... When it's an exploit of course!
This URL (vURL results, PDF);
wants us to believe it's a forum that's going to let us view the topic associated with the ID in the s= variable. Alas, it's neither a valid ID nor a forum at all. What you'll actually get is a whole host of badness battered down the pipes onto your poor machine.
And what badness do you get? Glad you asked! The above URL loads two additional URLs that deliver the payload;
SWF (flash) file
These files have one purpose - to deliver the payload. The payload itself comes from;
The payload is a 39K file called pdfupdate.exe, and the VT results as of December 29th were absolutely rubbish, with only 3 vendors detecting it;
I've just submitted it to VT again to see if the detections have improved yet, and though they could still be better, those 3 vendors are now up to 19;
The file is UPX packed, and unpacking it shows a 79K file that, according to VT reports, is a fake alert (otherwise known as "this is gonna infect yer poor machine and ask you to pay it for the privilege of doing so").
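Spotting the UPX packing before you even run the unpacker is a quick triage win, so here is an added example (my own code, not anything from the post or from the malware's authors) that walks a PE's section table and reports two packer indicators: the UPX0/UPX1/UPX2 section names stock UPX writes, and a high-entropy section, which stays useful when someone renames the sections. The 7.0 entropy threshold is an assumed heuristic, and build_sample_pe constructs a minimal, deliberately non-runnable PE image purely so the parser can be exercised offline:

```python
import math
import struct

# Section names written by stock UPX builds; trivially renamed, hence the entropy check too.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def parse_pe_sections(data: bytes):
    """Return [(name, raw_bytes)] for every entry in the PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, data[ptr_raw:ptr_raw + size_raw]))
    return sections


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(data: bytes) -> dict:
    """Summarise the section-level evidence that a sample is packed."""
    sections = parse_pe_sections(data)
    names = [n for n, _ in sections]
    max_entropy = max((shannon_entropy(raw) for _, raw in sections), default=0.0)
    return {
        "section_names": names,
        "upx_names": any(n in UPX_SECTION_NAMES for n in names),
        "max_section_entropy": round(max_entropy, 2),
        "high_entropy": max_entropy > 7.0,   # assumed threshold, tune on your own corpus
    }


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image (headers + section table + raw data) for offline tests."""
    num = len(sections)
    e_lfanew, opt_size = 0x40, 0                  # no optional header; the parser does not need one
    data_off = e_lfanew + 4 + 20 + opt_size + 40 * num
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0)
    headers, payloads = b"", b""
    for name, raw in sections:
        ptr = data_off + len(payloads)
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0, len(raw), ptr, 0, 0, 0, 0, 0)
        payloads += raw
    return dos + b"PE\0\0" + coff + headers + payloads


if __name__ == "__main__":
    # Constructed look-alike of a UPX-packed sample: empty UPX0, dense UPX1 payload.
    packed = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)])
    print(packer_indicators(packed))
```

On a real sample you would feed it `open(path, "rb").read()`; the section-name hit alone is enough to reach for the UPX decompressor, while a high-entropy section with innocent-looking names is the cue to suspect a custom or renamed packer.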
I don't have my test box up at the moment as I'm busy with work and sorting out a server issue, but the Anubis results for the unpacked file can be found here. Of interest is the following, which indicates the presence of a rootkit;
I did, however, notice the following bit of confusion when looking at the file in FileInsight;
Nope, I've no idea what that's about either.
The site resides at 18.104.22.168, and my database is showing this entire /24 as being dirty (so nope, not just a case of the sites being hacked). Malicious activity seen within this /24 includes;
The /24 lies within a range (22.214.171.124/22) owned by;
Desc: JINGXUN Beijing Jingxun Public Information Technology Co., Ltd
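The "entire /24 is dirty, so this isn't just a hacked site" call above is worth automating, so here is an added example of that reasoning (my own code, not from the post or from any blocklist vendor). It groups sighting records by their enclosing /24, flags a block once several distinct hosts in it have been seen misbehaving, and then checks whether a new IP falls inside a flagged block and inside the larger allocation it belongs to. The sightings, the addresses (RFC 5737 documentation ranges) and the three-host threshold are all constructed for the example:

```python
import ipaddress
from collections import defaultdict

# Constructed sighting records, as an analyst's database might hold them.
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, not real infrastructure.
SIGHTINGS = [
    ("192.0.2.17", "exploit kit landing page"),
    ("192.0.2.17", "fake alert download"),
    ("192.0.2.45", "exploit kit landing page"),
    ("192.0.2.203", "malware C2"),
    ("198.51.100.9", "phishing"),
]


def sightings_by_block(sightings, prefixlen=24):
    """Group sightings by enclosing network: {network: {host: [kinds]}}."""
    blocks = defaultdict(lambda: defaultdict(list))
    for ip, kind in sightings:
        host = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
        blocks[net][host].append(kind)
    return blocks


def dirty_blocks(sightings, prefixlen=24, min_hosts=3):
    """A block is dirty once min_hosts distinct hosts in it have malicious sightings.

    One bad host may just be a hacked site; several unrelated ones point at the
    hosting block itself. The threshold of 3 is an assumed heuristic.
    """
    return {
        net
        for net, hosts in sightings_by_block(sightings, prefixlen).items()
        if len(hosts) >= min_hosts
    }


def classify_ip(ip, sightings, allocation=None):
    """Report whether ip sits in a dirty /24 and (optionally) inside a given allocation."""
    host = ipaddress.ip_address(ip)
    block24 = ipaddress.ip_network(f"{host}/24", strict=False)
    verdict = {
        "host": str(host),
        "block": str(block24),
        "dirty_block": block24 in dirty_blocks(sightings),
    }
    if allocation is not None:
        # strict=False normalises an allocation written with host bits set (e.g. 'a.b.c.d/22')
        alloc = ipaddress.ip_network(allocation, strict=False)
        verdict["allocation"] = str(alloc)
        verdict["in_allocation"] = block24.subnet_of(alloc)
    return verdict


if __name__ == "__main__":
    # A previously unseen host in the same /24 as the three sighted ones.
    print(classify_ip("192.0.2.99", SIGHTINGS, allocation="192.0.2.77/22"))
    print(classify_ip("198.51.100.9", SIGHTINGS))
```

The allocation check matters for the whois step: an address written with host bits set, like the /22 quoted in the post, is accepted only with `strict=False`, which rewrites it to the block's actual network address before the containment test.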
Sunbelt sandbox results
Microsoft Malware Protection Center (results will be here once analysis is finished)
The following shows some interesting stats regarding the exploit pack being used here (Fragus/Nulled);