home

pdffactory_1502761752824523444gc.exe

Installer

The application pdffactory_1502761752824523444gc.exe by Installer has been detected as adware by 10 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from dw.cbsi.com.
Publisher:
Installer  (signed and verified)

MD5:
d2d1a1d0f350e71caf77fa2e44c8adc9

SHA-1:
665f3b8a0a704412eb8dbca8b06fe8a0e01c0931

SHA-256:
153ce9e0598de5637f81a7fc7093cf3c5b0349c773e164e9a98b4ea0b508423f

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
4/26/2024 6:46:03 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
APPL/Downloader.Gen
7.11.177.88

avast!
InstMonetizer-BB [PUP]
2014.9-150403

AVG
Downloader
2016.0.3151

Dr.Web
Adware.Downware.8742
9.0.1.05190

ESET NOD32
Win32/InstallMonetizer.AZ potentially unwanted application
9.7.0.302.0

herdProtect (fuzzy)
variant of minecraft_1502681408849575446433gc.exe (Adware)
2015.7.8.0

K7 AntiVirus
Trojan
13.202.15469

Reason Heuristics
PUP.Installer
15.4.3.9

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.15401

VIPRE Antivirus
Threat.4866784
33706

File size:
715.3 KB (732,496 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\pdffactory_1502761752824523444gc.exe

Digital Signature
Signed by:
Installer

Authority:
COMODO CA Limited

Valid from:
1/8/2014 6:00:00 PM

Valid to:
1/9/2015 5:59:59 PM

Subject:
CN=Installer, O=Installer, STREET=5655 Silver Creek Valley Road, L=San Jose, S=CA/Santa Clara, PostalCode=95138, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A38705F2C2D84829915877C84CAD2D2E

File PE Metadata
Compilation timestamp:
12/5/2009 4:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:nt0DJT7ZCipmVp1whyVq9t2KiNrncTajAIzTNeVuJd5A8gvVbJd5A8d:SKwhOq9mJcTajAI3gVuJd5A8gvVbJd5P

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9487

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file pdffactory_1502761752824523444gc.exe has been seen being distributed by the following URL.

http://dw.cbsi.com/redir?edId=3&tag=sem_dlnow&lop=google_sem&pid=13115929&mfgId=69440&merId=69440&ctype=dm;language&cval=CBSI;en&destUrl=http://onecall.installer.download.com/dl/download.php?bid=150&did=fivemill&cid=SEM-SEO2&aid=23444_6088377409_72130711&productid=23444&dest_url=http://.../3056-2092_4-23444.html&oid=3028-2092_4-23444&ontId=2092_4&siteId=4&pguid=af76aeb91bf8fca791df31a2

Remove pdffactory_1502761752824523444gc.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.