YAPA: Analysis of DailyFIle PDF App



In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is DailyFile, which can be found on dailytapp[.]com. 

Dailytapp Download Page




The above image shows the a similar style to many other observed malicious pdf, document, and zip converter applications.

Analysis:

The analysis of this started by pivoting off of other known indicators, primarily the certificate signer: "Astras Novei LTD" which had also been observed with a malicious python based converter Ziply

Additionally, "A1A Marketing Ltd." had been previously observed with other YAPA sites like pdf-star[.]com and powerdocapp[.]com. We also see "Sherlock Tech Ltd" which points to other YAPA samples as well.

Ads Transparency for dailytapp


This is a .NET application, which makes it easy to load and observe in DnSpy. The YAPA here performs similar functions as previously observed instances. We can see simple obfuscation of "Google and Chrome", we can see infrastructure (Domains/URIs), and we can see a hard coded XOR key intended to obscure network communications.

Obfuscated .NET code


Hard-Coded XOR key



Some new hunting finds based on advertiser and signature pivots include ZipSphere, PDFShark, FreePDFApp, and PDFDoc.

Indicators of Compromise (IOCs)

Type Indicator Description
Domain api.dailytapp.com Primary API endpoint used by the installer for validation, configuration retrieval, and telemetry reporting.
Domain init.dailytapp.com Secondary server used for browser synchronization operations including profile upload and modification.
URI /ValidateDailyFile Validation endpoint contacted during installation to register the client.
URI /CheckEndpoint Returns server-controlled content displayed in the installer interface.
URI /Reporter Telemetry endpoint receiving system information and installation status.
URI /InitDaily Initial configuration endpoint used to retrieve browser synchronization instructions.
URI /Check Endpoint used to upload Chrome profile data and retrieve modified configuration files.
URI /FeReport Reporting endpoint used to log synchronization results.
URI /TaReport Additional telemetry endpoint reporting browser manipulation outcomes.
File Path %LOCALAPPDATA%\DailyFile\DailyFileApp.exe Main application dropped by the installer.
File Path %LOCALAPPDATA%\DailyFile\DailyFileUninstall.exe Uninstall component installed alongside the application.
File Path %LOCALAPPDATA%\DailyFile\PdfSharp.dll Bundled PDF library used to support the application's legitimacy.
File Path %LOCALAPPDATA%\DailyFile\Spire.Doc.dll Bundled document processing library.
File Path %LOCALAPPDATA%\DailyFile\Spire.Pdf.dll Bundled PDF processing library.
Registry Key HKCU\SOFTWARE\DailyFile\UserId Stores a unique identifier generated for each infected user.
Registry Key HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid System identifier used for machine fingerprinting.
Process Target chrome.exe Google Chrome process terminated prior to browser profile manipulation.
Obfuscation Key R8Qx2mL7WkP9N4Yt-A5639182047 XOR key used for Base64 string obfuscation within the malware.
Technique Character Shift Obfuscation Strings such as “Google”, “Chrome”, and “chrome.exe” are stored with each character incremented by +1 and decoded at runtime.

Comments

Post a Comment

Popular posts from this blog

Beware of Fake 7zip Installer: upStage Proxy

Image
Over the past couple weeks analysts have been looking at a suspicious 7zip installer which turns the host into a residential proxy (proxyware). I'm playfully calling this upStage Proxy (with a heroquest boardgame theme). More on the name will become clear in this article. The installer comes from 7zip[.]com, which, while looking professional, and having been around for quite some time, is in fact not the official site for the 7zip tool. The official site is 7-zip.org . *Update February 10, 2026: At this time the download link is now pointing to the official 7-zip.org download. The installer is signed by (now revoked) certificate:  "JOZEAL NETWORK TECHNOLOGY CO., LIMITED". The installer drops a version of 7zfm.exe that is also signed with this signer.  This version of 7zfm.exe differs from the official build in an important way, it has embedded within it 3 files ( upHreo.exe , hero.exe , and hero.dll ).  Analysis of this has been interesting, the main payloads are Go com...
Read more

TamperedChef: Suspicious Recipe App is really Malware

Image
Hello World!  Let me introduce you to a new malware I'm calling TamperedChef .  Yesterday I came across the article Malvertising Alert: Recipe App Hijacks Credentials and Appears to Establish C&C Connection . This got me curious, so I decided to dig a bit deeper. I manually went to recipelister ( VirusTotal )  and downloaded recipelister.exe.  After reading the aforementioned blog, which observed the 7z-out folder, I figured why not use 7zip to extract recipelister.exe. Within the compressed file was app-64.7z, which I again extracted I extracted using 7zip.  At this point we have the main contents of what would appear in "AppData\Local\Temp\2w1rXpxZnwDUwuTeNvdD6FUkeI0".  Extracting app.asar: In order to extract app.asar to be easier to look at, I used this 7z asar plugin .  This is where things get interesting. When we start looking at main.js, all the while running Fiddler, we  observe a lot of suspicious code and activity.  The main.j...
Read more

EvilAI: Fake Online Speedtest Application

Image
Several Windows applications that present themselves as legitimate utilities—Internet speed testers, “manual reader” and “finder” tools, certain PDF utilities, and even some AI search frontends such as   justaskjacky   have been observed to drop a portable Node runtime folder alongside a heavily obfuscated JavaScript payload. The visible executable performs as expected to the users, however the installer also extracts the Node runtime, a scheduled task, and  an obfuscated *.js file that don’t appear necessary for the application's primary function. That JavaScript is executed by the dropped Node instance via a scheduled task (observed to run on roughly a 12-hour cycle). Its capabilities include encoded/obfuscated network communications and the potential to execute arbitrary code delivered by the server. Because the JS runs independently from the main executable and is persistent via scheduled tasks, it significantly increases the attack surface:...
Read more