YAPA: Now using WIX to further evade detection



YAPA (Yet Another PDF Application), EvilaAI, MediaArena, or whatever you want to call these, are continuously trying new tactics/techniques to evade detection. In this latest YAPA, I look at PDFizer, which uses Wix MSI installer to assist with making detection more difficult. I first posted a similar file, FlyPDFy  on this X post 

PDFizer:
MD5: 5843ff0c676bcf99039b2b46035fdf8e
Signer: Shappi Corp
Download: https://pdf-izer[.]com/
SandBox Run:

File Extraction:
Since this is a Wix installer, we can use Dark.exe to extract the MSI


Then we can use a tool like less-msi to further extract all the remaining files:


PDFizer.exe (.NET)

It does appear that the .NET files are benign. However the MSI does create a scheduled task to run the PDFRefresh hourly.

Interesting parts of the .NET:
  • MessageBox.Show("Hello, I am just an ugly Test Update ...")
  • public string GetHelloWorld() {return "Hello World from DLL!";

  • The .csproj references PDFCoreLibrary.dll from a path containing:...extract\SourceDir\FlyPDFy\PDFCoreLibrary.dll (File relation)

Interesting parts of the GO binary:
  • upd/controller.launchInstallerAndWait
  • upd/controller.installNewVersion
  • upd/filemanager.DownloadFile
  • upd/filemanager.DownloadFileToDestination
  • installer_started
  • installer_succeeded
  • installer_failed
  • installer_download_failed
  • config_download_failed
  • version.json
  • https://datapdfizer.com/pdf-izer.txt
  • SELECT UUID FROM Win32_ComputerSystemProduct (when stepping through debugger)
  • User-Agent: pdf-izer/1.0.0/58fd816b7ad878d55cfee2baf57ba785501403be (version number, followed by UUID SHA1 hash.)

    • Visiting the .txt
    ;aiu; [Update] Name = URL = Size = 0 Version = AdditionaaplAttributes=


    Observations:
    At this time, in the sandbox and on my VM, I do not see anything which occurs after the PDFRefresh check. I see a quick connection to datapdfizer[.]com where it appears to check the version.json file against the site. 

    I did attempt to change the version.json file to read a different version, but as I was stepping through the debugger, I did notice that some system finger-printing seems to occur, it's likely that this may be used to evade analysis. I did change my UUID, but there may be other checks I missed if that's the case.


    Likely UUID fingerprint

    version.json version number (RAX)

    UPDATE:

    After modifying my HOOKs and local HTTPS server for this, I had it send a dummy payload to see what the program would do if successful. I added datapdfizer[.]com to localhost, and ran my scripts.

    I used Frida in Python to hook what I needed, and used a separate scripts to act as a local webserver. Here is what it tries to do if successful: 

    [createfile] {'kind': 'createfile', 'path': 'C:\\Users\\user\\AppData\\Local\\Temp\\pdf-izer-2485702330\\installer1776428545553117800.exe'}

    [createprocess] {'kind': 'createprocess', 'application': 'C:\\Users\\user\\AppData\\Local\\Temp\\pdf-izer-2485702330\\installer1776428545553117800.exe',
    'commandline': 'C:\\Users\\user\\AppData\\Local\\Temp\\pdf-izer-2485702330\\installer1776428545553117800.exe /quiet'}


    It attempts to run this quietly from temp. Of course my payload is just a fake payload and didn't run. 

    UPDATE 2:
    Found related sample "NumberMergeGame" signed by :"Muhammad Awais LLC"

    After Wix extract, MSI extractor has the version.json and the datasync.exe which is very similar to the PDFRefresh.exe. 



    Another game related sample is SnakeGame, which, as with the PDF tools and NumberMerge, drops the expected application for the user, but also has an updater/Refresh which is the actual suspicious part. In this case is is SnakeGameRefresh.exe.

    Comments

    Post a Comment

    Popular posts from this blog

    Beware of Fake 7zip Installer: upStage Proxy

    Image
    Over the past couple weeks analysts have been looking at a suspicious 7zip installer which turns the host into a residential proxy (proxyware). I'm playfully calling this upStage Proxy (with a heroquest boardgame theme). More on the name will become clear in this article. The installer comes from 7zip[.]com, which, while looking professional, and having been around for quite some time, is in fact not the official site for the 7zip tool. The official site is 7-zip.org . *Update February 10, 2026: At this time the download link is now pointing to the official 7-zip.org download. The installer is signed by (now revoked) certificate:  "JOZEAL NETWORK TECHNOLOGY CO., LIMITED". The installer drops a version of 7zfm.exe that is also signed with this signer.  This version of 7zfm.exe differs from the official build in an important way, it has embedded within it 3 files ( upHreo.exe , hero.exe , and hero.dll ).  Analysis of this has been interesting, the main payloads are Go com...
    Read more

    TamperedChef: Suspicious Recipe App is really Malware

    Image
    Hello World!  Let me introduce you to a new malware I'm calling TamperedChef .  Yesterday I came across the article Malvertising Alert: Recipe App Hijacks Credentials and Appears to Establish C&C Connection . This got me curious, so I decided to dig a bit deeper. I manually went to recipelister ( VirusTotal )  and downloaded recipelister.exe.  After reading the aforementioned blog, which observed the 7z-out folder, I figured why not use 7zip to extract recipelister.exe. Within the compressed file was app-64.7z, which I again extracted I extracted using 7zip.  At this point we have the main contents of what would appear in "AppData\Local\Temp\2w1rXpxZnwDUwuTeNvdD6FUkeI0".  Extracting app.asar: In order to extract app.asar to be easier to look at, I used this 7z asar plugin .  This is where things get interesting. When we start looking at main.js, all the while running Fiddler, we  observe a lot of suspicious code and activity.  The main.j...
    Read more

    EvilAI: Fake Online Speedtest Application

    Image
    Several Windows applications that present themselves as legitimate utilities—Internet speed testers, “manual reader” and “finder” tools, certain PDF utilities, and even some AI search frontends such as   justaskjacky   have been observed to drop a portable Node runtime folder alongside a heavily obfuscated JavaScript payload. The visible executable performs as expected to the users, however the installer also extracts the Node runtime, a scheduled task, and  an obfuscated *.js file that don’t appear necessary for the application's primary function. That JavaScript is executed by the dropped Node instance via a scheduled task (observed to run on roughly a 12-hour cycle). Its capabilities include encoded/obfuscated network communications and the potential to execute arbitrary code delivered by the server. Because the JS runs independently from the main executable and is persistent via scheduled tasks, it significantly increases the attack surface:...
    Read more