Suspicious Productivity Pyinstaller Compiled Applications



Hello World. Earlier this month I looked at a few interesting samples that appear to fall into the same realm as many of the EvilAI PDF converters reported last year. The difference with this one is that instead of being Inno Setup packed, an Electron app, or a .NET application like some of the variations observed so far, this one is a Python compiled application.

The initial application observed was "PDFly", which, after some pivoting on other information, led to the discovery of Ziply, as well as PDFClick and Rapidoc. These findings were shared on my X post as well.

The challenge with these is that I am unable to use pyinstxtractor/pyinstxtractor-ng; there seems to be some level of customized PyInstaller magic here that I just don't know enough about. What I do know is that when running these applications they do drop an AppData\Local\Temp\_MEIXXXX directory, common with PyInstaller, and there is an embedded resource zip file with another EXE of the same name.

Additionally, when running Process Hacker, I can see in-memory strings that show another Python file (for PDFly this is app.py) loading from that AppData\Local\Temp\_MEI folder; however, that file does not seem to actually drop onto disk, or it drops, loads into memory, and is gone before I see it.

The good news is that some of the "custom" magic seems to lie in this packing being done as zlib chunks, and those can be extracted. Screenshot from Malcat:

The unpacked PDFly.exe is very similar: a bunch of zlib structures, with one of them unpacking as what appears to be app.py.



I do have an AI-assisted Python script that grabs all the zlib structures and attempts to unpack and disassemble them; this automates the process I just showed with Malcat. (Judge me if you must, but AI wrote that Python script in much less time than I ever could have, and time is precious to me.)

I also have YARA rules for detecting these types of Python compiled applications.
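As an added example (this is not the author's AI-assisted script, nor the YARA rules mentioned above), the following scans a binary for zlib stream headers, inflates each candidate the way Malcat does by hand, labels what came out (Python source, pyc, PE, zip), and separately reports whether the stock PyInstaller bootloader markers are present, which is useful to know when a custom packer has altered them. The marker byte strings and the sample blob built by build_sample_blob() are assumptions constructed for the example.

```python
"""Carve zlib streams out of a packed binary and flag stock PyInstaller markers.

Added example, not the post author's script: scans for zlib headers, inflates
each candidate, classifies the result, and checks for bootloader strings.
"""
import importlib.util
import sys
import zlib

# Strings the stock PyInstaller bootloader embeds (CArchive cookie magic and the
# runtime-directory variable). A customized packer may have changed or removed them.
PYINSTALLER_MARKERS = {
    "carchive-cookie": b"MEI\x0c\x0b\x0a\x0b\x0e",
    "meipass-string": b"_MEIPASS",
    "pyi-runtime-tmpdir": b"pyi-runtime-tmpdir",
}


def _is_zlib_header(b1: int, b2: int) -> bool:
    """A zlib header has CM=8 in the low nibble of byte 1 and (b1<<8|b2) % 31 == 0 (0x78xx in practice)."""
    return (b1 & 0x0F) == 8 and ((b1 << 8) | b2) % 31 == 0


def find_zlib_streams(blob: bytes, min_size: int = 16):
    """Return (offset, compressed_len, inflated_bytes) for every stream that inflates cleanly."""
    found, i, end = [], 0, len(blob) - 1
    while i < end:
        if _is_zlib_header(blob[i], blob[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:])
                # d.eof means a complete stream with a valid Adler-32; unused_data is the tail
                if d.eof and len(out) >= min_size:
                    used = len(blob) - i - len(d.unused_data)
                    found.append((i, used, out))
                    i += used  # skip the stream body so its bytes are not re-scanned
                    continue
            except zlib.error:
                pass
        i += 1
    return found


def classify(data: bytes) -> str:
    """Best-effort label for an inflated chunk."""
    if data[:4] == importlib.util.MAGIC_NUMBER:
        return "pyc (same CPython as this interpreter)"
    if data[2:4] == b"\r\n":
        return "pyc (other CPython version)"
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"PK":
        return "zip"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if any(tok in text for tok in ("import ", "def ", "class ")):
        return "python-source"
    return "text"


def pyinstaller_indicators(blob: bytes):
    """Names of the stock bootloader markers found in the blob."""
    return [name for name, marker in PYINSTALLER_MARKERS.items() if marker in blob]


def build_sample_blob() -> bytes:
    """Constructed input: filler, one bootloader string, a zlib'd source file and a zlib'd pyc header."""
    src = b"import os\n\ndef main():\n    print('hello from app.py')\n\nmain()\n"
    fake_pyc = importlib.util.MAGIC_NUMBER + b"\x00" * 12 + b"\xe3\x00\x00"
    filler = b"\x00\xff" * 40
    return (filler + b"_MEIPASS\x00" + zlib.compress(src)
            + filler + zlib.compress(fake_pyc, 9) + filler)


def scan(blob: bytes):
    """Summarize every carved stream as (offset, compressed_len, inflated_len, label)."""
    return [(off, used, len(out), classify(out)) for off, used, out in find_zlib_streams(blob)]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    print("pyinstaller markers:", pyinstaller_indicators(blob))
    for off, used, size, label in scan(blob):
        print(f"0x{off:08x}  {used:8d} -> {size:8d} bytes  {label}")
```

Run it against an unpacked PE to list the chunks; the offsets line up with what Malcat shows, and a "python-source" or "pyc" label marks the chunk worth dumping. An empty marker list on a file that clearly behaves like PyInstaller is itself a signal that the bootloader was customized.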

PDFly Info
Ziply Info
Rapidoc Info

Update February 2, 2026

Thanks to @struppigel for putting together an extractor for this custom Python installer.

Based on this, I was able to extract app.pyc as well as the other files located within the custom PYZ archive.


With an understanding of which Python version the pyc files were built with, I can disassemble this code to make it fairly readable.

py -3.13 -c "import marshal,dis,sys,struct; p=sys.argv[1]; data=open(p,'rb').read(); header=data[:16]; code=marshal.loads(data[16:]); dis.dis(code)" .\app.pyc >> app.txt


I can do the same thing with the config.pyc file; this one is the really interesting file.
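The one-liner above hard-codes a 16-byte header and assumes the right interpreter is being used. As an added example (not the author's command), the script below generalizes it: it decodes the header for both the pre-3.7 12-byte layout and the PEP 552 16-byte layout, names the CPython release from the magic number, refuses to unmarshal under a mismatched interpreter (the marshal format is version-specific, which is why the -3.13 matters), disassembles the code object, and walks co_consts recursively to lift string constants, which is the fastest way to pull values like the paths and task names out of a config.pyc. The KNOWN_MAGIC table covers final 3.8 to 3.13 releases only, and build_sample_pyc() is a constructed stand-in compiled by the running interpreter.

```python
"""Parse a .pyc header, verify the interpreter matches, disassemble, and lift string constants.

Added example, not from the original post; generalizes the py -3.13 one-liner.
"""
import dis
import importlib.util
import io
import marshal
import struct
import sys
import types

# Low 16 bits of the magic number for final CPython releases (others reported as unlisted).
KNOWN_MAGIC = {3413: "3.8", 3425: "3.9", 3439: "3.10", 3495: "3.11", 3531: "3.12", 3571: "3.13"}
PEP552_FIRST_MAGIC = 3390  # 3.7 introduced the flags word and hash-based pycs


def parse_pyc_header(data: bytes) -> dict:
    """Decode the header fields and the offset where the marshalled code object starts."""
    if len(data) < 12 or data[2:4] != b"\r\n":
        raise ValueError("not a pyc file: magic trailer is not CR LF")
    tag = struct.unpack("<H", data[:2])[0]
    info = {"magic": tag, "cpython": KNOWN_MAGIC.get(tag, "unlisted")}
    if tag >= PEP552_FIRST_MAGIC:
        flags = struct.unpack("<I", data[4:8])[0]
        info["flags"] = flags
        if flags & 1:  # hash-based pyc: 8-byte SipHash of the source
            info["source_hash"] = data[8:16].hex()
        else:          # timestamp-based pyc: source mtime and size
            info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
        info["body_offset"] = 16
    else:
        info["mtime"], info["source_size"] = struct.unpack("<II", data[4:12])
        info["body_offset"] = 12
    return info


def load_code(data: bytes) -> types.CodeType:
    """Unmarshal the module code object, but only under the CPython that wrote the file."""
    info = parse_pyc_header(data)
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise RuntimeError(
            f"pyc written by CPython {info['cpython']} (magic {info['magic']}); "
            f"this interpreter is {sys.version.split()[0]}, rerun under the matching version")
    return marshal.loads(data[info["body_offset"]:])


def disassemble(code: types.CodeType) -> str:
    """Full listing, including nested functions, as a string (dis recurses into child code objects)."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()


def collect_strings(code: types.CodeType) -> list:
    """Walk co_consts recursively to lift every string constant without reading bytecode."""
    out = []
    for const in code.co_consts:
        if isinstance(const, str):
            out.append(const)
        elif isinstance(const, types.CodeType):
            out.extend(collect_strings(const))
    return out


def build_sample_pyc() -> bytes:
    """Constructed stand-in for an extracted config.pyc, compiled by the running interpreter."""
    src = ("BASE = 'https://example.invalid'\nTASK_NAME = 'UpdatePDFly'\n"
           "def checkin():\n    return BASE + '/IQhZK1Mz'\n")
    code = compile(src, "config.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 1700000000, len(src))
    return header + marshal.dumps(code)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pyc()
    print(parse_pyc_header(data))
    code = load_code(data)
    print(disassemble(code))
    print("strings:", collect_strings(code))
```

Running it on a mismatched file prints which CPython release to switch to instead of failing inside marshal with an unhelpful error; running it under the right one gives the disassembly plus a flat string list, which is where the obfuscated paths and the updater/task names show up first.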


The obfuscated paths are interesting and appear to let the server side determine what to do next after the client reports in.
  • /IQhZK1Mz (V6)

  • /kmQOwsC (CIL)

  • /jASRz9 (S2S)

  • /e8AcDC (updater)

  • /fwhku82 (consent)

  • UPDATER_NAME = "PDFlyUpdater"

  • TASK_NAME = "UpdatePDFly"


Here is the PDFly Updater on VirusTotal. I have not looked at this one in-depth, but it does appear to have downloader capabilities, and looks like it would be similar to other YAPA (Yet Another PDF Application)/EvilAI/TamperedChef-style updaters.
