Malicious
Installer spoofing VLC Media Player, signed by unknown publisher, flagged as OfferCore adware by tier-1 engines.
b5cea4d097ed872fa4…aa447c1263The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file exhibits a classic brand-spoofing pattern: the filename claims 'vlc-media-player-3.0.23-installer.exe', but the Authenticode signature is from 'SOFTONIC INTERNATIONAL SA', not VideoLAN (the legitimate VLC publisher). Three tier-1 engines (Microsoft, ESET-NOD32, DrWeb) converged on OfferCore, a known adware/PUA family, indicating genuine consensus rather than heuristic false positives. The signer has zero historical samples in our database, suggesting a newly registered or compromised certificate. The file is rare and brand-new (1 submission, 0 days old), consistent with a fresh adversarial campaign. Absence of sandbox behaviour data does not mitigate the tier-1 consensus on a known PUA family combined with clear brand spoofing.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
3 tier-1 engines (DrWeb, ESET-NOD32, Microsoft) flagged OfferCore/PUA variants — genuine consensus on a known adware family
signing.verified=true but signer='SOFTONIC INTERNATIONAL SA' with signerStats.found=false (zero historical samples) — unknown, unvetted publisher
Filename claims 'vlc-media-player' but signed by Softonic, not VideoLAN — classic brand spoofing pattern
prevalence.classification='rare_new' (1 submission, 0 days old) — brand-new file with adversarial signer + filename mismatch
similarHashes imphash match to prior 'safe' verdict is weak; that file (OmenCoreSetup) is unrelated product with different signer/labels
- File is signed (Authenticode verified=true) — not unsigned malware
- No malicious sandbox verdicts available (behaviour=null)
- No malicious dropped children or contacted hosts detected
- No external intelligence hits (CIRCL, MalwareBazaar, YARAify all negative)
- Tier-1 consensus on OfferCore PUA family (Microsoft, ESET-NOD32, DrWeb)
- Signer mismatch: claims VLC but signed by Softonic International SA
- Unknown signer with zero historical samples (signerStats.found=false)
- Brand-new file (0 days old, 1 submission) — fresh distribution campaign
- Rare prevalence (rare_new classification)
- Filename spoofing legitimate software (VLC Media Player)
Block and quarantine this file. Do not execute it. Download VLC Media Player only from the official VideoLAN website or trusted distribution channels. If already executed, perform a full system scan and monitor for unwanted software installations.
offercore corroborated by 2 sources
- VT (75 engines)offercore
- MT AI EngineOfferCore
12 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name
- vlc-media-player-3.0.23-installer.exe
- Size
- 2.03 MB
- MIME type
- application/x-msdownload
- Detected type
- Win32 EXE
- SHA-256
- b5cea4d097ed872fa4340efd32cea499ce311ce76997f374d7aa54aa447c1263
- MD5
- 556748955f650c6edb9b888eceb95f35
- SHA-1
- 2704195002682fb094053c7ecaef0b85217b9817
- PE imphash
- 88016fcdef7f227c62171d0afad9aae4
- First seen (VT)
- 6/8/2026, 2:55:11 PM
- Last analysis (VT)
- 6/8/2026, 2:55:11 PM
- First scan (MalwareTips)
- 6/8/2026, 2:56:07 PM
- Last scan (MalwareTips)
- 6/8/2026, 3:02:30 PM
- Code signer
- SOFTONIC INTERNATIONAL SAverified
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.