Source: http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
Avira URL Cloud: detection malicious, Label: phishing |
Source: http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/style.css |
Avira URL Cloud: Label: phishing |
Source: worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev |
Virustotal: Detection: 16% |
Source: http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
Virustotal: Detection: 17% |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
LLM: Score: 9 brands: Microsoft OneNote Reasons: The URL 'https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico' is highly suspicious as it does not match the legitimate domain for Microsoft OneNote, which would typically be something like 'onenote.com' or 'microsoft.com'. The use of multiple login options for different services (Office365, Outlook, Rackspace, AOL, Yahoo, Other Mail) is a common social engineering technique used in phishing attacks to capture credentials. The presence of a login form without a captcha further increases the risk. The overall design mimics a legitimate OneNote page, but the domain and login prompts are highly indicative of phishing. DOM: 0.0.pages.csv |
Source: Yara match |
File source: 0.0.pages.csv, type: HTML |
Source: Yara match |
File source: dropped/chromecache_106, type: DROPPED |
Source: Yara match |
File source: dropped/chromecache_107, type: DROPPED |
Source: Yara match |
File source: dropped/chromecache_111, type: DROPPED |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
LLM: Score: 10 Reasons: The JavaScript code captures user email, password, and IP address, and sends this information to a Telegram bot. This behavior is indicative of phishing or credential theft. DOM: 0.0.pages.csv |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
Matcher: Found strong image similarity, combo hit |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
HTTP Parser: Number of links: 0 |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
HTTP Parser: Total embedded image size: 135508 |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
HTTP Parser: Title: Document does not match URL |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
HTTP Parser: <input type="password" .../> found |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
HTTP Parser: No favicon |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
HTTP Parser: No <meta name="author".. found |
Source: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico |
HTTP Parser: No <meta name="copyright".. found |
Source: unknown |
HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.4:49744 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:52528 version: TLS 1.2 |
Source: global traffic |
TCP traffic: 192.168.2.4:52523 -> 1.1.1.1:53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 2.19.104.72 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 93.184.221.240 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1
Host: worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /style.css HTTP/1.1
Host: worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: text/css,*/*;q=0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: style
Referer: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /?format=jsonp&callback=getIP HTTP/1.1
Host: api.ipify.org
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /png/full/112-1129773_onenote-is-part-of-the-office-365-package-and-you-will-one.png HTTP/1.1
Host: www.clipartmax.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1
Host: worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /png/full/112-1129773_onenote-is-part-of-the-office-365-package-and-you-will-one.png HTTP/1.1
Host: www.clipartmax.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1
Host: worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
Range: bytes=0-2147483646
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com |
Source: global traffic |
DNS traffic detected: DNS query: worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev |
Source: global traffic |
DNS traffic detected: DNS query: api.ipify.org |
Source: global traffic |
DNS traffic detected: DNS query: www.clipartmax.com |
Source: global traffic |
DNS traffic detected: DNS query: www.google.com |
Source: classification engine |
Classification label: mal100.phis.win@22/12@14/8 |
Source: unknown |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2228,i,9884631370829521986,13767480250035902459,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
|
Source: unknown |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico" |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Source: Window Recorder |
Window detected: More than 3 window changes detected |