pwdremover.exe

PDF Password Remover v5.0

Lingwen Global Software Co., Ltd.

The application pwdremover.exe, “PDF Password Remover v5.0 Setup” by Lingwen Global Software Co., has been detected as a potentially unwanted program by 2 of 68 anti-malware scanners. The file is an Inno Setup installer that runs the InstallCore download manager, which may bundle additional software offers such as toolbars and browser extensions alongside the advertised product. The file has been seen being downloaded from pdf-password-remover.en.softonic.com and multiple other hosts.
Publisher:
VeryPDF.com Inc. (signed by Lingwen Global Software Co., Ltd.; note that the Authenticode signer differs from the advertised publisher)

Product:
PDF Password Remover v5.0

Description:
PDF Password Remover v5.0 Setup

MD5:
c54f3bb2e7cfaea7e8fec97475b185b9

SHA-1:
c04a2a17dc85331ae48fadf4f901eae4d38b7276

SHA-256:
0c219b1b32901fe3566ec7a7a674a829d4f0d882604dfc87fefce794b181d3a4

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
12/26/2024 5:47:22 PM UTC

Scan engine          Detection                  Engine version
Reason Heuristics    PUP.InstallCore.CSH (L)    16.12.2.2
Sophos               PDF Decrypt (PUA)          4.98

File size:
1.2 MB (1,237,568 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\My documents\downloads\programs\pwdremover.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
5/12/2016 8:00:00 AM

Valid to:
5/13/2017 7:59:59 AM

Subject:
CN="Lingwen Global Software Co., Ltd.", O="Lingwen Global Software Co., Ltd.", STREET="26 West Area, 7/F, No.5,", STREET="Guangyuanzha, Zizhuqiao Rd.,", L=Haidian District, S=Beijing, PostalCode=157, C=CN

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2E9FB9FFD00058DF121C77E2C5C808A6

File PE Metadata
Compilation timestamp:
6/20/1992 6:22:17 AM (the fixed placeholder value 0x2A425E19 that the Borland/Delphi linker writes into every binary it produces; Inno Setup is built with Delphi, so this field does not reflect the actual build date)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:EQiJ5XJo9HbRhFhiSVN6LZYu/wXTMNC7+B4vfkc1ywX1nBHnl7uK:E9Zo97RhDR6LZYuIXUC7+SE4ywX1BHb

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 

Entropy:
7.9860 (close to the 8.0 maximum; expected for an Inno Setup installer, whose compressed payload makes up most of the file, so the value alone does not indicate a packer)

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)
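The following script is an added editorial example for triaging a local copy of the file; it is not Reason Core Security's tooling and not part of the original report. It computes the three hashes and compares them with the values listed above, computes the Shannon entropy, and reads the PE header fields shown in this section (timestamp, linker version, OS version, subsystem, code size, entry point RVA and first bytes) using only the Python standard library, flagging the fixed Borland timestamp 0x2A425E19 rather than reporting it as a build date. Because the real binary is not embedded here, `build_sample_pe()` constructs a minimal PE32 stub carrying the report's header values and entry-point bytes so the script runs stand-alone; passing a path on the command line triages that file instead. The hash constants are the ones listed above; the stub, the function names and the choice of fields are assumptions of this example.

```python
"""Offline triage of a Win32 installer such as pwdremover.exe: file hashes, Shannon
entropy and the PE header fields listed in the report (standard library only).
Editorial example; not Reason Core Security's tooling."""
import hashlib
import math
import struct
from collections import Counter

# Hashes the report lists for the analysed pwdremover.exe (copied from the page).
REPORTED = {
    "md5": "c54f3bb2e7cfaea7e8fec97475b185b9",
    "sha1": "c04a2a17dc85331ae48fadf4f901eae4d38b7276",
    "sha256": "0c219b1b32901fe3566ec7a7a674a829d4f0d882604dfc87fefce794b181d3a4",
}
# TimeDateStamp that Borland/Delphi linkers write regardless of build time
# (0x2A425E19 == 1992-06-19 22:22:17 UTC); Inno Setup binaries carry it.
BORLAND_FIXED_TIMESTAMP = 0x2A425E19
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; near 8.0 means compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes, entry_len: int = 16) -> dict:
    """Read the COFF/optional header fields the report shows and the first bytes at
    the entry point (RVA mapped to a file offset through the section table).
    The optional-header offsets used here are the same for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, size_of_code, _, _, entry_rva = struct.unpack_from("<HBBIIII", data, opt)
    os_maj, os_min = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    entry = b""
    for i in range(nsect):  # 40-byte section headers follow the optional header
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            off = entry_rva - va + rawptr
            entry = data[off:off + entry_len]
            break
    return {
        "machine": hex(machine),
        "pe32plus": magic == 0x20B,
        "timestamp": hex(stamp),
        "borland_placeholder_timestamp": stamp == BORLAND_FIXED_TIMESTAMP,
        "linker_version": f"{lmaj}.{lmin}",
        "os_version": f"{os_maj}.{os_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "entry_bytes": entry.hex(" ").upper(),
    }


def triage(data: bytes) -> dict:
    info = parse_pe(data)
    digests = hashes(data)
    info.update(digests)
    info["entropy"] = round(shannon_entropy(data), 4)
    info["matches_report"] = digests == REPORTED  # identical bytes only
    return info


def build_sample_pe() -> bytes:
    """Constructed PE32 stub (not the real pwdremover.exe) carrying the header
    values and entry-point bytes the report shows, so the script runs offline."""
    entry_rva, sect_va, sect_raw, sect_size, e_lfanew = 0xA5F8, 0xA000, 0x400, 0x1000, 0x80
    img = bytearray(sect_raw + sect_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine=i386, 1 section, Borland timestamp, 224-byte optional header, EXE flags
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, BORLAND_FIXED_TIMESTAMP, 0, 0, 224, 0x010F)
    opt = coff + 20
    # PE32 magic, linker 2.25, SizeOfCode 40,448, AddressOfEntryPoint 0xA5F8
    struct.pack_into("<HBBIIII", img, opt, 0x10B, 2, 25, 40448, 0, 0, entry_rva)
    struct.pack_into("<HH", img, opt + 40, 1, 0)  # OS version 1.0
    struct.pack_into("<H", img, opt + 68, 2)      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<8sIIIIIIHHI", img, opt + 224, b".text", sect_size, sect_va,
                     sect_size, sect_raw, 0, 0, 0, 0, 0x60000020)
    off = entry_rva - sect_va + sect_raw
    img[off:off + 11] = bytes.fromhex("558BEC83C4C453565733C0")  # push ebp; mov ebp,esp; ...
    return bytes(img)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py pwdremover.exe` against a downloaded copy. `matches_report` is true only when the bytes are identical to the analysed sample, so a re-bundled or re-signed download from one of the mirror URLs below will show the same product name and signer but different hashes; in that case compare the SHA-256 before relying on this report's detection results.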

The file pwdremover.exe has been seen being distributed by the following 8 URLs.

https://pdf-password-remover.en.softonic.com/download-tracker?th=1/6CH9aeXedl4L8u BHNJXWTW LP1LFlnGQpxqjlxAMoF3ivMrAkL/.../vQBYG7yjBSrDZweap0ZUedhnLiq mCd5lkQyzTt3qiwwEKumdt3y4vVhVPq6x qIxSK98nZ v8VVt5GJArMUlM=

http://dl.verypdf.net/pwdremover.exe

http://www.ranchsendgift.com/r5lsKjtjAYK519rcgnHI6mZ 4ZWWf1_qBTSIcKbWQvBr5RhPnW3BxmhZZ6Al45pkreGSdHe vWZ3nyrUZfVDxG0TPoW0PYFhUgOUft65wuL2VWui9L83NYIUi LtgshWGq2u Bz6T2BSkvEIek5tNl9elZKXeEucWxuwvUSqWNLq9UbJaQhJS znbYPtnL9ZpFCc5lv5Enho7op5Pzr9HgMZTF23mw==-Gy8AAATyYrGpaS_vFgAccsD 7WJRoIkEE7klknS4b8z4O StzolX3ocWBw==

http://www.lo4d.com/get-file/pdf-password-remover/.../

http://www.globalpdf.com/.../pwdremover.exe

http://pdf-password-remover.en.softonic.com/download-tracker?th=1/6CH9aeXedl4L8u BHNJXWTW LP1LFlnGQpxqjlxAMoF3ivMrAkL/.../vQBYG7yjBSrDZweap0ZUedhnLiq mCd5lkQyzTt3qiwwEKumdt3y4vVhVPq6x qIxSK98nZ v8VVt5GJArMUlM=

http://www.verypdf.com/.../pwdremover.exe

http://pdf-password-remover.softonic.com/download-tracker?th=8yS3 KGEYLiw7GKMHzA/trmsvRChbxdrflJq3ZIylWsIxV3iUas2/qzfoP6RVf8l5KxJYC7OSe14dy5rpeSRY3IN2bo9569UoIm6ypOsZMeh7Dx tAPJOiRnRPx0/yZ/.../Q34=

Remove pwdremover.exe - Powered by Reason Core Security