Malvertising Not Detected leading to ransom

This URL:
hxtps://u4661625.ct.sendgrid.net/wf/click?upn=8gGmuiNqVVjCGwsLoyaKntZMHPpfh2Jt2E7eH3-2B4JomsSSqpYkhgPYtpG5KjAgBPSQ0JU7PQfksgeQxpwIrxPNradtF6zTTo2aoHN3D0lEz4E6MpbyUbnJpeTdJF-2FTa7PSO-2F9aW5enksUOR-2BgaJ1BdmgPKnsEovTLz8NEFFqEJ7fqlQAtRK1dvSWHvl7O-2BpXGUE1aAA8WNruDAAdLKFXCEMErvsPRDQZ07yAM14-2FzGw-3D_KCdEmIBmwRcbxYEllRuKqMaPS8BClGRjLZggAh4Hqe-2B3oc8DOimWFLUZU9QktPw4qHLLOovhXD433IcQaRpgqkD714TuV6bVjwKg95-2Br0edov6U-2B-2FjDlxZAYGZYsAqEdK49mauHreiNYukK0L66ajTs4w-2FjNngQrvXLIPJUuUpWMktoh-2Ftfphz3XUTulkthQEXVjnfhKha5IPxKc2K82O56DdikSUl1uylAf2cqHsPNavmyKX-2Bgf0b09tL7fP3Is

Leads to JS Ransom:
https://www.reverse.it/sample/deda83aa5884767518c26113bb361139c0bc609b2398342cf0dc5fcc3446907f?environmentId=100

Binary isn’t Detected either:
https://www.virustotal.com/en/file/deda83aa5884767518c26113bb361139c0bc609b2398342cf0dc5fcc3446907f/analysis/1485834497/

Not Blocked by Avast!

Declared as Bad:
http://zulu.zscaler.com/submission/show/a6177bf6545bee87774135b5b610b4ae-1485834702

Reported to Avast.

Again, malvertising leading to JS Ransom is not being blocked:

https://www.virustotal.com/en/file/deda83aa5884767518c26113bb361139c0bc609b2398342cf0dc5fcc3446907f/analysis/1485835119/

Reported.

This is while running the beta, 17.1.2284.

Behavior shield in action.

It's good to see this, and thanks for the info; still, avast! should be blocking such malvertised ads.

There are 3 red flags for the domain on Zscaler that lead to ransom:
http://zulu.zscaler.com/submission/show/a6177bf6545bee87774135b5b610b4ae-1485834702

I investigated the rest; they seem clean.

In order to detect malvertising, all text on a page and what images are showing must be analyzed.

I can advertise a car and say it has 300 Kwh while in reality it has 50.
Good luck detecting that.

At least the concerned redirects to the malware can be blocked. By the way, avast! is now detecting the JS.