anyPDF decompilation - a highly evasive, fully undetected, signed PDF editor bundled with AdClicker Trojan and Spyware

26/01/2026 · ~10 min read

Tags: backdoor, spyware, adclicker, signed, evasion, undetected, c#, decompilation, dnspy, tamperedchef, malware analysis
Sponsored By Hudson Rock

Hudson Rock offers free cybercrime intelligence (including infostealer data). Thanks to their support I can spend more time creating valuable content.

VirusTotal analysis

initial VT scan

I came across this sample on VirusTotal and at first nothing at all seemed strange to me.

signature

The digital signature was valid and the file was fully undetected as of writing this report, but what stood out was a PureLogs infostealer family detection by a signature, visible in the comment by JaffaCakes118. It is rare for a specific infostealer signature to match a PDF editor, so I got to investigating.

VT comments

LessMSI extraction

For this static analysis, we are going to be using a network-isolated Windows 10 FlareVM. You can find FlareVM here.

The installer is an MSI and if you've read my previous report on Unpacking a malicious EXE & Node DLL from multi-stage MSI loader, you already know that we can use LessMSI to extract the MSI package's contents.

lessmsi

We will extract it to our desktop and now we can inspect the files one by one. We got 2 folders - anyPDF and PdfOpenDriver:

folder inspection

Extracted folders analysis

All the executables returned no flags on VirusTotal as of writing this:

Filename SHA256 Hash VirusTotal
PdfOpenDriver.exe ea09fb40963340b212833e796f229ff52e80c66c4354fbe1107cecc07d3c988a Link
PdfOpenDriverUpdater.exe ad8322170e39cb1ace157e0bb0bbffd71cf7e11f602c29f273109acc7329b579 Link
anyPDF.exe 3e4c6a39e2302ee42a1d51ce6093d8325839581ff8b4ad77ce12d2e9326fc839 Link
Downloader.exe 614104efb1c80099594f09c788b9ea5e03b65fa0405d60863baaa4b9dae20935 Link

Sigcheck (SysInternals) confirms the valid signature.

Sigcheck

DetectItEasy

Nothing we did so far really helped us identify the actual purpose of this software. It's time to open it in DetectItEasy. DIE is an awesome tool for malware analysis purposes that identifies the file type, packer and obfuscator.

DIE

We can see the files are all protected by .NET Reactor:

Protector: .NET Reactor(6.X)[Anti-Tamper + Anti-ILDASM]

I tried to open it in dnSpy (a debugger and .NET assembly editor, GitHub) to demonstrate how it looks when it is protected by .NET Reactor.

DIE

.NET Reactor Slayer

Did you get lost after reading the first few lines? No worries, same here. Luckily for us, we can reverse this protection using an open-source tool called .NET Reactor Slayer (GitHub).

We will start with the PdfOpenDriver.exe file and then we will analyze all 4 of them. It is crucial we analyze them one by one as one of them may be legitimate and the rest malware or the other way around.

.NET Reactor Slayer

PdfOpenDriver.exe - dnSpy decompilation

After deobfuscating, it created a file called PdfOpenDriver_Slayed.exe which should be way easier to analyze in dnSpy. Let's see if that's true!

.NET Reactor Slayer

Looks way better now, doesn't it? It seems like it got correctly decompiled. Now we can actually dig in the source code without anything preventing us from doing so.

I want you to pay attention to the methods first, because these alone already tell us a lot, primarily that this isn't a PDF editor.

Methods

Some interesting methods are the browser-related ones: IsAppInstalledTwoWeeksAgo, OverrideBrowserCrashReport, AnalyseBrowserHistory, PdfTimerTask, OpenAdUrlInHiddenBrowser, OnWindowDetectedMethod, IsAppBeingRunByProUser, GetAutoUpdaterData.

Let's leave methods and go straight for the source code.

Mutex check

In the first few lines, we can see it sets a mutex. A mutex is an object used to ensure that only a single instance of the executable runs. If you have two instances of the same executable accessing the same resources, files and so on, it is, of course, going to cause issues, and that is why, if it detects its own mutex, it shuts the application down.

Mutex check

The source code has over 1600 lines, so I will be going over the most important and interesting parts of it, as covering and commenting on every part and method would take a very long time.

Updater

This code fragment reveals the instructions for updating the application. This ultimately opens the door for any piece of malware to be run if whoever is behind this malware decides to ship it with the next update.

We see the hardcoded JsonUrl, https[:]//peedeef[.]com/openup/uptime/default; if we open it in our browser, it returns the following content:

{
    "id": "j3uj4b5uv7djskkk2bhw",
    "info": {
        "number": "2.0.0.0",
        "way": "https[:]//peedeef[.]com/openup/uptime/new/pdfOpenDriver_2.0.0.0.zip"
    }
}

updater zip

The defanged URL contains the PdfOpenDriver.exe that we are currently analyzing and PdfOpenDriverUpdater.exe that is located in the same folder. Because we have the newest version, the downloaded ZIP file contains identical files to the ones we extracted from the MSI package.

Updater

Surprisingly enough, there is a check to see if more than 14 days have passed since installation time. After 14 days, a check whether it is running in a virtual machine (IsAppRunningInVirtualMachine) follows, and IsAppBeingRunByProUser checks whether it is being run alongside malware analysis tools.

Analysis software check

Here we can see the malware analysis app checks. Some popular ones include:

  • dnSpy
  • Telerik
  • ILSpy
  • Postman

VMCheck

And here we can see the virtual machine checks. They seem pretty basic: they block the most popular ones, but the sample does not appear to depend entirely on not executing in VMs.

DefaultBrowser

Here we can see the mechanism that gets the default browser set in Windows. We are slowly getting to the core of this executable.

I will now create a small list of methods and their code snippets that I found interesting and deserve to be mentioned in this report. After reading this list, you may figure out the intention:

OverrideBrowserCrashReport

Replaces the content of prefs.js (Firefox) and Preferences (Chrome/Edge) so that crash reports are not displayed, then removes the folder containing the crash reports

OverrideBrowserCrashReport

AnalyseBrowserHistory

Copies the browser history files into its own database file and then runs SQL queries to filter URL addresses based on the ad server C2

AnalyseBrowserHistory

OpenAdUrlInHiddenBrowser

Opens an ad URL in a hidden browser; every browser has a specific command-line argument used to start it as hidden as possible

OpenAdUrlInHiddenBrowser

OnWindowDetectedMethod

Catches the newly opened window and hides it from the user using SetWindowLong: removes it from Alt+Tab and makes it 100% transparent

OnWindowDetectedMethod

PdfTimerTask

Every second, looks for any URL in the history ending with .pdf and sends it to the C2; duplicate PDFs are not sent

PdfTimerTask

CheckIfAnyAdUrlWasCalledTwice

Checks whether any hidden ad was called twice; if an ad URL has more than one visit in the history, the user is likely investigating the suspicious browser behavior, so this ends up blocking the user's device and the malware immediately stops itself

CheckIfAnyAdUrlWasCalledTwice
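The browser history analysis described above can be turned around for detection. The following Python script is an added example, not code from the sample or from the author: it copies a Chromium History database (the file is locked while the browser runs), queries the copy for visits to the abused ad server domain from the IoC section, and flags any ad URL visited more than once, the same signal CheckIfAnyAdUrlWasCalledTwice looks for. The History file is constructed inline with a simplified urls table; the domain list and the "visited twice" threshold are assumptions taken from this report.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Domain to hunt for, taken from this report's IoC table (assumption: one domain is enough here).
AD_SERVER_DOMAINS = ("proxsrv.com",)

def copy_history(history_path: Path) -> Path:
    """Chromium keeps History locked while the browser runs, so always query a copy."""
    work = Path(tempfile.mkdtemp()) / "History_copy"
    shutil.copy2(history_path, work)
    return work

def hunt_ad_visits(history_path, domains=AD_SERVER_DOMAINS):
    """Return [(url, visit_count, user_opened)] for visits to the ad domains.
    user_opened is True when visit_count > 1, i.e. a human reopened the hidden ad."""
    con = sqlite3.connect(copy_history(Path(history_path)))
    try:
        hits = []
        for dom in domains:
            rows = con.execute(
                "SELECT url, visit_count FROM urls WHERE url LIKE ? OR url LIKE ? "
                "ORDER BY visit_count DESC",
                (f"%://{dom}/%", f"%.{dom}/%"),
            ).fetchall()
            hits.extend((url, count, count > 1) for url, count in rows)
        return hits
    finally:
        con.close()

def build_sample_history(path):
    """Constructed stand-in for a Chromium History DB: only the urls columns we query."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER)")
    con.executemany("INSERT INTO urls(url, title, visit_count) VALUES (?, ?, ?)", [
        ("https://example.com/", "Example Domain", 3),
        ("https://proxsrv.com/landing?x=1", "", 1),  # hidden ad opened once by the malware
        ("https://proxsrv.com/landing?x=2", "", 2),  # opened twice: the user looked at it
        ("https://example.com/report.pdf", "report", 1),
    ])
    con.commit()
    con.close()

def demo():
    """Build the constructed History file, hunt it and return the hit list."""
    history = Path(tempfile.mkdtemp()) / "History"
    build_sample_history(history)
    return hunt_ad_visits(history)

if __name__ == "__main__":
    for url, count, user_opened in demo():
        print(f"{count:>3}  {'USER-OPENED ' if user_opened else ''}{url}")
```

On a real host, point hunt_ad_visits at the browser profile's History file instead of the constructed one.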

PdfOpenDriverUpdater.exe - dnSpy decompilation

Just like we did with PdfOpenDriver.exe, we will run the updater executable through .NET Reactor Slayer and work with the slayed version. There isn't much to this file, honestly; just like the name says, it is an updater.

I will only pinpoint the important mechanisms of this updater.

Mutex

This one sets the mutex to FirefoxSurfAutoUpdater.

Word communication

And here we have another server URL, https[:]//anyprx.com/hjfd. The communication is masked: instead of direct instructions like get_payload or download_file, it uses casual English words.

There is nothing really interesting to this updater.

anyPDF.exe - dnSpy decompilation

anyPDF 1

anyPDF 2

This file is the actual working PDF viewer. To be honest, it works quite well. If there wasn't an ad clicker malware shipped with it, I would use it if I needed a PDF editor.

The only significant thing happening in this file is that it micromanages, a little, the actual malicious part of this software: PdfOpenDriver.exe.

I will use strings (Sysinternals) to extract strings with the command:

strings.exe -u anyPDF_Slayed.exe >> anypdf_strings.txt

and then to filter out the websites using:

type "anypdf_strings.txt" | findstr.exe "https://"

We get the following URLs:

https://qrs.anypdf.com/apel
https://qrs.anypdf.com/apelwr
https://qrs.anypdf.com/apelwr-2
https://localhost:44369/api/Records
https://get.anypdf.com/appupd/lv

The https://get.anypdf.com/appupd/lv URL is the update URL that downloads the newest version of the actual PDF viewer app. That, however, doesn't mean that the next shipped update wouldn't contain even more malware.
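The strings/findstr step above can be reproduced in Python. This is an added example, not the author's tooling: it scans a byte blob for both ASCII and UTF-16LE printable runs and keeps only the https:// matches. .NET stores ldstr user strings in the assembly's #US heap as UTF-16, so an ASCII-only pass misses them, which the example makes visible. The blob is constructed here and only reuses two URLs from this report, not bytes from the real sample.

```python
import re

# Constructed sample blob: one URL stored as ASCII, one as UTF-16LE (the way .NET keeps
# user strings in the #US heap), plus filler bytes. Not taken from the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03junk\x00"
    + b"https://get.anypdf.com/appupd/lv\x00"
    + b"\x00\x00\xff\xfe"
    + "https://qrs.anypdf.com/apel".encode("utf-16-le")
    + b"\x00\x00garbage\x7f\x80\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_strings(data: bytes, min_len: int = 4):
    """Yield (encoding, text) for printable ASCII runs and printable UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")

def find_urls(data: bytes, encodings=("ascii", "utf-16le")):
    """Unique https:// URLs found in the selected encodings (the findstr step)."""
    found = set()
    for enc, text in extract_strings(data):
        if enc in encodings:
            found.update(URL_RE.findall(text))
    return sorted(found)

if __name__ == "__main__":
    for url in find_urls(SAMPLE):
        print(url)
    missed = set(find_urls(SAMPLE)) - set(find_urls(SAMPLE, ("ascii",)))
    print("ASCII-only scan misses:", missed)
```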

Some methods worth mentioning:

StopAndChangeDhtIfNewOneExists

Checks whether a new updated version of PdfOpenDriver.exe exists (it would be named PdfOpenDriver_new.exe); if it does, it kills the running one, deletes the old executable, renames the new one to PdfOpenDriver.exe and restarts it

StartDhtIfNotRunning

Checks whether PdfOpenDriver.exe is running; if not, restarts it silently

SendStartEvent

Contacts the C2 about executing on a device and also tracks whether this is the first run

StartNamedPipeClient

Starts a new background thread that runs in a loop with a named pipe called "anyPDF". PdfOpenDriver.exe is able to communicate with this executable through the anyPDF pipe.

Downloader.exe - dnSpy decompilation

Downloader serves as a command line tool. It accepts plenty of arguments and can do various actions, such as:

  • downloading files
  • executing files
  • installing files
  • terminating processes
  • extracting archives
  • modifying registry values
  • restarting main payload
  • deleting files
  • moving files

The main danger here is the fact that all of these can be controlled through a C2.

Downloader

Final verdict

So, we've seen plenty of functions, some malicious, some benign. What would this sample be classified as?

anyPDF is an Adclicker Trojan and a Backdoor: it displays hidden ads on your device and simulates ad clicks to generate revenue for the attackers. It has the capability to steal PDF-related files that you open in your web browser and would be able to send your browsing history to the C2 if instructed to do so.

It is a highly evasive sample protected with .NET Reactor deploying many anti-analysis tool checks and antivirus evasion techniques, notably a 14 day time lock before proceeding with malicious activities, WMI-based sandbox detection and pauses between commands to not raise suspicion over high CPU usage.

It is able to update its main payload and also its PDF viewer application via command and control servers. Using its C2 server, it is able to download, execute, delete and move files and modify the registry.

As of now, 26/01/2026, anyPDF executables & URLs still have no detections from antimalware vendors and a valid digital signature.

IoC

Files

Filename SHA256 Hash VirusTotal
PdfOpenDriver.exe ea09fb40963340b212833e796f229ff52e80c66c4354fbe1107cecc07d3c988a Link
PdfOpenDriverUpdater.exe ad8322170e39cb1ace157e0bb0bbffd71cf7e11f602c29f273109acc7329b579 Link
anyPDF.exe 3e4c6a39e2302ee42a1d51ce6093d8325839581ff8b4ad77ce12d2e9326fc839 Link
Downloader.exe 614104efb1c80099594f09c788b9ea5e03b65fa0405d60863baaa4b9dae20935 Link

URL

URL Description
https[:]//anypdf[.]com/ Main infection source, download URL, legitimate looking website
https[:]//peedeef[.]com/openup/uptime/default Updater URL for main payload (PdfOpenDriver.exe)
https[:]//get[.]anypdf[.]com/appupd/lv Updater URL for actual PDF editor (anyPDF.exe)
https[:]//anyprx[.]com/hjfd Backup updater URL
https[:]//qrs[.]anypdf[.]com/apel C2
https[:]//qrs[.]anypdf[.]com/apelwr C2
https[:]//qrs[.]anypdf[.]com/apelwr-2 C2
https[:]//peedeef[.]com/openup/uptime/new/pdfOpenDriver_2.0.0.0.zip Direct download for updated main payload (PdfOpenDriver.exe)
https[:]//get[.]anypdf[.]com/appupd/new/anypdf_1_5_0_0.zip Direct download for updated actual PDF editor (anyPDF.exe)
https[:]//proxsrv[.]com/ Abused ad server from PropellerAds

File paths

File path Description
%LocalAppData%\PdfOpenDriver\ Main payload file structure path
%LocalAppData%\anyPDF\ Main PDF editor file structure path

Digital signatures

Name Description
Lupus Tech Limited Suspicious signature used for anyPDF software

Thank you for reading this analysis.
