a8d77","verdict":"suspicious","severity":"","comment":"suspicious - 1/59","link":"https://www.virustotal.com/gui/file/1a974e2ca910cc32f41e8e198d97086da493962eb68caef87d1f0f6c2c4a8d77","meta":null}],"urlquery":null}}]}