At this site, unfortunately you have to be a subscriber to download the newsletter, so it won’t be easily possible to check. All previous months’ pdf newsletters downloaded fine. Screen shot of the error message is below.

http://www.paintingezine.com/

I have corresponded with the site; they have another complaint, which coincidentally is from an Avast AV user, and no complaints from others.

http://home.powergate.ca/~dougjp/Paintingezine.jpg

how private link only you have access
The PDFs are not malicious; they contain links to external sites.
I have not received any alerts.

redirects

< sc​ript type='text/javascript' src=hxxp://stats.wp.com/e-201540.js' async defer> < / sc​ript >

Blacklist

https://www.virustotal.com/en/url/0a3e4ef5625e1ca6dd4ba54c16cfd77d4dbf66a4a25e3354c8b55256320667c3/analysis/1443817639/

https://urlquery.net/report.php?id=1443817584436

See IP badness history and detections: https://www.virustotal.com/nl/ip-address/192.0.76.3/information/
See the alert for malware here: https://urlquery.net/report.php?id=1443817584436 info in ochre.

polonus

I’m “struggling to keep up” in terms of understanding. However, I’ll try by saying those links both of you provided seem to conclude there is no problem with the site or the file, and Avast incorrectly identified the download. I.e., it’s a false positive and shortly an updated virus definition will solve Avast’s problem.

Is this correct, yes/no?

Seems a larger campaign, see these scan results: https://urlquery.net/report.php?id=1443826150664
For the malware flagged by Fortinet’s → https://www.virustotal.com/nl/url/9541793536572b449d19fe297bd9dbd737b48deff438fe24204189530ee23289/analysis/
but here no results: https://www.virustotal.com/nl/file/01a2603f5878905ffb8eb7a8c8ea5323a56c559405b608b2b07736bb1d8cc137/analysis/1440856103/ DrWeb gives as clean - others flag anomalies → http://www.domxssscanner.com/scan?url=http%3A%2F%2Fstats.wp.com%2Fe-201540.js → WordPress Theme
The theme has been found by examining the path /wp-content/themes/ theme name / h4
Linked javascript: -https://s1.wp.com/home.logged-out/js/modernizr.js?v=2
See: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fs1.wp.com%2Fhome.logged-out%2Fjs%2Fmodernizr.js%3Fv%3D2
as given clean here: https://www.reasoncoresecurity.com/modernizr.js-e151eacb7cf103f5487611c66ebbb18e259e2f88.aspx
seems OK: http://toolbar.netcraft.com/site_report?url=https://s1.wp.com

As these were Fortinet’s Web Filter Web Traffic Detections the last word should come from Avast Team whether these are genuine detections or anomalies that can be classified as false positive? So let us wait for the final word from Avast Team.

The anomaly I get flagged with a Javascript check on : s1.wp.com/home.logged-out/js/modernizr.js?v=2= Suspicious code

ect|textarea|object|iframe|option|optgroup)$/i,f=/^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|spam|strong|table|tbod

Could be Adware and spy call option chain malcode…

polonus (volunteer website security analyst and website error-hunter)

dougjp,
without the file, we cannot do much. The detection name is a generic name for a PDF, in which a link to a blocked URL is. Can you send the file to virus@avast.com or submit a ticket via support.avast.com? If you do, post the info here or shoot me a PM and I will look into it.
Thanks!
Honza

hххp://paintingezine.com/?wpdmdl=3606 —>> PaintingEzine_October2015.pdf (22.3 Mb ( 23350138 bytes ))

https://www.virustotal.com/ru/file/8af57a8ea59523c2f6c5d4adda21939f31f0ea36b2b89cb17c32a8ebe9f4b731/analysis/1443945457/

Oops, I thought he said private, so I didn’t even test it :-).
In this case, Avast complains about seeing a clickable link to “gmil.com”, which we block. I suppose this is a typo, isn’t it? If you remove/correct it, Avast will stop complaining.

Thanks so much for that! Now that I have this specific information I’m getting in touch with the site. Being a small subscription type ezine, my bet is it’s a typo in an e-mail link and not intentional use of gmil.com. My wife just went to the site and successfully downloaded past months’ issues but not the latest one, which seems to confirm this.
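Added example, not part of any post in this thread and not Avast's detection logic: a pre-publication check that pulls clickable link targets out of a PDF and flags any domain one character edit away from a domain the publisher means to use, which is how a "gmil.com" typo ends up matching a URL blocklist. The `KNOWN_DOMAINS` list, the function names and the sample bytes (including the address `editor@gmil.com`) are constructed for illustration, and the regex only sees link actions stored uncompressed.

```python
import re
from urllib.parse import urlsplit
# Assumption: domains the publisher legitimately links to or mails from.
KNOWN_DOMAINS = ("gmail.com", "yahoo.com", "outlook.com", "hotmail.com")
# Uncompressed link actions look like: /S /URI /URI (target)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_uris(pdf_bytes):
    """Return targets of /URI actions found in the raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris

def host_of(uri):
    """Domain of an http(s) link or of a mailto: address, without 'www.'."""
    if uri.lower().startswith("mailto:"):
        host = uri[7:].split("?")[0].rsplit("@", 1)[-1]
    else:
        host = urlsplit(uri).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_miss_links(pdf_bytes):
    """(uri, host, intended) for hosts one edit away from a known domain."""
    hits = []
    for uri in extract_uris(pdf_bytes):
        host = host_of(uri)
        if host in KNOWN_DOMAINS:
            continue
        hits += [(uri, host, good) for good in KNOWN_DOMAINS
                 if edit_distance(host, good) == 1]
    return hits

# Constructed sample: two link annotations, one with the typo from this thread.
SAMPLE = (b"<< /Subtype /Link /A << /S /URI /URI (mailto:editor@gmil.com) >> >>\n"
          b"<< /Subtype /Link /A << /S /URI /URI (http://www.paintingezine.com/) >> >>\n")

print(near_miss_links(SAMPLE))
```

On a real issue, pass the file's bytes to `near_miss_links`; link annotations packed into compressed object streams have to be decompressed first before this regex can see them.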