merlhir.gq Open in urlscan Pro
162.241.125.10 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://hazeclaw.gq/#dirk.woelfel%40koenig-kg.com
Effective URL:
https://merlhir.gq/LRW18Z4g7pxO5rhubmB3tfY9aeqwGFQIKlEkAD2MoisXSncNJjHPTUy6vVCzcKWAZ6lf3pT78oLwuqRNItmjaC15BSYhUDXJ...
Submission Tags: falconsandbox
Submission: On March 18 via api (March 18th 2022, 1:22:49 pm UTC) from US — Scanned from DE

Summary HTTP 12 Redirects Behaviour Indicators

Summary

This website contacted 5 IPs in 2 countries across 6 domains to perform 12 HTTP transactions. The main IP is 162.241.125.10, located in United States and belongs to UNIFIEDLAYER-AS-1, US. The main domain is merlhir.gq.
TLS certificate: Issued by R3 on March 14th 2022. Valid for: 3 months.

This is the only time merlhir.gq was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: OneDrive (Online) Sharepoint (Online)

Domain & IP information

	IP Address	AS Autonomous System
7	162.241.125.10 162.241.125.10	46606 (UNIFIEDLA...) (UNIFIEDLAYER-AS-1)
2	2a00:1450:400... 2a00:1450:4001:830::200a	15169 (GOOGLE) (GOOGLE)
1	2606:2800:233... 2606:2800:233:1cb7:261b:1f9c:2074:3c	15133 (EDGECAST) (EDGECAST)
1	2620:0:862:ed... 2620:0:862:ed1a::2:b	14907 (WIKIMEDIA) (WIKIMEDIA)
1	2a00:1450:400... 2a00:1450:4001:82f::200e	15169 (GOOGLE) (GOOGLE)
12	5

7 162.241.125.10 (United States)

ASN46606 (UNIFIEDLAYER-AS-1, US)
PTR: 162-241-125-10.unifiedlayer.com

hazeclaw.gq	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
merlhir.gq	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a00:1450:4001:830::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

fonts.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:2800:233:1cb7:261b:1f9c:2074:3c (United States)

ASN15133 (EDGECAST, US)

aeocdn.azureedge.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2620:0:862:ed1a::2:b (United States)

ASN14907 (WIKIMEDIA, US)

upload.wikimedia.org	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:82f::200e (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

encrypted-tbn0.gstatic.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	hazeclaw.gq hazeclaw.gq	178 KB
2	googleapis.com fonts.googleapis.com — Cisco Umbrella Rank: 35	2 KB
2	merlhir.gq merlhir.gq	21 KB
1	gstatic.com encrypted-tbn0.gstatic.com	5 KB
1	wikimedia.org upload.wikimedia.org — Cisco Umbrella Rank: 1903	22 KB
1	azureedge.net aeocdn.azureedge.net — Cisco Umbrella Rank: 170502	5 KB
12	6

	Domain	Requested by
5	hazeclaw.gq	hazeclaw.gq
2	fonts.googleapis.com	merlhir.gq
2	merlhir.gq	merlhir.gq
1	encrypted-tbn0.gstatic.com	merlhir.gq
1	upload.wikimedia.org	merlhir.gq
1	aeocdn.azureedge.net	merlhir.gq
12	6

This site contains no links.

Subject Issuer	Validity	Valid
www.hazeclaw.gq R3	`2022-03-16` - `2022-06-14`	3 months	crt.sh
merlhir.gq R3	`2022-03-14` - `2022-06-12`	3 months	crt.sh
upload.video.google.com GTS CA 1C3	`2022-02-28` - `2022-05-23`	3 months	crt.sh
sni226begl.wpc.edgecastcdn.net DigiCert TLS RSA SHA256 2020 CA1	`2021-08-26` - `2022-09-26`	a year	crt.sh
*.wikipedia.org DigiCert TLS Hybrid ECC SHA384 2020 CA1	`2021-10-19` - `2022-11-17`	a year	crt.sh
*.gstatic.com GTS CA 1C3	`2022-02-28` - `2022-05-23`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://merlhir.gq/LRW18Z4g7pxO5rhubmB3tfY9aeqwGFQIKlEkAD2MoisXSncNJjHPTUy6vVCzcKWAZ6lf3pT78oLwuqRNItmjaC15BSYhUDXJ2QbP0enVrHF9Mks4EiGzxyvg20qFs3gCIwGKaDrWAZ4hS7Oc5oNmntzxQLyY9lbuUXBe8pEkMVPj6TRHiJfv/xLe9FrkUCfwuoS6VB24EqOGnsPl0Qbg8vAZDmayjJT1WtcRHNY7izhMK5IpX.php
Frame ID: 9DC4E12FCD779A178889E627108BF7CE
Requests: 12 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

FileShare - Authentication

Page URL History Show full URLs

https://hazeclaw.gq/ Page URL
https://hazeclaw.gq/w9pCamesrh26MSLU3A1PoTnfu8tWk7RHFIGjJBDQNx4ZEliyzgVbY5qOvcK0M8F0NDhxTbavoQfI... Page URL
https://merlhir.gq/aGF6ZWNsYXcuZ3E=/dirk.woelfel@koenig-kg.com Page URL
https://merlhir.gq/LRW18Z4g7pxO5rhubmB3tfY9aeqwGFQIKlEkAD2MoisXSncNJjHPTUy6vVCzcKWAZ6lf3pT78oLw... Page URL

Detected technologies

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

\.php(?:$|\?)

Google Font API (Font Scripts) Expand

Overall confidence: 100%
Detected patterns

<link[^>]* href=[^>]+fonts\.(?:googleapis|google)\.com

jQuery (JavaScript Libraries) Expand

Overall confidence: 100%
Detected patterns

jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?

Page Statistics

12
Requests

100 %
HTTPS

80 %
IPv6

6
Domains

6
Subdomains

5
IPs

2
Countries

232 kB
Transfer

229 kB
Size

2
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://hazeclaw.gq/ Page URL
https://hazeclaw.gq/w9pCamesrh26MSLU3A1PoTnfu8tWk7RHFIGjJBDQNx4ZEliyzgVbY5qOvcK0M8F0NDhxTbavoQfIlYHt7j4Xq1UAzeERnLmcwCsZirSO5K3Py2uJpg9WV6kG?9sjUvultoOgyFLN62fIY3zWACbZMVxHa4SRpJQDTGEkcm1wiB0h8Xn7PKrqewUfIGajJvRyxTMo5KH6gY7D13i82ClQZnNsctEzObFk9hmpeV4qSLPWu0rBX2cqz0RKD1ThCYeOWoI4S3Hlr58tap6nixmZBAM7EfQbFNyVjgusU9kwvPXGJ%20=%27%20+%20dirk.woelfel@koenig-kg.com Page URL
https://merlhir.gq/aGF6ZWNsYXcuZ3E=/dirk.woelfel@koenig-kg.com Page URL
https://merlhir.gq/LRW18Z4g7pxO5rhubmB3tfY9aeqwGFQIKlEkAD2MoisXSncNJjHPTUy6vVCzcKWAZ6lf3pT78oLwuqRNItmjaC15BSYhUDXJ2QbP0enVrHF9Mks4EiGzxyvg20qFs3gCIwGKaDrWAZ4hS7Oc5oNmntzxQLyY9lbuUXBe8pEkMVPj6TRHiJfv/xLe9FrkUCfwuoS6VB24EqOGnsPl0Qbg8vAZDmayjJT1WtcRHNY7izhMK5IpX.php Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

12 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H/1.1 200
OK / Show response
hazeclaw.gq/ 705 B
1 KB 1019ms
737ms Document
text/html 162.241.125.10
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://hazeclaw.gq/
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 162.241.125.10 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: 162-241-125-10.unifiedlayer.com
Software: Apache /
Resource Hash: 43e33d31dbacc4ec29179593241aac85f53cf4b817dfd62e81b8d8e60317b9c8

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept-Language: de-DE,de;q=0.9

Response headers

Date: Fri, 18 Mar 2022 13:22:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

GET
H/1.1 200
OK jquery.js Show response
hazeclaw.gq/ 87 KB
88 KB 127ms
127ms Script
application/javascript 162.241.125.10
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://hazeclaw.gq/jquery.js
Requested by: Host: hazeclaw.gq
URL: https://hazeclaw.gq/
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 162.241.125.10 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: 162-241-125-10.unifiedlayer.com
Software: Apache /
Resource Hash: 6150a35c0f486c46cadf0e230e2aa159c7c23ecfbb5611b64ee3f25fcbff341f

Request headers

Accept-Language: de-DE,de;q=0.9
Referer: https://hazeclaw.gq/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Response headers

Date: Fri, 18 Mar 2022 13:22:44 GMT
Last-Modified: Tue, 08 Feb 2022 13:08:16 GMT
Server: Apache
Content-Type: application/javascript
Connection: Keep-Alive
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=99
Content-Length: 89475

POST
H/1.1 200
OK fragment.php
hazeclaw.gq/ 26 B
342 B 128ms
128ms XHR
text/html 162.241.125.10
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://hazeclaw.gq/fragment.php
Requested by: Host: hazeclaw.gq
URL: https://hazeclaw.gq/jquery.js
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 162.241.125.10 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: 162-241-125-10.unifiedlayer.com
Software: Apache /
Resource Hash

Request headers

Accept: */*
Referer: https://hazeclaw.gq/
X-Requested-With: XMLHttpRequest
Accept-Language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Response headers

Pragma: no-cache
Date: Fri, 18 Mar 2022 13:22:45 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Keep-Alive: timeout=5, max=98
Expires: Thu, 19 Nov 1981 08:52:00 GMT

GET
H/1.1 200
OK w9pCamesrh26MSLU3A1PoTnfu8tWk7RHFIGjJBDQNx4ZEliyzgVbY5qOvcK0M8F0NDhxTbavoQfIlYHt7j4Xq1UAzeERnLmcwCsZirSO5K3Py2uJpg9WV6kG Show response
hazeclaw.gq/ 787 B
1 KB 681ms
681ms Document
text/html 162.241.125.10
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://hazeclaw.gq/w9pCamesrh26MSLU3A1PoTnfu8tWk7RHFIGjJBDQNx4ZEliyzgVbY5qOvcK0M8F0NDhxTbavoQfIlYHt7j4Xq1UAzeERnLmcwCsZirSO5K3Py2uJpg9WV6kG?9sjUvultoOgyFLN62fIY3zWACbZMVxHa4SRpJQDTGEkcm1wiB0h8Xn7PKrqewUfIGajJvRyxTMo5KH6gY7D13i82ClQZnNsctEzObFk9hmpeV4qSLPWu0rBX2cqz0RKD1ThCYeOWoI4S3Hlr58tap6nixmZBAM7EfQbFNyVjgusU9kwvPXGJ%20=%27%20+%20dirk.woelfel@koenig-kg.com
Requested by: Host: hazeclaw.gq
URL: https://hazeclaw.gq/
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 162.241.125.10 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: 162-241-125-10.unifiedlayer.com
Software: Apache /
Resource Hash: 7314c0538176615f2bf522ddec90fda8b940ccd4355b2e0701c035fb26efbb8b

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept-Language: de-DE,de;q=0.9
Referer: https://hazeclaw.gq/

Response headers

Date: Fri, 18 Mar 2022 13:22:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

GET
H/1.1 200
OK jquery.js
hazeclaw.gq/ 87 KB
88 KB 128ms
127ms Script
application/javascript 162.241.125.10
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://hazeclaw.gq/jquery.js
Requested by: Host: hazeclaw.gq
URL: https://hazeclaw.gq/w9pCamesrh26MSLU3A1PoTnfu8tWk7RHFIGjJBDQNx4ZEliyzgVbY5qOvcK0M8F0NDhxTbavoQfIlYHt7j4Xq1UAzeERnLmcwCsZirSO5K3Py2uJpg9WV6kG?9sjUvultoOgyFLN62fIY3zWACbZMVxHa4SRpJQDTGEkcm1wiB0h8Xn7PKrqewUfIGajJvRyxTMo5KH6gY7D13i82ClQZnNsctEzObFk9hmpeV4qSLPWu0rBX2cqz0RKD1ThCYeOWoI4S3Hlr58tap6nixmZBAM7EfQbFNyVjgusU9kwvPXGJ%20=%27%20+%20dirk.woelfel@koenig-kg.com
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 162.241.125.10 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: 162-241-125-10.unifiedlayer.com
Software: Apache /
Resource Hash

Request headers

Accept-Language: de-DE,de;q=0.9
Referer: https://hazeclaw.gq/w9pCamesrh26MSLU3A1PoTnfu8tWk7RHFIGjJBDQNx4ZEliyzgVbY5qOvcK0M8F0NDhxTbavoQfIlYHt7j4Xq1UAzeERnLmcwCsZirSO5K3Py2uJpg9WV6kG?9sjUvultoOgyFLN62fIY3zWACbZMVxHa4SRpJQDTGEkcm1wiB0h8Xn7PKrqewUfIGajJvRyxTMo5KH6gY7D13i82ClQZnNsctEzObFk9hmpeV4qSLPWu0rBX2cqz0RKD1ThCYeOWoI4S3Hlr58tap6nixmZBAM7EfQbFNyVjgusU9kwvPXGJ%20=%27%20+%20dirk.woelfel@koenig-kg.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Response headers

Date: Fri, 18 Mar 2022 13:22:45 GMT
Last-Modified: Tue, 08 Feb 2022 13:08:16 GMT
Server: Apache
Content-Type: application/javascript
Connection: Keep-Alive
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=96
Content-Length: 89475

GET
H/1.1 200
OK dirk.woelfel@koenig-kg.com
merlhir.gq/aGF6ZWNsYXcuZ3E=/ 289 B
671 B 1034ms
692ms Document
text/html 162.241.125.10
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://merlhir.gq/aGF6ZWNsYXcuZ3E=/dirk.woelfel@koenig-kg.com
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 162.241.125.10 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: 162-241-125-10.unifiedlayer.com
Software: Apache /
Resource Hash

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept-Language: de-DE,de;q=0.9
Referer: https://hazeclaw.gq/

Response headers

Date: Fri, 18 Mar 2022 13:22:46 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

GET
H/1.1 200
OK Primary Request xLe9FrkUCfwuoS6VB24EqOGnsPl0Qbg8vAZDmayjJT1WtcRHNY7izhMK5IpX.php Show response
merlhir.gq/LRW18Z4g7pxO5rhubmB3tfY9aeqwGFQIKlEkAD2MoisXSncNJjHPTUy6vVCzcKWAZ6lf3pT78oLwuqRNItmjaC15BSYhUDXJ2QbP0enVrHF9Mks4EiGzxyvg20qFs3gCIwGKaDrWAZ4hS7Oc5oNmntzxQLyY9lbuUXBe8pEkMVPj6TRHiJfv/ 20 KB
20 KB 129ms
129ms Document
text/html 162.241.125.10
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://merlhir.gq/LRW18Z4g7pxO5rhubmB3tfY9aeqwGFQIKlEkAD2MoisXSncNJjHPTUy6vVCzcKWAZ6lf3pT78oLwuqRNItmjaC15BSYhUDXJ2QbP0enVrHF9Mks4EiGzxyvg20qFs3gCIwGKaDrWAZ4hS7Oc5oNmntzxQLyY9lbuUXBe8pEkMVPj6TRHiJfv/xLe9FrkUCfwuoS6VB24EqOGnsPl0Qbg8vAZDmayjJT1WtcRHNY7izhMK5IpX.php
Requested by: Host: merlhir.gq
URL: https://merlhir.gq/aGF6ZWNsYXcuZ3E=/dirk.woelfel@koenig-kg.com
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 162.241.125.10 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: 162-241-125-10.unifiedlayer.com
Software: Apache /
Resource Hash: ced94ecd5b4f4dca430264b1118d3697a1c317117f700bf01274751da9c3dd44

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept-Language: de-DE,de;q=0.9
Referer: https://merlhir.gq/aGF6ZWNsYXcuZ3E=/dirk.woelfel@koenig-kg.com

Response headers

Date: Fri, 18 Mar 2022 13:22:47 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

GET
H2 200 css
fonts.googleapis.com/ 3 KB
1 KB 141ms
49ms Stylesheet
text/css 2a00:1450:4001:830::200a
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.googleapis.com/css?family=Open+Sans:600

Requested by

Host: merlhir.gq
URL: https://merlhir.gq/LRW18Z4g7pxO5rhubmB3tfY9aeqwGFQIKlEkAD2MoisXSncNJjHPTUy6vVCzcKWAZ6lf3pT78oLwuqRNItmjaC15BSYhUDXJ2QbP0enVrHF9Mks4EiGzxyvg20qFs3gCIwGKaDrWAZ4hS7Oc5oNmntzxQLyY9lbuUXBe8pEkMVPj6TRHiJfv/xLe9FrkUCfwuoS6VB24EqOGnsPl0Qbg8vAZDmayjJT1WtcRHNY7izhMK5IpX.php

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:830::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

ESF /

Resource Hash

4d9f4f598117d5f4f4755691e9a6b4e4094f6563cafab7bd0122f63c5862d25e

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Accept-Language: de-DE,de;q=0.9
Referer: https://merlhir.gq/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Response headers

strict-transport-security: max-age=31536000
content-encoding: gzip
x-content-type-options: nosniff
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
x-xss-protection: 0
last-modified: Fri, 18 Mar 2022 11:45:15 GMT
server: ESF
cross-origin-opener-policy: same-origin-allow-popups
date: Fri, 18 Mar 2022 13:22:48 GMT
x-frame-options: SAMEORIGIN
content-type: text/css; charset=utf-8
access-control-allow-origin: *
cache-control: private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin: *
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
expires: Fri, 18 Mar 2022 13:22:48 GMT

GET
H2 200 css
fonts.googleapis.com/ 0
701 B 147ms
55ms Other
text/css 2a00:1450:4001:830::200a
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.googleapis.com/css?family=Open+Sans:600

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:830::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

ESF /

Resource Hash

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Accept-Language: de-DE,de;q=0.9
Referer: https://merlhir.gq/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Response headers

strict-transport-security: max-age=31536000
content-encoding: gzip
x-content-type-options: nosniff
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
x-xss-protection: 0
last-modified: Fri, 18 Mar 2022 11:38:45 GMT
server: ESF
cross-origin-opener-policy: same-origin-allow-popups
date: Fri, 18 Mar 2022 13:22:48 GMT
x-frame-options: SAMEORIGIN
content-type: text/css; charset=utf-8
access-control-allow-origin: *
cache-control: private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin: *
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
expires: Fri, 18 Mar 2022 13:22:48 GMT

GET
H2 200 microsoft-2x.png
aeocdn.azureedge.net/mediahandler/azure-emails-templates/production/shared/images/templates/shared/ 4 KB
5 KB 76ms
7ms Image
image/png 2606:2800:233:1cb7:261b:1f9c:2074:3c
EDGECAST

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://aeocdn.azureedge.net/mediahandler/azure-emails-templates/production/shared/images/templates/shared/microsoft-2x.png

Requested by

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

2606:2800:233:1cb7:261b:1f9c:2074:3c , United States, ASN15133 (EDGECAST, US),

Reverse DNS

Software

ECAcc (frc/8F25) / ASP.NET

Resource Hash

6a773ecac620390429ac621a96b83062ae94447c46250000318efbf2e22acf68

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000
X-Content-Type-Options	nosniff

Request headers

Accept-Language: de-DE,de;q=0.9
Referer: https://merlhir.gq/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Response headers

date: Fri, 18 Mar 2022 13:22:48 GMT
x-content-type-options: nosniff
age: 602135
x-powered-by: ASP.NET
x-cache: HIT
arr-disable-session-affinity: true
content-length: 4275
request-context: appId=cid-v1:06ff7d2d-f6f7-42f9-85c1-254dcf3e8e21
last-modified: Tue, 07 Dec 2021 01:06:13 GMT
server: ECAcc (frc/8F25)
etag: "0x8D9B91DC389C758"
strict-transport-security: max-age=31536000
content-type: image/png
access-control-expose-headers: Request-Context
cache-control: max-age=604800
accept-ranges: bytes
x-robots-tag: noindex
expires: Fri, 25 Mar 2022 13:22:48 GMT

GET
H2 200 488px-PDF_file_icon.svg.png
upload.wikimedia.org/wikipedia/commons/thumb/8/87/PDF_file_icon.svg/ 21 KB
22 KB 65ms
27ms Image
image/png 2620:0:862:ed1a::2:b
WIKIMEDIA

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://upload.wikimedia.org/wikipedia/commons/thumb/8/87/PDF_file_icon.svg/488px-PDF_file_icon.svg.png

Requested by

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

2620:0:862:ed1a::2:b , United States, ASN14907 (WIKIMEDIA, US),

Reverse DNS

Software

ATS/8.0.8 /

Resource Hash

fb8055f925b3516cb6c3727ada1d3d05acf2498a03bbf09d8fe132fd61262342

Security Headers

Name	Value
Strict-Transport-Security	max-age=106384710; includeSubDomains; preload

Request headers

Accept-Language: de-DE,de;q=0.9
Referer: https://merlhir.gq/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Response headers

date: Thu, 17 Mar 2022 15:21:06 GMT
nel: { "report_to": "wm_nel", "max_age": 86400, "failure_fraction": 0.05, "success_fraction": 0.0}
age: 79301
x-cache-status: hit-front
x-cache: cp3051 hit, cp3055 hit/12
server-timing: cache;desc="hit-front", host;desc="cp3055"
content-length: 21582
x-client-ip: 2a03:1b20:6:f011::7e
last-modified: Thu, 11 Oct 2018 08:40:23 GMT
server: ATS/8.0.8
etag: 5a01e8b093e56a8e7b225a9e64ad8336
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 86400, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
content-type: image/png
access-control-allow-origin: *
x-timestamp: 1539247222.63681
permissions-policy: interest-cohort=()
accept-ranges: bytes
timing-allow-origin: *
access-control-expose-headers: Age, Date, Content-Length, Content-Range, X-Content-Duration, X-Cache

GET
H2 200 images
encrypted-tbn0.gstatic.com/ 5 KB
5 KB 139ms
47ms Image
image/png 2a00:1450:4001:82f::200e
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://encrypted-tbn0.gstatic.com/images?q=tbn%3AANd9GcTKSnU9Bdy27tHbmdBR8NP5B-lMNtRe8mAylQ&usqp=CAU

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:82f::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

bbbeba77cfb6c33c558b6fa85a4f959c2806a8953db86da5b47bb90d95c18f24

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Accept-Language: de-DE,de;q=0.9
Referer: https://merlhir.gq/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Response headers

date: Fri, 18 Mar 2022 13:22:48 GMT
x-content-type-options: nosniff
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/images-tbn
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 4792
x-xss-protection: 0
last-modified: Tue, 08 Dec 2020 05:01:36 GMT
server: sffe
report-to: {"group":"images-tbn","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/images-tbn"}]}
content-type: image/png
access-control-allow-origin: *
cache-control: public, max-age=31536000
accept-ranges: bytes
cross-origin-opener-policy-report-only: same-origin; report-to="images-tbn"
expires: Sat, 18 Mar 2023 13:22:48 GMT

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: OneDrive (Online) Sharepoint (Online)

3 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

function| structuredClone object| oncontextlost object| oncontextrestored

2 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			hazeclaw.gq/	1969-12-31 23:59:59	Name: PHPSESSID Value: d7dee7a184081ae7ad9e387beb30e81b
			merlhir.gq/	1969-12-31 23:59:59	Name: PHPSESSID Value: a3cd8368c9b92b140962adf2a5c87b9d

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

aeocdn.azureedge.net
encrypted-tbn0.gstatic.com
fonts.googleapis.com
hazeclaw.gq
merlhir.gq
upload.wikimedia.org
162.241.125.10
2606:2800:233:1cb7:261b:1f9c:2074:3c
2620:0:862:ed1a::2:b
2a00:1450:4001:82f::200e
2a00:1450:4001:830::200a
43e33d31dbacc4ec29179593241aac85f53cf4b817dfd62e81b8d8e60317b9c8
4d9f4f598117d5f4f4755691e9a6b4e4094f6563cafab7bd0122f63c5862d25e
6150a35c0f486c46cadf0e230e2aa159c7c23ecfbb5611b64ee3f25fcbff341f
6a773ecac620390429ac621a96b83062ae94447c46250000318efbf2e22acf68
7314c0538176615f2bf522ddec90fda8b940ccd4355b2e0701c035fb26efbb8b
bbbeba77cfb6c33c558b6fa85a4f959c2806a8953db86da5b47bb90d95c18f24
ced94ecd5b4f4dca430264b1118d3697a1c317117f700bf01274751da9c3dd44
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
fb8055f925b3516cb6c3727ada1d3d05acf2498a03bbf09d8fe132fd61262342

merlhir.gq Open in urlscan Pro 162.241.125.10 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

12 Requests

100 %HTTPS

80 %IPv6

6 Domains

6 Subdomains

5 IPs

2 Countries

232 kBTransfer

229 kBSize

2 Cookies

0 Outgoing links

Page URL History

Redirected requests

12 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

3 JavaScript Global Variables

2 Cookies

Indicators

merlhir.gq Open in urlscan Pro
162.241.125.10 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

12
Requests

100 %
HTTPS

80 %
IPv6

6
Domains

6
Subdomains

5
IPs

2
Countries

232 kB
Transfer

229 kB
Size

2
Cookies

12 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!