home

pdfreadersetup.exe

IronSource Ltd

The application pdfreadersetup.exe by IronSource has been detected as a potentially unwanted program by 6 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from soft.foxtab.com.
Publisher:
IronSource Ltd  (signed and verified)

MD5:
3df0c41f0bbe81b014d50199068d184f

SHA-1:
e57c004d4fd85d96c581714b33e576a2aba11b8c

SHA-256:
2b310f772b5545e341ce706a8de18d01b6fae8c657094e55fde11edbc1f284c3

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/19/2024 4:01:02 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:InstallCore-HF [PUP]
160214-1

AVG
Adware InstallCore.ZX
2015.0.4522

Dr.Web
Adware.Downware.294
9.0.1.05190

ESET NOD32
Win32/InstallCore.BH potentially unwanted application
7.0.302.0

F-Prot
W32/InstallCore.F_2.gen
4.6.5.141

Reason Heuristics
PUP.ironSource.Installer (M)
16.2.16.8

File size:
587.9 KB (601,992 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\pdfreadersetup.exe

Digital Signature
Signed by:
IronSource Ltd

Authority:
COMODO CA Limited

Valid from:
11/8/2011 12:00:00 AM

Valid to:
11/7/2012 11:59:59 PM

Subject:
CN=IronSource Ltd, O=IronSource Ltd, STREET=Namal 36 suit 1, L=Tel Aviv-Yafo, S=IL, PostalCode=68033, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008E236034501AEA96AE96F0B0FD227271

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:I9ghsoCF6PEloRCE5Zrv0acuOD5ZZJx+t7RdY7WlI/GIgpf:IACnloRCE5ZDSdZH0DY7W+/Gtpf

Entry address:
0x119620

Entry point:
60, BE, 00, F0, 48, 00, 8D, BE, 00, 20, F7, FF, C7, 87, 10, B7, 0C, 00, B0, F3, B2, D7, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
556 KB (569,344 bytes)

The file pdfreadersetup.exe has been seen being distributed by the following URL.

http://soft.foxtab.com/pdf-reader/gb/.../?dl=1

Remove pdfreadersetup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.