Report - ftp.halifax.rwth-aachen.de/tdf/libreoffice/stable/7.6.1/win/x86/LibreOffice_7.6.1_Win_x86_helppack

Report Overview

Visited public
2023-09-19 13:16:02
Tags
URL
ftp.halifax.rwth-aachen.de/tdf/libreoffice/stable/7.6.1/win/x86/LibreOffice_7.6.1_Win_x86_helppack_ar.msi
Finishing URL
about:privatebrowsing
IP / ASN
137.226.34.46
#47610 RWTH Aachen University
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
ftp.halifax.rwth-aachen.de	110816	unknown	2013-09-30 09:09:27	2023-09-16 04:00:58	561 B	3.4 MB	137.226.34.46
ocsp.pca.dfn.de	167484	unknown	2017-01-29 19:42:39	2023-09-19 07:01:45	345 B	2.7 kB	193.174.13.86

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2023-09-19	medium	ftp.halifax.rwth-aachen.de/tdf/libreoffice/stable/7.6.1/win/x86/LibreOffice_7.6.1_Win_x86_helppack_ar.msi	meth_get_eip

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Files detected

URL
ftp.halifax.rwth-aachen.de/tdf/libreoffice/stable/7.6.1/win/x86/LibreOffice_7.6.1_Win_x86_helppack_ar.msi
IP
137.226.34.46
ASN
#47610 RWTH Aachen University

File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 0, Title: Installation database, Subject: LibreOffice 7.6, Author: The Document Foundation, Keywords: Install,MSI, Comments: LibreOffice, Name of Creating Application: Windows Installer, Security: 0, Template: Intel;1033, Last Saved By: Intel;1025, Revision Number: {1205C277-E0CE-49A5-BB3E-03B42C8814DE}7.6.1.2;{1205C277-E0CE-49A5-BB3E-03B42C8814DE}7.6.1.2;{4B19ECA4-EB7B-420E-A2F3-0D456CA1CA3F}, Number of Pages: 200, Number of Characters: 32\012- OLE 2 Compound Document, v4.62, SecID 0x1, Mini FAT start sector 0x3e, blocksize 4096 : Microsoft Windows Installer Package\012- data
Size
3.4 MB (3391488 bytes)
Hash
eeb40245406305879336af509332889a
554f315b1928f9f1b0b2df6f601f33dd36e9c00c
bb30d896143b2aa5f01d0c095b50a9804d90f50390fa8c3ef374bd7bbe1ee8f1

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	meth_get_eip

JavaScript (0)

HTTP Transactions (2)

URL IP Response Size

ocsp.pca.dfn.de/OCSP-Server/OCSP

193.174.13.86

2.3 kB

URL
ocsp.pca.dfn.de/OCSP-Server/OCSP
IP
193.174.13.86:0
ASN
#680 Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.

File type
data
Size
2.3 kB (2309 bytes)
Hash
97061ee9b5600155a31e4b6a9064f1e3
f22d4507daf4825407975094ff1d23bf953e8ea9
480a5828efd00074fbd636040a5167eaadad7455cfbaa12e7aa9a71689e357af

HTTP Headers

POST /OCSP-Server/OCSP HTTP/1.1
Host: ocsp.pca.dfn.de
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 79
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 200
Date: Tue, 19 Sep 2023 13:15:45 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 19 Sep 2023 11:08:05 GMT
expires: Tue, 26 Sep 2023 11:08:05 GMT
ETag: f22d4507daf4825407975094ff1d23bf953e8ea9
cache-control: max-age=597139, public, no-transform, must-revalidate
Content-Length: 2309
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ocsp-response

ftp.halifax.rwth-aachen.de/tdf/libreoffice/stable/7.6.1/win/x86/LibreOffice_7.6.1_Win_x86_helppack_ar.msi

137.226.34.46

200 OK

3.4 MB

URL User Request GET HTTP/2
ftp.halifax.rwth-aachen.de/tdf/libreoffice/stable/7.6.1/win/x86/LibreOffice_7.6.1_Win_x86_helppack_ar.msi
IP
137.226.34.46:443
ASN
#47610 RWTH Aachen University

Certificate
IssuerVerein zur Foerderung eines Deutschen Forschungsnetzes e. V.
Subjectftp.halifax.rwth-aachen.de
Fingerprint4F:D8:5B:91:CE:73:02:EE:55:DF:48:4D:26:05:BC:4C:1C:DA:30:40
ValidityWed, 28 Sep 2022 11:13:31 GMT - Sun, 29 Oct 2023 11:13:31 GMT

File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 0, Title: Installation database, Subject: LibreOffice 7.6, Author: The Document Foundation, Keywords: Install,MSI, Comments: LibreOffice, Name of Creating Application: Windows Installer, Security: 0, Template: Intel;1033, Last Saved By: Intel;1025, Revision Number: {1205C277-E0CE-49A5-BB3E-03B42C8814DE}7.6.1.2;{1205C277-E0CE-49A5-BB3E-03B42C8814DE}7.6.1.2;{4B19ECA4-EB7B-420E-A2F3-0D456CA1CA3F}, Number of Pages: 200, Number of Characters: 32\012- OLE 2 Compound Document, v4.62, SecID 0x1, Mini FAT start sector 0x3e, blocksize 4096 : Microsoft Windows Installer Package\012- data
Size
3.4 MB (3391488 bytes)
Hash
eeb40245406305879336af509332889a
554f315b1928f9f1b0b2df6f601f33dd36e9c00c
bb30d896143b2aa5f01d0c095b50a9804d90f50390fa8c3ef374bd7bbe1ee8f1

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	meth_get_eip

HTTP Headers

GET /tdf/libreoffice/stable/7.6.1/win/x86/LibreOffice_7.6.1_Win_x86_helppack_ar.msi HTTP/1.1
Host: ftp.halifax.rwth-aachen.de
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx/1.22.1
date: Tue, 19 Sep 2023 13:15:45 GMT
content-type: application/octet-stream
content-length: 3391488
last-modified: Fri, 08 Sep 2023 00:13:58 GMT
accept-ranges: bytes
X-Firefox-Spdy: h2

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Detections

JavaScript (0)

HTTP Transactions (2)

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL User Request GET HTTP/2

IP

ASN

Certificate

File type

Size

Hash

Detections

HTTP Headers