Report Overview
Visited (public): 2026-05-21 20:21:35
URL: us04web-zoom-workspace9786677402028402.online
Finishing URL: us04web-zoom-workspace9786677402028402.online/
IP / ASN: 185.199.108.153
Title: Launch Meeting - Zoom
Suspicious - Suspicious Javascript code
Detections:
- urlquery: 2
- Network Intrusion Detection: 3
- Threat Detection Systems: 2
Host Summary
| Host | Rank | Registered | First Seen | Last Seen | Sent | Received | IP | Fingerprints |
|---|---|---|---|---|---|---|---|---|
| api.ipify.org | 8166 | 2014-01-05 | 2014-10-06 | 2026-05-18 | 503 B | 269 B | 104.26.12.205 | |
| static.cloudflareinsights.com | 4073 | 2019-08-30 | 2019-09-24 | 2026-05-17 | 568 B | 34 kB | 104.16.79.73 | |
| us04web-zoom-workspace9786677402028402.online (3 alerts on this host) | unknown | 2026-05-20 | 2026-05-21 | 2026-05-21 | 2.2 kB | 5.6 MB | 185.199.109.153 | |
| api.telegram.org | 206724 | 2003-12-15 | 2015-06-25 | 2026-05-17 | 1.3 kB | 745 B | 149.154.166.110 | |
- Cloudflare (CDN): Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.
- GitHub Pages (PaaS): GitHub Pages is a static site hosting service.
- Fastly (CDN): Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video & streaming services.
- Varnish (Caching): Varnish is a reverse caching proxy.
- Cloudflare Browser Insights (Analytics, RUM): Cloudflare Browser Insights is a tool that measures the performance of websites from the perspective of users.
- Nginx:1.30.1 (Web servers, Reverse proxies): Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
Network Intrusion Detection Systems
Suricata /w Emerging Threats Pro
| Timestamp | Severity | Source IP | Destination IP | Alert |
|---|---|---|---|---|
| | low | Client IP | 104.26.12.205 | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
| | low | Client IP | 149.154.166.110 | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
| | low | Client IP | 149.154.166.110 | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
Threat Detection Systems
| Detection System | Indicator | Verdict | Alert |
|---|---|---|---|
| YARAhub by abuse.ch | us04web-zoom-workspace9786677402028402.online/ | malware | Detects file containing Telegram Bot API |
| Nextron YARA rules | us04web-zoom-workspace9786677402028402.online/zoomupdate/ZoomInstaller-ClientsSetup.msi | malware | Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable |
File detected
URL: us04web-zoom-workspace9786677402028402.online/zoomupdate/ZoomInstaller-ClientsSetup.msi
IP / ASN: 185.199.109.153
File Overview
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: ZoomClient Installer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 12.0.5.9, Subject: ZoomClient Installer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Zoom US, Keywords: Installer, Template: Intel;1033, Revision Number: {D95590A6-B25D-4696-8089-4B53D599D1C9}, Create Time/Date: Sat Jul 19 13:02:12 2025, Last Saved Time/Date: Sat Jul 19 13:02:12 2025, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (25.0.54.0), Security: 2
Size: 5.6 MB (5595136 bytes)
MD5: 27947ff35ead8ef4e9086ef8ad45afdd
SHA1: 243c0f69e6ae15e33767afcfd3e42fcc0834f214
Detections
| Analyzer | Verdict | Alert |
|---|---|---|
| Public Nextron YARA rules | malware | Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable |
JavaScript (4)
No JavaScripts
HTTP Transactions (8)
| URL | IP | Response | Size |
|---|---|---|---|