- Apr 25, 2015
- 1,845
- 2
- 2,199
- 327
I am relaxing when a PDF pops up and I have to inspect this file.
I open said PDF in Notepad++ and search "http".
I find a link to view-source:http : //monks dot org /cache/rZSOPqvMEj/bolero_Haplodoci.html
I have of course added this link, so http : //monks dot org /cache/rZSOPqvMEj/bolero_Haplodoci.html is the actual link but be careful.
Code:
<head>
<meta name="description" content="ok file uploaded">
<meta http-equiv="refresh" content="0;URL=https://loubanas.xyz/3wFzHB"/>
</head>
<body>
<!-- Hello! -->
</body>
Now we know this just redirects to loubanas, wtf is this?
Time to again use view-source on https : //loubanas . xyz/3wFzHB (ALSO DO NOT CLICK): view-source:https : //loubanas . xyz/3wFzHB
Code:
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta charset="UTF-8"><meta content="origin" name="referrer"><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp" name="robots"
We can beautify the above to read it more easily.
Unfortunately, it would appear that when you load the website hosted by 49.51.172.149 (Tencent owned), you are 302 redirected to Google. This is pretty freakin' weird!
What are they doing.. the attached PDF's generated name is Unpaid_Inv#547Y.pdf
They are really just mass-mailing everyone most probably.. to open the PDF, click, and redirect.
Very damn strange.
Code:
*Possibly malicious web addresses below*
https://loubanas.xyz/3wFzHB
http://monks.org/cache/rZSOPqvMEj/bolero_Haplodoci.html
In other cases, you may find this redirects to malicious software or a cryptominer; make sure to use this URL scanning tool to check any and all links/redirects you find for malware:
URL and website scanner - urlscan.io
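As an added example (my own script, not something from the post above or from the sample), here is the same triage done in Python instead of Notepad++: pull http(s) URIs out of a PDF's link annotations, pull the meta-refresh target out of the landing page, and defang the result before pasting it anywhere. The PDF and HTML below are constructed stand-ins with .invalid hostnames, not the real attachment or the real hop. Caveat that matters for this technique: a plain text search only sees uncompressed objects, so if the link sits inside a FlateDecode'd object stream you need to inflate it first (e.g. qpdf --qdf, or pdf-parser) before this search finds anything.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin

# Constructed sample: a minimal PDF whose page carries one /Link annotation
# with a /URI action. Hostname is .invalid on purpose; this is not the real file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]
   /A << /S /URI /URI (http://example.invalid/cache/abc/landing.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample landing page: same meta-refresh trick as in the post,
# pointing at a made-up second hop.
SAMPLE_HTML = b"""<head>
<meta name="description" content="ok file uploaded">
<meta http-equiv="refresh" content="0;URL=https://redirect.invalid/3wFzHB"/>
</head>
<body><!-- Hello! --></body>"""

# /URI (…) literal strings in uncompressed link annotations, plus any bare
# http(s) string anywhere in the file (what the Notepad++ search would hit).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
HTTP_RE = re.compile(rb"https?://[^\s<>\"')]+")


def extract_pdf_urls(data: bytes) -> List[str]:
    """Return unique URLs found in /URI actions or as bare http(s) strings.

    Only sees plain-text objects: inflate object streams first if this is empty.
    """
    found: List[str] = []
    for pattern, group in ((URI_RE, 1), (HTTP_RE, 0)):
        for m in pattern.finditer(data):
            url = m.group(group).decode("latin-1")
            if url not in found:
                found.append(url)
    return found


class _MetaRefresh(HTMLParser):
    """Collect the URL from <meta http-equiv="refresh" content="N;URL=…">."""

    def __init__(self) -> None:
        super().__init__()
        self.target: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("http-equiv") or "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
        if m:
            self.target = m.group(1).strip()


def meta_refresh_target(html: bytes, base_url: str = "") -> Optional[str]:
    """Return the absolute meta-refresh destination of a page, or None."""
    p = _MetaRefresh()
    p.feed(html.decode("utf-8", "replace"))
    if p.target is None:
        return None
    # Relative refresh targets resolve against the page that served them.
    return urljoin(base_url, p.target) if base_url else p.target


def defang(url: str) -> str:
    """Make a URL non-clickable before it goes into a ticket or a post."""
    return url.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for hop1 in extract_pdf_urls(SAMPLE_PDF):
        print("PDF link  :", defang(hop1))
        hop2 = meta_refresh_target(SAMPLE_HTML, base_url=hop1)
        if hop2:
            print("refreshes :", defang(hop2))
```

Run it against a real sample by swapping SAMPLE_PDF for open(path, "rb").read() and SAMPLE_HTML for whatever view-source gave you; the script never fetches anything itself, which is the point when the second hop might be live.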