pdfreader.exe

PDF Reader

Download Manager

This is part of the Air Installer, a download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application pdfreader.exe, “PDF Reader ” by Download Manager has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the AirInstaller Download Manager installer. The file has been seen being downloaded from files.downloadd.org.
Publisher:
Download Manager   (signed by Download Manager)

Product:
PDF Reader

Description:
PDF Reader

Version:
2.0.6.9

MD5:
71b529b567efc702120e7ad70cdc956e

SHA-1:
c3847a485c8c5133283f8a1cd08f634bc1928e95

SHA-256:
a8a17c8063f3c57ed831ff588e2a41082c13fd36ddc1a62c2c7836b88ffdac37

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/23/2024 10:52:53 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Air Software (M)
16.8.4.10

File size:
752.9 KB (770,992 bytes)

Product version:
2.0.6.9

Copyright:
(c) Download Manager

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
AirInstaller Download Manager

Language:
English (United States)

Common path:
C:\users\{user}\downloads\pdfreader.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/7/2013 8:00:00 PM

Valid to:
6/8/2014 7:59:59 PM

Subject:
CN=Download Manager, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Download Manager, L=Vancouver, S=British Columbia, C=CA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
428E8B7C1AC548D083F4D3A0C5FDAF4C

File PE Metadata
Compilation timestamp:
5/6/2014 2:38:39 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:kpg3L0A+HAtT276Veri5TuA/tG3ctxxADeT6ynD1yrsj3pX8xSYHNeZZ:H3oAPS76Veri5R/tGgDbD1yrsbdiSYUr

Entry address:
0x25A418

Entry point:
60, E8, 00, 00, 00, 00, 58, 05, 5A, 0B, 00, 00, 8B, 30, 03, F0, 2B, C0, 8B, FE, 66, AD, C1, E0, 0C, 8B, C8, 50, AD, 2B, C8, 03, F1, 8B, C8, 57, 51, 49, 8A, 44, 39, 06, 88, 04, 31, 75, F6, 2B, C0, AC, 8B, C8, 80, E1, F0, 24, 0F, C1, E1, 0C, 8A, E8, AC, 0B, C8, 51, 02, CD, BD, 00, FD, FF, FF, D3, E5, 59, 58, 8B, DC, 8D, A4, 6C, 90, F1, FF, FF, 51, 2B, C9, 51, 51, 8B, CC, 51, 66, 8B, 17, C1, E2, 0C, 52, 57, 83, C1, 04, 51, 50, 83, C1, 04, 56, 51, E8, 5E, 00, 00, 00, 8B, E3, 5E, 5A, 2B, C0, 89, 04, 32, B4, 10...
 
[+]

Entropy:
7.9354

Packer / compiler:
ASPack v1.08.04

Code size:
1.6 MB (1,722,880 bytes)

The file pdfreader.exe has been seen being distributed by the following URL.

Remove pdfreader.exe - Powered by Reason Core Security