Avast WEBforum

Other => Viruses and worms => Topic started by: Heewoon on January 17, 2022, 10:37:52 AM

Title: soundartifacts
Post by: Heewoon on January 17, 2022, 10:37:52 AM
(Do not go there, it is malicious.)

About 3 weeks ago I got this message saying the connection with soundartifacts.com was aborted. It was detected by Web Shield and the process was Google Chrome, my browser. What I want to know is what 8s this threat?!?
When I first opened the tab for soundartifacts.com, it was pretty much normal, didn't look like a scam. After a few days or so, I tried to check VirusTotal. It said no engines detected the threat, even Avast! Maybe it has something to do with my local system. I am using Windows 11 Home. When I first went to that site, it said my internet connection was gone. When I tried to go to the control menu on the taskbar to check for Wi-Fi, the Wi-Fi icon was gone. Also, Avast kept saying Loading... after this. I booted again after a while to see the syste was fully functioning. The Wi-Fi tab is back again, Avast works, and everything else is working the way it should.
Frozen in fear, I quickly did a Full Scan and checked for virus definition updates. Everything was ok, and Avast said thee was no malware after the scan.

About a week before I checked VirusTotal, rescanned the website, and saw that one security vendor marked this as malicious. I still don't know to this day what was wrong, but I guess it actually was malware.

VirusTotal Link: https://www.virustotal.com/gui/url/d2ba9b0222c38fa91357cb71e338fcd4725c37e78be2c8f48f46dd281baf8958

Thanks in advance!
Title: Re: soundartifacts
Post by: Asyn on January 17, 2022, 02:53:31 PM
-> https://sitecheck.sucuri.net/results/soundartifacts.com
Title: Re: soundartifacts
Post by: DavidR on January 17, 2022, 05:35:29 PM
Does't get any better here - https://snyk.io/test/website-scanner/?test=220117_BiDcM6_5f2b23a1a25bb4b435df19d64d0950a7&utm_medium=referral&utm_source=webpagetest&utm_campaign=website-scanner
Title: Re: soundartifacts
Post by: polonus on January 17, 2022, 09:48:19 PM
Already flagged by two vendors as malicious:
See: https://quttera.com/detailed_report/soundartifacts.com
and https://quttera.com/detailed_report/soundartifacts.com detected 1 HTTP redirect

The suspicious link: htxps://load5.biz/?pu%3Dmm4dgmzvge5ha3ddf4ztqmzw
which link has been blacklisted: https://sitecheck.sucuri.net/results/https/load5.biz/?q=pu%253Dmm4dgmzvge5ha3ddf4ztqmzw

Severity:   Potentially Suspicious
Threat:   PS.JS.Obfuscantion.gen
Reason:   Detected obfuscated JavaScript code used to hide suspicious activity
Details:   Detected procedure that is commonly used in suspicious activity.
Line:   1
Offset:   21442
Threat dump:   View code  - [p+"png/fd035XXXXXXXXXaa42adc8b87aa7791.png"} etc. (X by me, pol)
Threat dump MD5:   F7923870AE5F3E2F3C64F36B18A10379
File size[byte]:   99793
File type:   ASCII
Page/File MD5:   DDB0BC034070D2D6741C7D1DE8049F81
Scan duration[sec]:   3.721
Read on this generic threat: https://www.f-secure.com/v-descs/trojan_js_obfuscated_gen.shtml
This generic detection identifies files (HTML, PDF JavaScript or scripts) that contain obfuscated code, which may be used by malware authors to evade detection by security products, or analysis by security researchers. (source: info as found on mentioned page).

Title: Re: soundartifacts
Post by: Heewoon on January 27, 2022, 09:34:01 AM
Yes, the site check is prety weird since it says the domain was not found. This site is malicious, though. But the weird thing is when I visit it from mobile, it is not identified as a malware. So on mobile, it is fine, the site works as it should be.

Is there a possibillity that this may be a false positive?
Title: Re: soundartifacts
Post by: polonus on January 27, 2022, 03:57:02 PM
When you block or miss this external link: -https://load5.biz/?pu%3Dmm4dgmzvge5ha3ddf4ztqmzw
which is flagged by nine vendors as malicious, so that cannot be an FP.

Dr.Web   adult content/known infection source
Forcepoint ThreatSeeker   potentially unwanted software
Sophos   spyware and malware (insecure = - / htxp://ip-185-177-94-108.ah-server.com/