Posts

Showing posts from April, 2026

YAPA: Now using WIX to further evade detection

YAPA (Yet Another PDF Application), EvilaAI, MediaArena, or whatever you want to call these, are continuously trying new tactics/techniques to evade detection. In this latest YAPA, I look at PDFizer, which uses a WiX MSI installer to make detection more difficult. I first posted a similar file, FlyPDFy, in this X post.

PDFizer:
MD5: 5843ff0c676bcf99039b2b46035fdf8e
Signer: Shappi Corp
Download: https://pdf-izer[.]com/

SandBox Run:

File Extraction: Since this is a WiX installer, we can use dark.exe to extract the MSI. Then we can use a tool like lessmsi to further extract all the remaining files:
PDFCoreLibrary.dll (.NET)
PDFizer.exe (.NET)
PDFRefresh.exe (Go)

It does appear that the .NET files are benign. However, the MSI does create a scheduled task to run PDFRefresh hourly. Interesting parts of the .NET: MessageBox.Show("Hello, I am just an ugly Test Update ...") public string GetHelloWorld() {return "Hel...