Topic: Macro malware on site detected or site already being taken down?


polonus (Avast Überevangelist, malware fighter)
Re: https://urlhaus.abuse.ch/url/154452/  (where avast at that moment did not flag)...
see: https://www.virustotal.com/en/file/0b4fcb67793121c0d9b806414d9a1065900489074d6b7a63bfc88eb2d8263385/analysis/1551976716/

WordPress configuration issue: Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled
/wp-content/uploads/      enabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

21 hints for improvement: https://webhint.io/scanner/6bce264a-a154-465a-bfd9-62a5eec81efe

Not flagged here, recent scan: https://www.urlvoid.com/scan/justinsimanjuntak.com/

DOM XSS Scan = Results from scanning URL: -http://justinsimanjuntak.com
Number of sources found: 3 ; number of sinks found: 186

F-grade scan results and other issues: https://observatory.mozilla.org/analyze/justinsimanjuntak.com

Scan hiccup: https://sitecheck.sucuri.net/results/justinsimanjuntak.com
-> https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=anVzdFtuc1ttfG5qdW50fGsuXl1t~enc

abuse on IP -> https://www.shodan.io/host/180.235.148.70
Re: https://www.abuseipdb.com/check/180.235.148.70  -> https://censys.io/ipv4/180.235.148.70
and reported for PHISHING: https://checkphish.ai/ip/180.235.148.70  (745 times during the last 30 days)

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
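The scanner output quoted in the post above only says "enabled" for the tested folders. The script below is an added example for this thread (not code from the post, from the scanner it quotes, or from WordPress): it recognises the listing pages Apache and nginx autoindex generate so the same test can be repeated on any folder, and it reads an .htaccess body to confirm that `Options -Indexes` actually ends up in effect (a later absolute `Options` line or a commented-out directive silently undoes it). The response bodies and the .htaccess text are constructed here so it runs offline; no host is contacted.

```python
"""Check web paths for directory indexing and audit the .htaccess fix.

Added example for this thread, not code from the forum post, the scanner it
quotes, or WordPress. All response bodies below are constructed so the script
runs offline.
"""
import re
from typing import Dict, Optional, Tuple

# Apache autoindex: <title>Index of /path</title> and a "Parent Directory" link.
# nginx autoindex:  <title>Index of /path/</title> and an href="../" link.
_TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*?)\s*</title>", re.I)
_PARENT_MARKERS = ("Parent Directory", "[To Parent Directory]", 'href="../"')


def looks_like_directory_listing(body: str, expected_path: Optional[str] = None) -> bool:
    """True if `body` is a server-generated listing (optionally of `expected_path`)."""
    match = _TITLE_RE.search(body)
    if not match:
        return False
    if expected_path is not None and match.group(1).rstrip("/") != expected_path.rstrip("/"):
        return False
    # A real listing links back to its parent; a page that merely mentions
    # "Index of" in prose does not.
    return any(marker in body for marker in _PARENT_MARKERS) and "<a href=" in body.lower()


def audit(responses: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Map each tested path to 'enabled' or a 'disabled (...)' reason."""
    results = {}
    for path, (status, body) in responses.items():
        if status == 200 and looks_like_directory_listing(body, path):
            results[path] = "enabled"
        elif status == 200:
            results[path] = "disabled (index page served)"
        else:
            results[path] = "disabled (HTTP %d)" % status
    return results


def htaccess_indexing_state(htaccess_text: str) -> str:
    """Return 'disabled', 'enabled' or 'unset' from the Options directives.

    Apache applies Options lines in order: relative forms (+/-) adjust the set,
    an absolute form replaces it, and `All` includes Indexes.
    """
    state = "unset"
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("options"):
            continue
        tokens = line.split()[1:]
        if any(t[0] in "+-" for t in tokens):
            for t in tokens:
                if t.lower() == "-indexes":
                    state = "disabled"
                elif t.lower() == "+indexes":
                    state = "enabled"
        else:
            state = "enabled" if any(t.lower() in ("indexes", "all") for t in tokens) else "disabled"
    return state


# --- constructed sample responses (not captured from any real host) ---
APACHE_LISTING = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1><table>
<tr><td><a href="/wp-content/">Parent Directory</a></td></tr>
<tr><td><a href="2019/">2019/</a></td></tr></table></body></html>"""
FORBIDDEN_PAGE = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"
THEME_PAGE = """<html><head><title>Example Site</title></head>
<body><p>Index of articles</p><a href="/about/">About</a></body></html>"""

SAMPLE_RESPONSES = {
    "/wp-content/uploads/": (200, APACHE_LISTING),
    "/wp-content/plugins/": (403, FORBIDDEN_PAGE),
    "/wp-content/themes/": (200, THEME_PAGE),
}

HTACCESS_FIX = "Options -Indexes\n"   # the one-line fix for the WordPress root .htaccess

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_RESPONSES).items():
        print(path, verdict)
    print("after fix:", htaccess_indexing_state(HTACCESS_FIX))
```

To run it against a live site, feed `audit()` the status code and body of a GET on each folder; a 403 or a served index page both count as "disabled", and only a genuine listing of the requested path is reported as "enabled", so a theme page that happens to contain the words "Index of" is not a false positive.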

Pondus (not an avast user)
Re: Macro malware on site detected or site already being taken down?
« Reply #1 on: March 07, 2019, 06:45:50 PM »
Quote: "Macro malware on site detected or site already being taken down?"
urlQuery will tell you with a screenshot   ;)

Seems to be a fake .doc that downloads the Emotet banking trojan if run

and yes it is alive



« Last Edit: March 07, 2019, 06:51:40 PM by Pondus »
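Pondus's point is that the URL serves a fake .doc, so the useful check is on the bytes, not the extension. The following is an added example for this thread (not from the post, and it embeds no real sample): it classifies a download by magic bytes, compares that with what the declared extension promises, and flags a VBA project in either legacy OLE or OOXML files. A .doc URL that answers with HTML is also caught, which is what a taken-down host typically returns. The byte strings are constructed stand-ins for the first bytes of each format, and the VBA check on OLE files is a string heuristic rather than a full Compound File parse.

```python
"""Classify a downloaded "document" by its bytes rather than its extension.

Added example for this thread, not code from the forum post; all samples
below are constructed, not real malware.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary: legacy .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsm) is a ZIP
PE_MAGIC = b"MZ"                                     # Windows executable

# What each declared extension should look like on the wire.
EXPECTED_KIND = {
    "doc": "ole-cfb", "dot": "ole-cfb", "xls": "ole-cfb",
    "docx": "ooxml-word", "docm": "ooxml-word",
    "xlsx": "ooxml-excel", "xlsm": "ooxml-excel",
    "pdf": "pdf", "exe": "pe", "dll": "pe",
}


def classify_bytes(data: bytes) -> str:
    if data.startswith(OLE_MAGIC):
        return "ole-cfb"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.startswith("word/") for n in names):
            return "ooxml-word"
        if any(n.startswith("xl/") for n in names):
            return "ooxml-excel"
        return "zip"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html", b"<head", b"<script")):
        return "html"
    return "unknown"


def has_vba(data: bytes, kind: str) -> bool:
    if kind == "ole-cfb":
        # CFB directory entry names are UTF-16LE; Word keeps the project in a
        # storage named "VBA" (under "Macros"). Heuristic: look for that name.
        return "VBA".encode("utf-16-le") in data
    if kind.startswith("ooxml"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    return False


def assess_download(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the real format and flag macros."""
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = classify_bytes(data)
    expected = EXPECTED_KIND.get(declared)
    return {
        "declared": declared,
        "actual": actual,
        "mismatch": expected is not None and actual != expected,
        "has_vba": has_vba(data, actual),
    }


def build_docx_like(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-shaped ZIP (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: just enough leading bytes to exercise each branch.
OLE_VBA_SAMPLE = (OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
                  + b"\x00" * 52 + "VBA".encode("utf-16-le"))
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
HTML_SAMPLE = b"<!DOCTYPE html>\n<html><head><title>Account Suspended</title></head></html>"

if __name__ == "__main__":
    for name, blob in [("invoice.doc", OLE_VBA_SAMPLE), ("invoice.doc", PE_SAMPLE),
                       ("invoice.doc", HTML_SAMPLE), ("report.docm", build_docx_like(True))]:
        print(name, assess_download(name, blob))
```

Run it on the saved body of the download (fetched from a disposable VM, as the signature below recommends): a `mismatch` of True means the extension lies about the format, and `has_vba` True on a file that arrived as an invoice or "trust account" document is the macro-lure pattern the thread is discussing.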

polonus (Avast Überevangelist, malware fighter)
Re: Macro malware on site detected or site already being taken down?
« Reply #2 on: March 07, 2019, 06:55:47 PM »
No content being returned: https://toolbar.netcraft.com/site_report?url=http://justinsimanjuntak.com
See detections on IP: https://www.virustotal.com/#/ip-address/180.235.148.70
But this uri resolves and is malicious: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=anVzdFtuc1ttfG5qdW50fGsuXl1tYHdwLXwjbVtuYHR9dXN0Lm15fF5eLnN7biMuYlt6YA%3D%3D~enc
Two engines to detect: https://www.virustotal.com/#/url/ab5e26cf5897a6c285c2fb101f2506da578a458b1ea8c545b54463a2720f71f3/detection
How is that, Pondus, some more recent VT data on file detection there?
Emotet flagged: https://www.virustotal.com/#/file/474e6447f8ae6a09da055b0292e6a600e1383d45ef35710493639e77af645a8d/detection
Probably Macro doc malware..

Who has the final verdict here? When you say the Norwegians have the last say, they say probably not with malcode:
https://urlquery.net/report/eb21d795-8680-410b-a48a-f5ff24b4d508

Maybe an avast team member can confirm this. Sad for the urlHaus detection...that is then an FP.
Or it is like Pondus says and we have some malcode to flag...

Damian aka polonus

polonus (Avast Überevangelist, malware fighter)
Re: Macro malware on site detected or site already being taken down?
« Reply #5 on: March 08, 2019, 12:13:23 AM »
Another emotet detection here: https://urlhaus.abuse.ch/url/154683/
Re: https://www.virustotal.com/en/file/796027d77d8f8d01b48d634bd3814c98d2de7a747ab1b9fb2f771759b05ec3ef/analysis/1551998557/
Not flagged by DrWeb's: Checking: -http://abdillahsystem.com
Engine version: 7.0.34.11020
Total virus-finding records: 7524334
File size: 98.54 KB
File MD5: 03746cd185ec3aed9cef53874c148fa0

-http://abdillahsystem.com - archive JS-HTML
>-http://abdillahsystem.com/JSTAG_1[501][1529] - archive BASE64
>>-http://abdillahsystem.com/JSTAG_1[501][1529]/0.part - Ok
>-http://abdillahsystem.com/JSTAG_1[501][1529] - Ok
>-http://abdillahsystem.com/JSTAG_2[40b3][17ac] - archive BASE64
>>-http://abdillahsystem.com/JSTAG_2[40b3][17ac]/0.part - Ok
>-http://abdillahsystem.com/JSTAG_2[40b3][17ac] - Ok
-http://abdillahsystem.com - Ok

Blacklisted by SpamHaus: https://sitecheck.sucuri.net/results/abdillahsystem.com
Consider: https://www.shodan.io/host/202.67.9.90
The not secure connection to phpinfo() linux blackbox web id. etc. https://www.virustotal.com/#/domain/abdillahsystem.com

See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fGIjW2xsfGhzeXN0e20uXl1tYA%3D%3D~enc

Does avast flag it in PUP mode?

polonus

Pondus (not an avast user)
Re: Macro malware on site detected or site already being taken down?
« Reply #6 on: March 08, 2019, 07:14:09 AM »
-xxxx://abdillahsystem.com/sekolah/trust.accounts.docs.biz/
That one seems to be taken down