Showing posts from April, 2026

YAPA: Now using WIX to further evade detection

Deep dive into YAPA malware using a new WiX installer technique, analyzing PDFRefresh, updater abuse, UUID fingerprinting, and stealth persistence.

YAPA (Yet Another PDF Application), EvilaAI, MediaArena, or whatever you want to call these, are continuously trying new tactics and techniques to evade detection. In this latest YAPA sample, I look at PDFizer, which ships as a WiX-built MSI installer to make detection more difficult. I first posted a similar file, FlyPDFy, in this X post.

PDFizer:
MD5: 5843ff0c676bcf99039b2b46035fdf8e
Signer: Shappi Corp
Download: https://pdf-izer[.]com/

Sandbox Run:

File Extraction:
Since this is a WiX installer, we can use dark.exe to decompile the MSI. Then a tool like lessmsi extracts the remaining files:
PDFCoreLibrary.dll (.NET)
PDFizer.exe (.NET)
PDFRefresh.exe (Go)

It does appear that the .NET files are benign. However, the MSI does create a scheduled task to run PDFRefresh...
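The extraction step above ends with three binaries of mixed origin (.NET vs Go). The script below is an added example, not tooling from the post or from the malware authors: it walks a directory of files already pulled out of an MSI (for example the lessmsi output folder), records each file's MD5 so it can be matched against published indicators such as the hash above, and classifies each PE by checking the CLR runtime header (data directory 14) for .NET and the Go build-info/build-ID strings for Go. The PE samples it triages in `demo()` are constructed header-only stand-ins named after the extracted files; they are not the real binaries and are not executable.

```python
"""
Triage for files extracted from a WiX MSI (added example; not the post's tooling).
Classifies each PE as .NET (CLR header present), Go (Go build markers), or native,
and records its MD5 so hashes can be matched against published indicators.
Assumes an already-extracted directory (e.g. dark.exe -x / lessmsi output).
"""
import hashlib
import os
import struct
import tempfile

# Strings the Go linker leaves in every non-trimmed binary (buildinfo header / build ID).
GO_MARKERS = (b"Go build ID:", b"Go buildinf:", b"go.buildid")


def classify_pe(data: bytes) -> str:
    """Return 'not-pe', 'dotnet', 'go' or 'native' from raw file bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    opt = e_lfanew + 24                      # Signature(4) + IMAGE_FILE_HEADER(20)
    if len(data) < opt + 2:
        return "not-pe"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: data directories start at +96
        dd = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories start at +112
        dd = opt + 112
    else:
        return "not-pe"
    if len(data) >= dd:
        n_dirs = struct.unpack_from("<I", data, dd - 4)[0]   # NumberOfRvaAndSizes
        if n_dirs > 14 and len(data) >= dd + 15 * 8:
            # Entry 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header).
            clr_rva, clr_size = struct.unpack_from("<II", data, dd + 14 * 8)
            if clr_rva and clr_size:
                return "dotnet"
    if any(m in data for m in GO_MARKERS):
        return "go"
    return "native"


def triage_dir(root: str) -> list:
    """Hash and classify every file under root; one dict per file."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            with open(os.path.join(dirpath, name), "rb") as f:
                data = f.read()
            rows.append({"file": name,
                         "md5": hashlib.md5(data).hexdigest(),
                         "kind": classify_pe(data)})
    return rows


def build_sample(pe32plus=False, dotnet=False, go=False) -> bytes:
    """Constructed sample: header-only PE, not runnable, just enough for classify_pe()."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic, dd_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dd_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)                  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dd_off + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    machine = 0x8664 if pe32plus else 0x14C
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0)
    body = b"\xff Go buildinf:" if go else b""                   # Go buildinfo magic
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + body


def demo() -> dict:
    """Write constructed stand-ins named after the extracted files and triage them."""
    samples = {
        "PDFCoreLibrary.dll": build_sample(dotnet=True),
        "PDFizer.exe": build_sample(pe32plus=True, dotnet=True),
        "PDFRefresh.exe": build_sample(pe32plus=True, go=True),
        "readme.txt": b"not a pe",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return {r["file"]: r["kind"] for r in triage_dir(d)}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name:22} {kind}")
```

Against a real extraction, call `triage_dir` on the lessmsi output directory; the `kind` column separates the managed loader pieces from the Go component, and the `md5` column is what you compare to the indicator published for the installer. The Go check is string-based and will miss binaries built with `-trimpath -ldflags=-s -w` plus a stripped build ID, so treat "native" as "not proven .NET or Go", not as a verdict.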