Is this Baidu banner ad domain really malicious?

This is one of the 5 links in a banner ad from Baidu on a game site.

htxp://cpro.baidu.com/cpro/ui/uijs.php?c=news&cf=2&ch=0&di=1&fv=16&jk=91e2023920fb9368&k=%B3%E8%CE%EF%BE%AB%C1%E9&k0=%B3%E8%CE%EF%BE%AB%C1%E9&kdi0=1&luki=2&n=10&p=baidu&q=7k7kcom_cpr&rb=0&rs=1&seller_id=1&sid=6893fb203902e291&ssp2=1&stid=116&t=tpclicked3_hc&tu=u1999822&u=http%3A%2F%2Fwww%2E7k7k%2Ecom%2Fflash%2F121308%2Ehtm&urlid=0 

I scanned it in VirusTotal and got this: https://www.virustotal.com/en/url/e4482306d56d4ca8ae1d045674040ab506296797a9c0b80e57bdd419a68c7f17/analysis/1426867969/

In Sucuri SiteCheck, it is detected as "MW:HTA:7" (http://labs.sucuri.net/db/malware/malware-entry-mwhta7).
See: http://sitecheck.sucuri.net/results/cpro.baidu.com
Is there a redirect to a malware site as stated?

Hi rickyyeung,

The link you give is part of a phishing campaign, according to Sucuri's report:
Website Malware MW:HTA:7 htxp://cpro.baidu.com/cpro/ui/f.js" type="text/javascript"&g …
Website Malware MW:HTA:7 htxp://cpro.baidu.com/cpro/ui/f.js"&g …
Domain detected on spam or phishing campaigns. Details: http://sucuri.net/malware/entry/MW:HTA:7
This specific URL was identified in malicious campaigns to disseminate malware.
Example read here: http://www.whitefirdesign.com/resources/fgnfdfthrvbeepl-malware.html
Three warnings on this scan: https://asafaweb.com/Scan?Url=cpro.baidu.com
Conditional redirects - htaccess malware - http://labs.sucuri.net/db/malware/malware-entry-mwhta7
Sucuri blacklisted - Site blacklisted for being used to distribute malware.
PHP / HPHP Compatibility Issues Detected

pol
IP badness survey: https://www.virustotal.com/en/ip-address/115.239.211.17/information/
Avast detects:
Win32:Viking-CF
Win32:Trojan-gen (a Spy-Agent family member)
Win32:Evo-gen [Susp]

polonus

No alerts here: http://urlquery.net/report.php?id=1426874099838

See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fcpro.baidu.com%2Fcpro%2Fui%2Fuijs.php%3Fc%3Dnews%26cf%3D2%26ch%3D0%26di%3D1%26fv%3D16%26jk%3D91e2023920fb9368%26k%3D%25B3%25E8%25CE%25EF%25BE%25AB%25C1%25E9%26k0%3D%25B3%25E8%25CE%25EF%25BE%25AB%25C1%25E9%26kdi0%3D1%26luki%3D2%26n%3D10%26p%3Dbaidu%26q%3D7k7kcom_cpr%26rb%3D0%26rs%3D1%26seller_id%3D1%26sid%3D6893fb203902e291%26ssp2%3D1%26stid%3D116%26t%3Dtpclicked3_hc%26tu%3Du1999822%26u%3Dhttp%253A%252F%252Fwww%252E7k7k%252Ecom%252Fflash%252F121308%252Ehtm%26urlid%3D0&useragentheader=&acceptheader=

Redirecting here: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http://www.baidu.com/s?ie=utf-8%26wd=宠物精灵%26tn=7k7kcom_cpr%26rsv_lu=2_pa%26fenlei=mv6qUZNxTZn0IZRqIHD4rHb3nWc0T1d9mvF-uj0vPhfzrHuhPAc10AGo5HbkuHcsnWn4nWKhmWb1PW60IAYqnH03n1Tsn0KWuWYzgLK90ZFB5H00UZNopHYz0AP8IA3qPv_LpvPEUNqWTZc0TLPs5HD0TLPsnWYk0ZNzUjdCIZwsFHPKFHFAFHFAILILFHF7Pv_LpzRzwyPEUiRzwhu_mgPCFHFAnHckn103FHF7pZwV00&acceptheader=&useragentheader=

I attached a URI validation output in txt format.

polonus
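As an added example (not part of the thread, and not code from Sucuri, uridbg or any other scanner mentioned here), the following Python decodes the ad-click URL offline and compares it with the redirect target that uridbg reported above. It assumes the keyword parameters (`k`, `k0`) are percent-encoded GBK bytes rather than UTF-8, which is why generic URL decoders show them as garbage; the `REDIRECT_URL` constant is the uridbg target with its long trailing parameter blob trimmed, since only `wd` and `tn` are compared.

```python
"""Decode a Baidu cpro ad-click URL offline and compare it with an observed redirect."""
from urllib.parse import urlsplit, parse_qs

# The ad URL quoted in the thread, defanged with "htxp" the way the forum posts it.
AD_URL = ("htxp://cpro.baidu.com/cpro/ui/uijs.php?c=news&cf=2&ch=0&di=1&fv=16"
          "&jk=91e2023920fb9368&k=%B3%E8%CE%EF%BE%AB%C1%E9&k0=%B3%E8%CE%EF%BE%AB%C1%E9"
          "&kdi0=1&luki=2&n=10&p=baidu&q=7k7kcom_cpr&rb=0&rs=1&seller_id=1"
          "&sid=6893fb203902e291&ssp2=1&stid=116&t=tpclicked3_hc&tu=u1999822"
          "&u=http%3A%2F%2Fwww%2E7k7k%2Ecom%2Fflash%2F121308%2Ehtm&urlid=0")

# Redirect target reported by uridbg (constructed here from the thread's post, with the
# rsv_*/fenlei tracking blob trimmed; those parameters play no part in the comparison).
REDIRECT_URL = "http://www.baidu.com/s?ie=utf-8&wd=宠物精灵&tn=7k7kcom_cpr&rsv_lu=2_pa"


def refang(url):
    """Turn the forum's defanged scheme back into one urlsplit understands."""
    return url.replace("htxp://", "http://").replace("hxxp://", "http://")


def _first(params, name):
    """First value of a query parameter, or '' when absent."""
    return params.get(name, [""])[0]


def decode_ad_url(url, keyword_encoding="gbk"):
    """Pull the interesting fields out of a cpro.baidu.com uijs.php click URL.

    Assumption: cpro encodes the ad keyword as GBK bytes, so the percent-escapes
    are decoded with that codec; errors='strict' makes a wrong guess fail loudly
    instead of silently producing replacement characters.
    """
    parts = urlsplit(refang(url))
    params = parse_qs(parts.query, encoding=keyword_encoding, errors="strict")
    return {
        "host": parts.hostname,
        "keyword": _first(params, "k"),        # search keyword the ad was matched on
        "partner": _first(params, "q"),        # publisher/partner tag (here 7k7k.com)
        # parse_qs has already percent-decoded the nested landing-page URL once.
        "landing": _first(params, "u"),
    }


def decode_redirect(url):
    """Fields from a www.baidu.com/s search URL (literal UTF-8 query, default codec)."""
    parts = urlsplit(refang(url))
    params = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "keyword": _first(params, "wd"),
        "partner": _first(params, "tn"),
    }


def is_baidu_host(hostname):
    """True only for baidu.com itself or a real subdomain (not e.g. baidu.com.evil.tld)."""
    return hostname == "baidu.com" or hostname.endswith(".baidu.com")


def redirect_matches_ad(ad_url, redirect_url):
    """Does the redirect stay on Baidu and carry the same keyword and partner tag
    as the click URL? A hop to another host or with different parameters would be
    the thing worth investigating further."""
    ad, hop = decode_ad_url(ad_url), decode_redirect(redirect_url)
    return (is_baidu_host(hop["host"])
            and ad["keyword"] == hop["keyword"]
            and ad["partner"] == hop["partner"])


if __name__ == "__main__":
    print(decode_ad_url(AD_URL))
    print(decode_redirect(REDIRECT_URL))
    print("consistent first-party redirect:", redirect_matches_ad(AD_URL, REDIRECT_URL))
```

Decoding `k` as GBK yields 宠物精灵, the same string that appears literally in the `wd` parameter of the redirect, and `q=7k7kcom_cpr` matches `tn=7k7kcom_cpr`; the `u` parameter is the 7k7k.com page the ad was embedded on. Doing this offline avoids fetching the click URL at all, which is what you want when a scanner has flagged the host.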

In the cloud results from the tracker-tracker tool:

-cpro.baidu.com/cpro/ui/uijs.php?c=news&cf=2&ch=0&di=1&fv=16&jk=91e2023920fb9368&k=%B3%E8%CE%EF%BE%AB%C1%E9&k0=%B3%E8%CE%EF%BE%AB%C1%E9&kdi0=1&luki=2&n=10&p=baidu&q=7k7kcom_cpr&rb=0&rs=1&seller_id=1&sid=6893fb203902e291&ssp2=1&stid=116&t=tpclicked3_hc&tu=u1999822&u=htxp%3A%2F%2Fwww%2E7k7k%2Ecom%2Fflash%2F121308%2Ehtm&urlid=0 -cpro.baidu.com/cpro/ui/uijs.php ad c=news&cf=2&ch=0&di=1&fv=16&jk=91e2023920fb9368&k=%B3%E8%CE%EF%BE%AB%C1%E9&k0=%B3%E8%CE%EF%BE%AB%C1%E9&kdi0=1&luki=2&n=10&p=baidu&q=7k7kcom_cpr&rb=0&rs=1&seller_id=1&sid=6893fb203902e291&ssp2=1&stid=116&t=tpclicked3_hc&tu=u1999822&u=htxp%3A%2F%2Fwww%2E7k7k%2Ecom%2Fflash%2F121308%2Ehtm&urlid=0 1572 2500 2015-03-20 22:09:10 (cpro|cbjs|hm).baidu.com nil Baidu Ads
Here there is a trojan; see the HTTP request given here: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Clicker-GF/detailed-analysis.aspx

See the tracker-tracker results mentioned there. Do not open links from the txt file in a browser. Info for research purposes only. Re: http://totalhash.com/network/dnsrr:www.mootolola.com (hash ip mutex pdb registry url useragent version).

pol