Hmm. Trying to get one of these tips to work.
Found a malicious download on a Mac and trying to track down how it got there.
https://www.virustotal.com/en/file/e7d2a3602f39d4cdacddf56432482275ac6185d440618cd41691ccb2181c1846/analysis/ is the download, which is infected with the Bundlore malware.
Here's what I figured out so far: Finder Info shows (under More info):
Where from: http://cdn.downloads-free-video.com/download/Mac/setup.dmg/?software=downloader&name=Setup.exe&clickid=22484897226853631&appid=778, http://www.zdurnalab.info/mac/178/v10/?did=mobit2&sub=w8VA26EHS2MTBFQL0OSGJLDI
Searching Safari history shows
http://www.zdurnalab.info/mac/178/v10/?did=mobit2&sub=w8VA26EHS2MTBFQL0OSGJLDI
was visited 2 days ago.
But ~/Library/Safari/History.plist doesn't contain the strings zdurnalab, downloads-free-video, or Downloader!
Looking through results of
open ~/Library/Caches/Metadata/Safari/History/
AHA! SOLVED! User was on that famous pirate ship torrent website (currently in the .la TLD); it served up the malware via an ad.
Ooh, think I found a security hole in Spotlight / Quickview ?! Got me an 0day? A mere Quickview shouldn't cause Safari to download a file. Good thing I always disable [Open "safe" files after downloading] in Safari (General tab).
... to be continued/edited!
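The steps above (read the "Where from" metadata, check the quarantine stamp, search Safari's history for the referring site) can be scripted instead of clicked through. The following is an added example in Python, not code from the post's author; it works on constructed sample data rather than the infected machine. It assumes the usual layouts: kMDItemWhereFroms is a binary plist holding a list of URL strings (download URL first, referrer second), com.apple.quarantine is a semicolon-separated string of flags, hex timestamp, agent and UUID, and the older History.plist keeps a "WebHistoryDates" array whose entries store the URL under the empty key and the last visit as seconds since 2001-01-01. To feed it real data you would capture the attribute with `xattr -px com.apple.metadata:kMDItemWhereFroms setup.dmg` and pass that hex text to `decode_xattr_hex`.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# --- Constructed sample data (not taken from the machine in the post) ---

# kMDItemWhereFroms as macOS stores it: a binary plist with [download URL, referrer].
SAMPLE_WHEREFROMS = plistlib.dumps(
    ["http://cdn.example.invalid/download/Mac/setup.dmg/?software=downloader",
     "http://referrer.example.invalid/mac/178/v10/?did=mobit2"],
    fmt=plistlib.FMT_BINARY)

# com.apple.quarantine: "<flags>;<hex seconds since Unix epoch>;<agent>;<uuid>" (assumed layout)
SAMPLE_QUARANTINE = "0081;5a1b2c3d;Safari;12345678-ABCD-EF01-2345-6789ABCDEF01"

# Old-style ~/Library/Safari/History.plist (assumed layout): "WebHistoryDates" array,
# URL under the "" key, lastVisitedDate as a string of seconds since 2001-01-01.
SAMPLE_HISTORY = plistlib.dumps({
    "WebHistoryDates": [
        {"": "http://referrer.example.invalid/mac/178/v10/?did=mobit2",
         "lastVisitedDate": "500000000.0", "title": "Free video", "visitCount": 1},
        {"": "https://example.org/",
         "lastVisitedDate": "500100000.0", "title": "Example", "visitCount": 3},
    ]}, fmt=plistlib.FMT_BINARY)

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CFAbsoluteTime zero


def decode_xattr_hex(hex_text):
    """Turn the output of `xattr -px <attr> <file>` (hex pairs, wrapped across
    lines) back into the raw attribute bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def where_froms(xattr_bytes):
    """Decode com.apple.metadata:kMDItemWhereFroms into its list of URLs."""
    value = plistlib.loads(xattr_bytes)
    if not isinstance(value, list):
        raise ValueError("unexpected kMDItemWhereFroms payload")
    return [str(u) for u in value]


def parse_quarantine(text):
    """Split a com.apple.quarantine value into its fields; the timestamp is
    hex seconds since the Unix epoch, so it dates the download itself."""
    flags, ts_hex, agent, *rest = text.split(";")
    return {
        "flags": int(flags, 16),
        "downloaded_at": datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        "agent": agent,
        "uuid": rest[0] if rest else None,
    }


def history_hits(history_bytes, needle):
    """Return (url, last_visit) for History.plist entries whose URL or title
    contains `needle` (case-insensitive), converting Apple absolute time."""
    entries = plistlib.loads(history_bytes).get("WebHistoryDates", [])
    needle = needle.lower()
    hits = []
    for entry in entries:
        url = str(entry.get("", ""))
        title = str(entry.get("title", ""))
        if needle in url.lower() or needle in title.lower():
            when = APPLE_EPOCH + timedelta(seconds=float(entry.get("lastVisitedDate", "0")))
            hits.append((url, when))
    return hits


def hosts_to_check(urls):
    """Strip scheme and path so each 'Where from' URL becomes a host to grep for."""
    out = []
    for u in urls:
        host = u.split("//", 1)[-1].split("/", 1)[0]
        if host not in out:
            out.append(host)
    return out


if __name__ == "__main__":
    urls = where_froms(SAMPLE_WHEREFROMS)
    print("Where from:", urls)
    print("Quarantine:", parse_quarantine(SAMPLE_QUARANTINE))
    for host in hosts_to_check(urls):
        for url, when in history_hits(SAMPLE_HISTORY, host):
            print(f"history hit for {host}: {url} last visited {when:%Y-%m-%d %H:%M UTC}")
```

The point of the timestamps: the quarantine stamp gives the moment the download happened, and the history entry for the referrer gives the last visit to that page; when those line up you have the page that served the download, and when the referrer is absent from History.plist (as in the post) the cached history metadata is the next place to look.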