{
"Event": {
"analysis": "2",
"date": "2018-07-18",
"extends_uuid": "",
"info": "OVH Phishing",
"publish_timestamp": "1532095390",
"published": true,
"threat_level_id": "3",
"timestamp": "1532095371",
"uuid": "5b4f5308-42c0-434a-a8c5-48ae950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1532095368",
"to_ids": true,
"type": "url",
"uuid": "d64b0aa2-2712-440f-ae2d-405b02afe37f",
"value": "https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "7",
"timestamp": "1531925260",
"uuid": "8a483d15-8731-46eb-802a-4dad004e29ad",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "hostname",
"timestamp": "1532095368",
"to_ids": true,
"type": "hostname",
"uuid": "11d55dd3-0574-492d-b330-2086770d3995",
"value": "xyu7564.phpnet.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1532095368",
"to_ids": false,
"type": "ip-dst",
"uuid": "9e69ba41-08f3-43bb-b2b6-5e81162ab394",
"value": "195.144.11.40"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Email object describing an email with meta-information",
"meta-category": "network",
"name": "email",
"template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"template_version": "11",
"timestamp": "1531925264",
"uuid": "f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"referenced_uuid": "d64b0aa2-2712-440f-ae2d-405b02afe37f",
"relationship_type": "contains",
"timestamp": "1531925263",
"uuid": "5b4f530f-027c-464b-bd45-4e94950d210f"
},
{
"comment": "",
"object_uuid": "f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"referenced_uuid": "8a483d15-8731-46eb-802a-4dad004e29ad",
"relationship_type": "contains",
"timestamp": "1531925264",
"uuid": "5b4f5310-55b4-43f6-9dc1-41c4950d210f"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "UmV0dXJuLVBhdGg6IDxzdXBwb3J0QG92aC5jb20+ClgtT3JpZ2luYWwtVG86IGNvbnRhY3RAcmFmaTB0LmZyCkRlbGl2ZXJlZC1Ubzogc3BhbUByYWZpMHQuZnIKWC1HcmV5bGlzdDogZGVsYXllZCA2MDAgc2Vjb25kcyBieSBwb3N0Z3JleS0xLjM1IGF0IHN0ZXJsaW5nOyBXZWQsIDE4IEp1bCAyMDE4CiAxNjozMzowMiBDRVNUClJlY2VpdmVkOiBmcm9tIHJkbnMwLmFubmFtYWV0LmZyICh1bmtub3duIFs4OS4zOC4xNDguNzVdKQoJYnkgc3RlcmxpbmcuZm9vLmJlIChQb3N0Zml4KSB3aXRoIEVTTVRQUyBpZCAyQ0Q1OTUwMDBDQgoJZm9yIDxjb250YWN0QHJhZmkwdC5mcj47IFdlZCwgMTggSnVsIDIwMTggMTY6MzM6MDIgKzAyMDAgKENFU1QpCkZyb206ICI9P3V0Zi04P0I/YzNWd2NHOXlkRUJ2ZG1ndVkyOXQ/PSIgPHN1cHBvcnRAb3ZoLmNvbT4KVG86IGNvbnRhY3RAcmFmaTB0LmZyClN1YmplY3Q6IFtPVkgtV0VCXSBTdXNwZW5zaW9uIGR1IG5vbSBkZSBkb21haW5lIHJhZmkwdC5mcgpEYXRlOiBXZWQsIDE4IEp1bCAyMDE4IDE0OjA3OjE5ICswMjAwCk1JTUUtVmVyc2lvbjogMS4wCk1lc3NhZ2UtSUQ6IDwxNTMxOTEwNTY2MWQ5MWE1MDg5NjZkY2M1ZjYwMmM3M2I0Zjk3ZmEzOTJfNTQwNDU1QG92aC5jb20+ClJlcGx5LVRvOiBzdXBwb3J0QG92aC5jb20KQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7IGNoYXJzZXQ9InV0Zi04IgpDb250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiBxdW90ZWQtcHJpbnRhYmxlCgo8IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL1czQy8vRFREIEhUTUwgNC4wIFRyYW5zaXRpb25hbC8vRU4iPgo8SFRNTD48SEVBRD48TUVUQSBodHRwLWVxdWl2PTNEIkNvbnRlbnQtVHlwZSIgY29udGVudD0zRCJ0ZXh0L2h0bWw7IGNoYXJzZXQ9Cj0zRHV0Zi04Ij4KPC9IRUFEPgo8Qk9EWT4KPERJVj48Rk9OVCBzaXplPTNEMiBmYWNlPTNEVGFob21hPlNBUyBPVkggLSA8L0ZPTlQ+PEEKaHJlZj0zRCJodHRwOi8vd3d3Lm92aC5jb20vIj48Rk9OVCBzaXplPTNEMgpmYWNlPTNEVGFob21hPmh0dHA6Ly93d3cub3ZoLmNvbTwvRk9OVD48L0E+PEJSPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+Mj0KIHJ1ZQpLZWxsZXJtYW5uPEJSPkJQIDgwMTU3PEJSPjU5MTAwIFJvdWJhaXg8L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5DaGVyKGUpIENsaWVudChlKSw8L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5Wb3RyZSBub20gZGUgZG9tYWluZSByYWZpMHQuZnIgZXN0PQogYWN0dWVsbGVtZW50CmVucmVnaXN0cj1DMz1BOSBjaGV6IE9WSC48QlI+Tm90cmUgc3lzdD1DMz1BOG1lIGRlIGZhY3R1cmF0aW9uIGEgZD1DMz1BOXRlY3Q9Cj1DMz1BOSBxdWUgY2Ugc2VydmljZQplc3QgZXhwaXI9QzM9QTksIG5vbiByZW5vdXZlbD1DMz1BOS48L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5Wb3RyZSBub20gZGUgZG9tYWluZSByYWZpMHQuZnIgYSBkb25jID1DMz0KPUE5dD1DMz1BOQpzdXNwZW5kdS48L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEJSPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+UG91ciBsZSByPUMzPUE5YWN0aXZlciwgaWwgdm91cyBzdWZmaXQ9CiBkZSB2b3VzCnJlbmRyZSBzdXIgbm90cmUgc2l0ZSwgZXQgZHV0aWxpc2VyIDxCUj5sYSBjb21tYW5kZSBkZSByZW5vdXZlbGxlbWVudCA6CjwvRk9OVD48L0RJVj4KPERJVj4mbmJzcDs8L0RJVj4KPERJVj48QQpocmVmPTNEImh0dHBzOi8veHl1NzU2NC5waHBuZXQub3JnLz9wYWdlMD0KPTNEcmFmaTB0LmZyI2h0dHBzOi8vd3d3Lm92aC5jb20vZnIvY2dpLWJpbi9vcmRlci9yZW5ldy5jZ2kiPjxGT05UCnNpemU9M0QyIGZhY2U9Cj0zRFRhaG9tYT5odHRwczovL3d3dy5vdmguY29tL2ZyL2NnaS1iaW4vb3JkZXIvcmVuZXcuY2dpPC9GT05UPjwvQT4KPC9ESVY+CjxESVY+PEJSPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+TGUgcj1DMz1BOGdsZW1lbnQgcGV1dCBzZSBmYWlyZSB2aWE9CiBsJ3VuIGRlcyBtb3llbnMKZGUgcGFpZW1lbnQgcHJvcG9zPUMzPUE5cy4gTWFpcyBub3VzIDxCUj5yZWNvbW1hbmRvbnMgZGUgcj1DMz1BOWdsZXIgcGFyPQogQ2FydGUgQmFuY2FpcmUKcG91ciBhY2M9QzM9QTlsPUMzPUE5cmVyIGxlIHRyYWl0ZW1lbnQgZXQgZG9uYyA8QlI+bGEgcj1DMz1BOW91dmVydHVyZSBkZT0KIHZvdHJlCnNlcnZpY2UuPC9GT05UPjwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+TGEgZmFjdHVyZSBhY3F1aXR0PUMzPUE5ZSB2b3VzIHBhcnZpZW5kcmE9CiBwZXUgYXByPUMzPUE4cwp2YWxpZGF0aW9uIGRlIGxhIGNvbW1hbmRlLCBjb25maXJtYW50IDxCUj5sZSByZW5vdXZlbGxlbWVudCBkZSB2b3RyZT0KIHJlZGV2YW5jZQpwb3VyIGxhIHA9QzM9QTlyaW9kZSBjaG9pc2llLjwvRk9OVD48L0RJVj4KPERJVj4mbmJzcDs8L0RJVj4KPERJVj48QlI+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5JTVBPUlRBTlQgOiBFbiBjYXMgZGUgbm9uIHI9QzM9Cj1BOGdsZW1lbnQgc291cyAyNCBILAp2b3RyZSBkb21haW5lIHBvdXJyYWl0ID1DMz1BQXRyZSBERUZJTklUSVZFTUVOVCBlZmZhYz1DMz1BOS48L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5Qb3VyIHRvdXRlIGluZm9ybWF0aW9uIGNvbXBsPUMzPUE5bWVudGFpcmUsPQogbm90cmUKc3VwcG9ydCByZXN0ZSA9QzM9QTAgdm90cmUgZGlzcG9zaXRpb24uPC9GT05UPjwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+TWVyY2kgZGUgdm90cmUgY29tcHI9QzM9Cj1BOWhlbnNpb24uPC9GT05UPjwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+Q29yZGlhbGVtZW50LDwvRk9OVD48L0RJVj4KPERJVj4mbmJzcDs8L0RJVj4KPERJVj48Rk9OVCBzaXplPTNEMiBmYWNlPTNEVGFob21hPlZvdHJlIFNlcnZpY2UgQ2xpZW50IE9WSDxCUj5MdW4gLSBWZW5kIDogOGg9CiAtIDIwaAp8IFNhbWVkaSA6IDloID1DMz1BMCAxN2g8QlI+MTAwNzxCUj5OdW09QzM9QTlybyB1bmlxdWUgZ3JhdHVpdCBkZXB1aXMgdW49CiBwb3N0ZSBmaXhlLCBob3JzCnN1cmNvPUMzPUJCdCA9QzM9QTl2ZW50dWVsIHNlbG9uIG9wPUMzPUE5cmF0ZXVyIGRlcHVpcyB1bmUgbGlnbmUKbW9iaWxlPC9GT05UPjwvRElWPjwvQk9EWT48L0hUTUw+Cgo=",
"deleted": false,
"disable_correlation": true,
"object_relation": "eml",
"timestamp": "1532095368",
"to_ids": false,
"type": "attachment",
"uuid": "6fad44d5-1eb8-4cd4-8c2a-85d411cf50ca",
"value": "Full email.eml"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "email-body",
"timestamp": "1532095368",
"to_ids": false,
"type": "email-body",
"uuid": "c8c233d6-a647-4f41-ad4e-9d2b08af045b",
"value": "\n\n\n\nSAS OVH - http://www.ovh.com
2 rue\nKellermann
BP 80157
59100 Roubaix \n
\n
\n
\n
\nCher(e) Client(e),
\n
\nVotre nom de domaine rafi0t.fr est actuellement\nenregistr\u00c3\u00a9 chez OVH.
Notre syst\u00c3\u00a8me de facturation a d\u00c3\u00a9tect\u00c3\u00a9 que ce service\nest expir\u00c3\u00a9, non renouvel\u00c3\u00a9.
\n
\nVotre nom de domaine rafi0t.fr a donc \u00c3\u00a9t\u00c3\u00a9\nsuspendu.
\n
\n
Pour le r\u00c3\u00a9activer, il vous suffit de vous\nrendre sur notre site, et dutiliser
la commande de renouvellement :\n
\n
\nhttps://www.ovh.com/fr/cgi-bin/order/renew.cgi\n \n
Le r\u00c3\u00a8glement peut se faire via l'un des moyens\nde paiement propos\u00c3\u00a9s. Mais nous
recommandons de r\u00c3\u00a9gler par Carte Bancaire\npour acc\u00c3\u00a9l\u00c3\u00a9rer le traitement et donc
la r\u00c3\u00a9ouverture de votre\nservice.
\n
\nLa facture acquitt\u00c3\u00a9e vous parviendra peu apr\u00c3\u00a8s\nvalidation de la commande, confirmant
le renouvellement de votre redevance\npour la p\u00c3\u00a9riode choisie.
\n
\n
IMPORTANT : En cas de non r\u00c3\u00a8glement sous 24 H,\nvotre domaine pourrait \u00c3\u00aatre DEFINITIVEMENT effac\u00c3\u00a9.
\n
\nPour toute information compl\u00c3\u00a9mentaire, notre\nsupport reste \u00c3\u00a0 votre disposition.
\n
\nMerci de votre compr\u00c3\u00a9hension.
\n
\n
\n
\nCordialement,
\n
\nVotre Service Client OVH
Lun - Vend : 8h - 20h\n| Samedi : 9h \u00c3\u00a0 17h
1007
Num\u00c3\u00a9ro unique gratuit depuis un poste fixe, hors\nsurco\u00c3\u00bbt \u00c3\u00a9ventuel selon op\u00c3\u00a9rateur depuis une ligne\nmobile
"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reply-to",
"timestamp": "1532095368",
"to_ids": false,
"type": "email-reply-to",
"uuid": "51d315b4-595f-43fd-bc43-23c5f155ed88",
"value": "support@ovh.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "message-id",
"timestamp": "1532095368",
"to_ids": false,
"type": "email-message-id",
"uuid": "c0cae490-8619-453a-9ca0-10e1ffa78f30",
"value": "<15319105661d91a508966dcc5f602c73b4f97fa392_540455@ovh.com>"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "to",
"timestamp": "1532095368",
"to_ids": false,
"type": "email-dst",
"uuid": "334cb4ea-384c-43f2-ab65-de6c244bbe55",
"value": "contact@rafi0t.fr"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "subject",
"timestamp": "1532095368",
"to_ids": false,
"type": "email-subject",
"uuid": "faf7eabc-c367-4456-95be-dadbd90b1aa2",
"value": "[OVH-WEB] Suspension du nom de domaine rafi0t.fr"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "from",
"timestamp": "1532095368",
"to_ids": false,
"type": "email-src",
"uuid": "76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"value": "\"support@ovh.com\" "
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "return-path",
"timestamp": "1532095368",
"to_ids": false,
"type": "email-src",
"uuid": "8ae92ecb-ea5e-4674-9bd7-de2cdc2e05e8",
"value": ""
}
]
}
]
}
}