
Hi,
We have some issues with an HTML page that shows a circle loader. This HTML is categorised as malware by Netskope:

  • Malware name: Trojan.HTML.MALINK.FASJSNORS
  • MD5: 51618ac2b7cf5c4937213e965c00f20a
  • SHA256: 0b41f69e6564b9c89b1b344744c5b06eb4adc0e584028909286d2b936e1afed5

This is the script content that loads the HTML:

<script language="Javascript">var _skz_pid = "9POBEX80W";</script>
<script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script>

 

 

In VirusTotal, it is also categorised as malware.

Searching in urlscan, you can see several web pages with this hash, but they always refer to a 40X HTTP response.
This is one example: https://urlscan.io/result/7d7170fa-b6d7-43bd-87da-df6028f0a753/

Reading this post, it seems that some hosting servers, WordPress plugins, etc., are using this HTML loader template instead of a 404 page.

Most likely, some malware was pointing to some server, but then the malware content was deleted, and antivirus engines started to categorise this loader as malware.

I've added the MD5 to the allowList hashes, but I think this should be re-categorised.
