Malicious site or just an innocent txt representation?

My firekeeper extension in my browser alerted me to this when visiting the URL:
=== Triggered rule ===
alert (msg:“The address you tried to access points to a Malware. Please visit http://www.malwarepatrol.net for more information”; url_content:“htxp://spth.virii.lu”; reference:url,www.malwarepatrol.net; fid:642459; rev:20130926145254;)

=== Request URL ===
htxp://spth.virii.lu/rrlf6/utilities/split.htm

Normalized URL: htxp://spth.virii.lu:80
Submission date: Thu Sep 26 17:00:19 2013
Server IP address: 80.90.43.162
Country: Luxembourg
Malicious files: 1
Suspicious files: 0
Potentially Suspicious files: 0
Clean files: 105
External links detected: 364
Iframes scanned: 0
Blacklisted: No

Malicious files: 1

/cb5/cb5418.txt
Severity: Malicious
Reason: Detected known malicious content.
Details: Threat detected according to previously retrieved information
File size[byte]: 651
File type: ASCII
MD5: AC54C53CEAD78F2967DE2BF0B48DE823
Scan duration[sec]: 0.001000

https://www.virustotal.com/en/ip-address/80.90.43.162/information/

See: http://scanurl.net/?u=http%3A%2F%2Fspth.virii.lu%2Frrlf6%2Futilities%2Fsplit.htm&uesb=Check+This+URL#results
Quttera scans as malicious: http://www.quttera.com/detailed_report/spth.virii.lu
Malicious files: 1

/cb5/cb5418.txt
Severity: Malicious
Reason: Detected known malicious content.
Details: Threat detected according to previously retrieved information
File size[byte]: 651
File type: ASCII
MD5: AC54C53CEAD78F2967DE2BF0B48DE823
Scan duration[sec]: 0.001000

Also detected by Netcraft:
=== Triggered rule ===
alert (msg:“The address you tried to access points to a Malware. Please visit http://www.malwarepatrol.net for more information”; url_content:“htxp://spth.virii.lu”; reference:url,www.malwarepatrol.net; fid:642459; rev:20130926145254;)

=== Request URL ===
http://mirror.toolbar.netcraft.com/check_url/v2/http://spth.virii.lu/1348086690/info

Is this a threat or just an innocent txt representation of a malcode tool?
Please comment?

polonus

It is also blocked by Trend Micro: http://global.sitesafety.trendmicro.com/result.php
As Disease Vector.

Malicious to ZScaler: http://zulu.zscaler.com/submission/show/de2d8f8508bf573c575ae6aac2344422-1380211269

Something not right with the certification as well, see
Certificate does not match name spth.virii.lu

Subject adamas.ai
Valid from 10/Jan/2013 to 10/Jan/2014
Issuer adamas.ai

SSL Certificate is not trusted
The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

http://spth.virii.lu/rrlf6/css/style_all.css flagged as malicious external link
{“timestamp”: “1380222385”, “sha256”: “5d41fd767e8bed0e8f0a10236387c430caac3f96b98d806745dcab5dddcaf2a4”, “analysis_url”: “/en/url/5d41fd767e8bed0e8f0a10236387c430caac3f96b98d806745dcab5dddcaf2a4/analysis/1380222385/”, “result”: 1, “verbose_msg”: “Invalid URL”}
Given as benign here: http://wepawet.iseclab.org/view.php?hash=ac71e7e4b530c8fddf8d74a0182664af&t=1380222477&type=js

pol

This is more like what we are looking for, this report - a bad webrep site:
See: http://app.webinspector.com/public/reports/17388672?cache=true (supporting my evaluation as innocent txt file)
See: http://app.webinspector.com/public/reports/17392931
https://www.malwarepatrol.net/cgi/search.pl?id=VHJvamFuLlZCUy5VbWJyaWVsLmE=
https://www.virustotal.com/en/file/1200c188a37466403682042fd8c768fc706601b1093897fee306ffd064239ea7/analysis/
which file avast! detects as VBS:Shutdown-R [Trj]
http://wepawet.iseclab.org/domain.php?hash=a896259dbf430791d67b8e6f7f9786b9&type=js
and with this scan we rounded our circle of scans: http://wepawet.iseclab.org/view.php?hash=794b97dfcb1f6512dbac8e7decf4bb62&t=1375870095&type=js
Verdict: suspicious

polonus

Honza Zika from Avast does not think that the site is malicious.

Hi Steven Winderlich,

I agree here with Honza Zi. This is a tool code txt file and “an sich” non-malicious and no immediate threat to the computer that opens up that URI. The tool could be used to abuse, however, so that is why some may flag it. The main domain carries live malware files, as was also mentioned. Web rep of that domain should be accordingly suspicious.

polonus