pdftoword_setup.exe

Rspark LLC

pdftoword_setup.exe, published by Rspark LLC, is a setup application built on the OutBrowse Revenyou installer and has been flagged as adware by 11 of the 68 anti-malware scanners used here. The setup routine uses the RevenYou.com pay-per-install platform (OutBrowse), which bundles offers for additional third-party software, including toolbars, browser extensions, PC utilities and other potentially unwanted programs (PUPs), that may be installed without the user's informed consent. The file carries a valid Authenticode signature from Rspark LLC; a valid signature identifies the publisher but says nothing about whether the bundled offers are wanted or harmless.
Publisher:
Rspark LLC  (signed and verified)

MD5:
170d217ee9b4528d2ed024fdc34d41ec

SHA-1:
4f42c6b925ef53000a72b6990ddd967d3df879c0

SHA-256:
eda791c13f912f59a5dfaf1b04e00e983a1dd3bf1861ff1883110758a40b5e73

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
5/10/2024 5:02:45 PM UTC

Scan engine             Detection                        Engine version
Agnitum Outpost         PUA.OutBrowse                    7.1.1
Avira AntiVirus         APPL/Downloader.Gen              7.11.169.150
AVG                     Generic                          2015.0.3367
Dr.Web                  Trojan.Packed.28499              9.0.1.0241
ESET NOD32              Win32/OutBrowse.AI (variant)     8.10324
Malwarebytes            PUP.Optional.Outbrowse           v2014.08.29.06
McAfee                  Artemis!170D217EE9B4             5600.7023
Reason Heuristics       PUP.Installer.Rspark.P           14.8.29.18
Sophos                  OutBrowse                        4.98
Trend Micro House Call  Suspicious_GEN.F47V0815          7.2.241
VIPRE Antivirus         OutBrowse                        32594

File size:
619.8 KB (634,712 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pdftoword_setup.exe

Digital Signature
Signed by:
Rspark LLC
Authority:
COMODO CA Limited

Valid from:
2/11/2014 7:00:00 PM

Valid to:
2/12/2015 6:59:59 PM

Subject:
CN=Rspark LLC, O=Rspark LLC, STREET="2929 1st ave #405", L=Seattle, S=Washington, PostalCode=98121, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00E4DA7826149424E5DF9F3646FF2E80B9

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:vTb8jNw+nH/+jclz7FUYs7846vMb9Fe7brjhdQViAIMagxQzBwWgfc8vy4hs:vTbsdFUYs78Hkr+bvhphMCzBwA86b

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9806

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
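As an added example (not part of the original page and not Reason Core Security's own tooling), the following Python script reproduces the checks behind the hash, entropy and PE metadata fields above: it compares a file against the page's listed hashes and size, computes byte entropy as a packing hint, and reads the compile timestamp, entry point, OS and linker versions, subsystem and code size directly from the PE headers. The real sample is not included, so the script also builds a constructed minimal PE32 image carrying the page's header values for offline runs; the compilation timestamp is assumed to be UTC.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Indicators copied from this page for pdftoword_setup.exe.
KNOWN_HASHES = {
    "md5": "170d217ee9b4528d2ed024fdc34d41ec",
    "sha1": "4f42c6b925ef53000a72b6990ddd967d3df879c0",
    "sha256": "eda791c13f912f59a5dfaf1b04e00e983a1dd3bf1861ff1883110758a40b5e73",
}
KNOWN_SIZE = 634712  # bytes

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file, lower-case hex, as listed on the page."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}


def matches_known_sample(data: bytes) -> bool:
    """True only if size and all three hashes match the page's indicators."""
    return len(data) == KNOWN_SIZE and file_hashes(data) == KNOWN_HASHES


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits (0..8). Values near 8, like the page's 7.9806,
    are typical of compressed or packed payloads such as an NSIS archive."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_header(data: bytes) -> dict:
    """Pull the fields shown under 'File PE Metadata' straight out of the
    DOS header, COFF file header and optional header (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, _nsections, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    linker_major, linker_minor = struct.unpack_from("<BB", data, opt + 2)
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)  # same offset for PE32/PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "bitness": {0x10B: "Win32", 0x20B: "Win64"}.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "os_version": f"{os_major}.{os_minor}",
        "linker_version": f"{linker_major}.{linker_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_address": hex(entry_rva),
        "code_size": size_of_code,
    }


def build_constructed_pe() -> bytes:
    """CONSTRUCTED minimal PE32 image for offline testing. It is not the real
    sample; only the header values are taken from this page (timestamp assumed UTC)."""
    ts = int(datetime(2009, 12, 5, 17, 50, 52, tzinfo=timezone.utc).timestamp())
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)  # i386, 1 section, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<BB", opt, 2, 6, 0)       # linker version 6.0
    struct.pack_into("<I", opt, 4, 24064)       # SizeOfCode
    struct.pack_into("<I", opt, 16, 0x30FA)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)      # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)          # Windows GUI subsystem
    return dos + b"PE\0\0" + coff + bytes(opt)


def triage(data: bytes) -> dict:
    """One-shot triage record: IOC match, entropy-based packing hint, PE fields."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "ioc_match": matches_known_sample(data),
        "entropy": round(entropy, 4),
        "likely_packed": entropy > 7.0,
        "pe": parse_pe_header(data),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with a path to a suspect file to get the same fields the page lists; with no argument it triages the constructed image. A hash match is the only strong identification here; high entropy merely says the body is compressed, which is expected for any NSIS installer, so it supports the "packed" label without proving malice.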

The file pdftoword_setup.exe has been observed being distributed from the following URL.

Remove pdftoword_setup.exe - Powered by Reason Core Security