{ "type": "bundle", "id": "bundle--587e787d-c9f8-4132-9673-4d8402de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:54.000Z", "modified": "2017-01-17T20:12:54.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--587e787d-c9f8-4132-9673-4d8402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:54.000Z", "modified": "2017-01-17T20:12:54.000Z", "name": "OSINT - CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL", "published": "2017-01-17T20:13:43Z", "object_refs": [ "x-misp-attribute--587e789e-d278-42a1-aa6a-457e02de0b81", "observed-data--587e78b8-05ac-41d3-88b0-4a4902de0b81", "url--587e78b8-05ac-41d3-88b0-4a4902de0b81", "indicator--587e7a5e-f1e8-4295-b5ce-473102de0b81", "indicator--587e7a5f-6d14-4a0e-a94e-448802de0b81", "indicator--587e7a60-99e8-4a1c-afdc-4cc302de0b81", "indicator--587e7a72-c370-4b7e-853a-41bc02de0b81", "indicator--587e7a72-963c-4a15-8a07-4c6102de0b81", "indicator--587e7a73-7e5c-4fb3-b848-4ce002de0b81", "indicator--587e7a81-f360-40d6-943b-42a502de0b81", "indicator--587e7a82-9c50-4923-bc1e-460002de0b81", "indicator--587e7a83-8088-4b4e-a146-43b102de0b81", "indicator--587e7a90-1318-4655-bfb4-4bcf02de0b81", "indicator--587e7a91-cfa8-4d57-8ff5-4e5602de0b81", "indicator--587e7aa0-3a6c-4023-9e36-4c6402de0b81", "indicator--587e7aa1-f6b4-4b0d-9e3c-400802de0b81", "indicator--587e7ac6-6f94-4ab2-a39b-4d0802de0b81", "indicator--587e7ac7-072c-4bb4-8650-46d702de0b81", "observed-data--587e7ac7-3a78-4e9e-aa27-436a02de0b81", "url--587e7ac7-3a78-4e9e-aa27-436a02de0b81", "indicator--587e7ac8-81ac-4b8b-9a34-422c02de0b81", "indicator--587e7ac9-c1ec-4401-bfc2-4def02de0b81", "observed-data--587e7aca-6bc4-44dd-b72a-449b02de0b81", "url--587e7aca-6bc4-44dd-b72a-449b02de0b81", "indicator--587e7acb-41a4-481b-a177-42b702de0b81", 
"indicator--587e7acc-5c98-4e6d-b6f3-4cf302de0b81", "observed-data--587e7acc-e2d4-4795-abf7-4afb02de0b81", "url--587e7acc-e2d4-4795-abf7-4afb02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"Anunak\"", "osint:source-type=\"blog-post\"", "veris:actor:motive=\"Financial\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--587e789e-d278-42a1-aa6a-457e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:03:42.000Z", "modified": "2017-01-17T20:03:42.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Forcepoint Security Labs\u2122 recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.\r\n\r\nCarbanak (also known as Anunak) are a group of financially motivated criminals first exposed in 2015. The actors typically steal from financial institutions using targeted malware. Recently a new Carbanak attack campaign dubbed \"Digital Plagiarist\" was exposed where the group used weaponized office documents hosted on mirrored domains, in order to distribute malware." 
}, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587e78b8-05ac-41d3-88b0-4a4902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:04:08.000Z", "modified": "2017-01-17T20:04:08.000Z", "first_observed": "2017-01-17T20:04:08Z", "last_observed": "2017-01-17T20:04:08Z", "number_observed": 1, "object_refs": [ "url--587e78b8-05ac-41d3-88b0-4a4902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587e78b8-05ac-41d3-88b0-4a4902de0b81", "value": "https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a5e-f1e8-4295-b5ce-473102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:10.000Z", "modified": "2017-01-17T20:11:10.000Z", "description": "3-ThompsonDan.rtf", "pattern": "[file:hashes.SHA1 = '1ec48e5c0b88f4f850facc718bbdec9200e4bd2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a5f-6d14-4a0e-a94e-448802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:11.000Z", "modified": "2017-01-17T20:11:11.000Z", "description": "order.docx", "pattern": "[file:hashes.SHA1 = '400f02249ba29a19ad261373e6ff3488646e95fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" 
] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a60-99e8-4a1c-afdc-4cc302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:12.000Z", "modified": "2017-01-17T20:11:12.000Z", "description": "claim.rtf", "pattern": "[file:hashes.SHA1 = '88f9bf3d6e767f1d324632b998051f4730f011c3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a72-c370-4b7e-853a-41bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:30.000Z", "modified": "2017-01-17T20:11:30.000Z", "description": "Carbanak Google Apps Script C&Cs", "pattern": "[url:value = 'https://script.google.com/macros/s/AKfycbzuykcvX7j3TlBNyQfxtB1mqii31b4VTON640yiRJT0t6rS4s4/exec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a72-963c-4a15-8a07-4c6102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:30.000Z", "modified": "2017-01-17T20:11:30.000Z", "description": "Carbanak Google Apps Script C&Cs", "pattern": "[url:value = 'https://script.google.com/macros/s/AKfycbxxx5DHr0F8AYhLuDjnp7kGNELq6g27J4c_JWWx1p1nDfZh6InO/exec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ 
"misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a73-7e5c-4fb3-b848-4ce002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:31.000Z", "modified": "2017-01-17T20:11:31.000Z", "description": "Carbanak Google Apps Script C&Cs", "pattern": "[url:value = 'https://script.google.com/macros/s/AKfycbwZHCgg5EsCiPup_mNxDbSX7k7yBMeXWenOVN1BWXHmyBpb8ng/exec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a81-f360-40d6-943b-42a502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:45.000Z", "modified": "2017-01-17T20:11:45.000Z", "description": "Carbanak Google Forms C&Cs", "pattern": "[url:value = 'https://docs.google.com/forms/d/e/1FAIpQLScx9gwNadC7Vjo11mXLbU3aBQRrqVpoWjmNJ1ZneqpjaYLE3g/formResponse']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a82-9c50-4923-bc1e-460002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:46.000Z", "modified": "2017-01-17T20:11:46.000Z", "description": "Carbanak Google Forms C&Cs", "pattern": "[url:value = 'https://docs.google.com/forms/d/e/1FAIpQLSfE9kshYBFSDAfRclW8m9rAdajqoYhzhEYmEAgZexE3LQ-17A/formResponse']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-01-17T20:11:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a83-8088-4b4e-a146-43b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:11:47.000Z", "modified": "2017-01-17T20:11:47.000Z", "description": "Carbanak Google Forms C&Cs", "pattern": "[url:value = 'https://docs.google.com/forms/d/e/1FAIpQLSdcdE7lTEiqV5MW3Up8Hgcy5NGkIKnLKoe0YPFriD4_9qYq9A/formResponse']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:11:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a90-1318-4655-bfb4-4bcf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:00.000Z", "modified": "2017-01-17T20:12:00.000Z", "description": "Carbanak C&Cs", "pattern": "[url:value = 'http://atlantis-bahamas.com/css/informs.jsp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7a91-cfa8-4d57-8ff5-4e5602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:01.000Z", "modified": "2017-01-17T20:12:01.000Z", "description": "Carbanak C&Cs", "pattern": "[url:value = 'http://138.201.44.4/informs.jsp']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-01-17T20:12:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7aa0-3a6c-4023-9e36-4c6402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:16.000Z", "modified": "2017-01-17T20:12:16.000Z", "description": "Carbanak Cobalt Strike / Meterpreter DNS Beacon C&Cs", "pattern": "[domain-name:value = 'aaa.stage.15594901.en.onokder.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7aa1-f6b4-4b0d-9e3c-400802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:17.000Z", "modified": "2017-01-17T20:12:17.000Z", "description": "Carbanak Cobalt Strike / Meterpreter DNS Beacon C&Cs", "pattern": "[domain-name:value = 'aaa.stage.4710846.ns3.kiposerd.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7ac6-6f94-4ab2-a39b-4d0802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:54.000Z", "modified": "2017-01-17T20:12:54.000Z", "description": "3-ThompsonDan.rtf - Xchecked via VT: 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d", "pattern": "[file:hashes.SHA256 = 
'7db1b8fd3ca8edbcb25a3849bad0182ea0b840e3cabc53c30b74af070d3ba247']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7ac7-072c-4bb4-8650-46d702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:55.000Z", "modified": "2017-01-17T20:12:55.000Z", "description": "3-ThompsonDan.rtf - Xchecked via VT: 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d", "pattern": "[file:hashes.MD5 = '4b783bd0bd7fcf880ca75359d9fc4da6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587e7ac7-3a78-4e9e-aa27-436a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:55.000Z", "modified": "2017-01-17T20:12:55.000Z", "first_observed": "2017-01-17T20:12:55Z", "last_observed": "2017-01-17T20:12:55Z", "number_observed": 1, "object_refs": [ "url--587e7ac7-3a78-4e9e-aa27-436a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587e7ac7-3a78-4e9e-aa27-436a02de0b81", "value": "https://www.virustotal.com/file/7db1b8fd3ca8edbcb25a3849bad0182ea0b840e3cabc53c30b74af070d3ba247/analysis/1483977881/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7ac8-81ac-4b8b-9a34-422c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:56.000Z", 
"modified": "2017-01-17T20:12:56.000Z", "description": "order.docx - Xchecked via VT: 400f02249ba29a19ad261373e6ff3488646e95fb", "pattern": "[file:hashes.SHA256 = 'c9f3e017b921c3d90127b25ef2f0c770a7fcbb429177284115ad18569ba4a441']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7ac9-c1ec-4401-bfc2-4def02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:57.000Z", "modified": "2017-01-17T20:12:57.000Z", "description": "order.docx - Xchecked via VT: 400f02249ba29a19ad261373e6ff3488646e95fb", "pattern": "[file:hashes.MD5 = 'ae8404ad422e92b1be7561c418c35fb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587e7aca-6bc4-44dd-b72a-449b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:58.000Z", "modified": "2017-01-17T20:12:58.000Z", "first_observed": "2017-01-17T20:12:58Z", "last_observed": "2017-01-17T20:12:58Z", "number_observed": 1, "object_refs": [ "url--587e7aca-6bc4-44dd-b72a-449b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587e7aca-6bc4-44dd-b72a-449b02de0b81", "value": "https://www.virustotal.com/file/c9f3e017b921c3d90127b25ef2f0c770a7fcbb429177284115ad18569ba4a441/analysis/1484193729/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--587e7acb-41a4-481b-a177-42b702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:12:59.000Z", "modified": "2017-01-17T20:12:59.000Z", "description": "claim.rtf - Xchecked via VT: 88f9bf3d6e767f1d324632b998051f4730f011c3", "pattern": "[file:hashes.SHA256 = '5c431c3c66b6dde35ffd528edca614b8b00ba7026714f431af8200f13098665f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:12:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587e7acc-5c98-4e6d-b6f3-4cf302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:13:00.000Z", "modified": "2017-01-17T20:13:00.000Z", "description": "claim.rtf - Xchecked via VT: 88f9bf3d6e767f1d324632b998051f4730f011c3", "pattern": "[file:hashes.MD5 = 'af53db730732aa7db5fdd45ebba34b94']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-17T20:13:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587e7acc-e2d4-4795-abf7-4afb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-17T20:13:00.000Z", "modified": "2017-01-17T20:13:00.000Z", "first_observed": "2017-01-17T20:13:00Z", "last_observed": "2017-01-17T20:13:00Z", "number_observed": 1, "object_refs": [ "url--587e7acc-e2d4-4795-abf7-4afb02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587e7acc-e2d4-4795-abf7-4afb02de0b81", "value": 
"https://www.virustotal.com/file/5c431c3c66b6dde35ffd528edca614b8b00ba7026714f431af8200f13098665f/analysis/1483178982/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }