Question Safari downloads random ZIP file

Jun 5, 2019
So, I've been experiencing something weird.

Safari has downloaded a random ZIP file twice so far. The download was made while browsing Facebook and WhatsApp respectively. The ZIP file is called 2018-2019.zip and contains an alias. I did not open the alias file, however, the properties window says the original file is in /net/nfsdelivery.duckdns.org/nfs/2018-2019. I tried to find information on the web about this but found nothing.

I have only one extension installed, Adguard, which I've been using for years now without a single problem.
I'm running macOS High Sierra 10.13.6 on a MBP late 2012.

I just don't get it. Maybe I got infected with malware or spyware somehow?

Thanks in advance.
 

dlouzan

Jun 6, 2019
I have just experienced exactly the same thing. Any news? It really looks weird. In my case I think it happened after opening a Wikipedia page, though I'm not 100% sure.

I'm on the very latest version of macOS 10.14.5 and Safari 12.1.1 as of today, on a 2017 MacBook Pro.
 

dlouzan

Jun 6, 2019
A couple of extra pieces of info: my Safari had the setting to auto-open zip files on (bad), and I used the console to check what is in there and found the data below.

Code:
$ ls -lisa ~/Downloads/2018-2019
total 3040
8631846338    0 drwxr-xr-x@  4 diego  staff      128 Jun  6 12:40 .
    633747    0 drwx------  27 diego  staff      864 Jun  6 13:26 ..
8631846340 3040 -rw-r--r--@  1 diego  staff  1554944 Jun  3 15:49 ...
8631846341    0 lrwxr-xr-x   1 diego  staff       42 Jun  6 12:40 2018-2019 -> /net/nfsdelivery.duckdns.org/nfs/2018-2019

Code:
$ ls -lisa /net/nfsdelivery.duckdns.org/nfs
total 42
1028437 8 drwxrwxrwx  6 root  wheel  4096 Jun  5 23:32 .
      7 2 dr-xr-xr-x  3 root  wheel     2 Jun  6 12:40 ..
1415877 8 drwxrwxrwx  5 root  wheel  4096 Jun  5 23:32 2018-2019
131248 8 drwxrwxrwx  3 root  wheel  4096 Jun  5 12:39 DaisyDisk
1161937 8 drwxrwxrwx  3 root  wheel  4096 Jun  3 14:09 DaisyDisk.bak
1162111 8 drwxrwxrwx  3 root  wheel  4096 Jun  4 12:37 Documentos
 
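Added example, not part of any poster's message: one way to list the symbolic links inside a downloaded ZIP and their targets without extracting it, flagging targets under `/net/`, where the macOS automounter mounts an NFS export on access. The function names and the sample archive (with the placeholder host `example.invalid`) are constructed for illustration.

```python
import io
import stat
import zipfile

# Prefixes handled by the macOS automounter: touching /net/<host>/... mounts
# an NFS export from <host>, so a link pointing there reaches a remote server.
AUTOMOUNT_PREFIXES = ("/net/",)
UNIX = 3  # ZIP "created on" code for Unix; only then are mode bits meaningful


def find_symlinks(source):
    """Return [(entry, target, is_automount)] for symlink entries in a ZIP.

    `source` is a path or a binary file object. Nothing is written to disk:
    for a symlink entry, the stored "file content" is the link target.
    """
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix st_mode lives in the high 16 bits
            if info.create_system == UNIX and stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                findings.append(
                    (info.filename, target, target.startswith(AUTOMOUNT_PREFIXES))
                )
    return findings


def sample_zip():
    """Constructed archive: one symlink entry and one regular file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("2018-2019/2018-2019")
        link.create_system = UNIX
        link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(link, "/net/example.invalid/nfs/share")  # placeholder target
        zf.writestr("2018-2019/notes.txt", "constructed regular file")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, target, remote in find_symlinks(sample_zip()):
        flag = "  [automounted network path]" if remote else ""
        print(f"{name} -> {target}{flag}")
```

To check a real download, pass its path instead, for example `find_symlinks("/path/to/download.zip")`.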
Jun 5, 2019
Okay so, I found this thread on Apple. It's a day old and the person who posted it has experienced the exact same thing.

Apple thread

Someone suggested that Safari could've been infected with malware, oddly enough I have not downloaded anything nor browsed through shady webpages. I checked all Safari settings as they suggested but found nothing abnormal. No new extensions, the homepage didn't change and the Proxy settings were just fine.

Nevertheless, I will run Malwarebytes and share the results here.
 

dlouzan

Jun 6, 2019
Thanks for the link, I just did that a while ago, no threats reported and I also checked the instructions about extensions and proxies in Safari. Nothing had been changed.

Additionally: you should edit the Apple thread link and remove the session id param, it won't open otherwise.
 
Jun 6, 2019
I am the guy from the Apple forums. I don't think that it is malware because of the PDF app, but anyway I will search more about this thing, and I think that it is an Apple app.
 
Jun 6, 2019
Hey guys, when Safari downloaded that file, did you have a document on your desktop? Or have you ever used the import from iPhone utility that appears when right-clicking the desktop to scan a document?
 
Jun 5, 2019
I'm afraid not. I was simply browsing the internet when the download occurred.
 

dlouzan

Jun 6, 2019
Where did you get that link? In the browser history? The GitHub group does not exist; the link returns a 404.

By the way, it totally looks like malware. The link uses the string 'rnaster' instead of 'master' to make it look like a hosted raw file in the repository, but it was most probably a malicious file in the source code of the repo.
 
Jun 6, 2019
I was on a dictionary page, then I started to do other things on my computer, browsing in new tabs and stuff, and then I saw that GitHub error page. I searched for where it came from, and it turned out that the previous page was the dictionary page, and I did not enter that link.
 
Jun 6, 2019
By the way, it totally looks like malware. The link uses the string 'rnaster' instead of 'master' to make it look like a hosted raw file in the repository, but it was most probably a malicious file in the source code of the repo.
Hopefully it is not, but I have contacted GitHub to see if they know something about that, if it was a repo or what, and if they deleted it.
I don't think that I will get an answer, but it's good to try.