Win32:Trojan X-Gen alert when using Aspose.PDF.Facades


We have started getting reports from customers running Avast anti virus (and also AVG antivirus):
Avast_AntiVirus_1.png (34.4 KB)
Avast_AntiVirus_2.png (32.1 KB)

The report is about some temporary DLL file probably created by your code.
Here is the exception details I get in my program:
Exception_details.jpg (255.5 KB)
(Forgive the Hebrew text… this is my client’s computer language).
I can not make anything out of this exception since all your code is obfuscated.

What might be the cause of this? Does it make any sense Aspose.PDF creates some kind of temporary DLL file?


Can you please share a bit more details like when you are observing this issue? Which code snippet are you using? Please share some sample file as well along with the code snippet so that we can further test and investigate the issue.

The exception is thrown on the first line of code, when creating the formatted text.

        // Prepare the page num text stamp
        Aspose.Pdf.Facades.FormattedText pageNumText = new Aspose.Pdf.Facades.FormattedText(
            "- # -",
            Color.FromArgb(230, 230, 230),

        Aspose.Pdf.PageNumberStamp pageNumStamp = new Aspose.Pdf.PageNumberStamp(pageNumText)
            Background = false,
            Draw = false,
            HorizontalAlignment = Aspose.Pdf.HorizontalAlignment.Center,
            VerticalAlignment = Aspose.Pdf.VerticalAlignment.Bottom,
            BottomMargin = 10

I can not reproduce this on my development machine, but I have several customers now that have this problem.
As mentioned before, it has something to do with a DLL file created in the temp directory and the Anti Virus file blocking it.

OR It might not be related at all, but since your call stack is obfuscated, I can not tell you any more details.

Does it make any sense to you that calling the code I’ve posted above creates some kind of a DLL file inside the temporary directory?


No, it does not seem like this code can cause any issues. Furthermore, we were also unable to notice this issue. Can you please share the Stack Trace and Exception message in text format so that we can translate it. We will log an investigation ticket to analyze this particular case and share the ID with you.

I have succeeded in reproducing this behaviour in a virtual machine.
It seems the blocked DLL file is related to Adobe Acrobat Font system. And is blocked for some reason when using AVAST antivirus. Other antivirus software does not see this file as a threat.
Here is the file: (5.4 KB)

The exception call stack is:

System.IO.FileNotFoundException: Could not load file or assembly 'zx_6ca87a8ac96e4ffdcc25a42fa6ca134b, PublicKeyToken=716fcc553a201e56' or one of its dependencies. The system cannot find the file specified.
File name: 'zx_6ca87a8ac96e4ffdcc25a42fa6ca134b, PublicKeyToken=716fcc553a201e56'
   at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)
   at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
   at System.Reflection.Assembly.Load(String assemblyString)
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=zKVHggZ1_5wkVQGf6m2tgBx$o_wcv.#=zUNE$Ro47Q7CXlKLmW7Cyx6Xrchde(String #=zCH93qV0IbFsyO73aue$Hv98=)
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=zKVHggZ1_5wkVQGf6m2tgBx$o_wcv.#=zXO7mcXddLJEhAVcnRwZdHHhM7bf_()
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=z703v_w8WpnRP_WU5siYeTzrrhVML(String #=zDpg7s1Y=)
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=zdAJFXH3_ZOV1syhCPMjJoEPkL$gt(Object #=zHCPYdokyZUZAtRl6VB_kJv4IgGRI, ResolveEventArgs #=zlG_N4VKOdi0mw7pt2GiAQiEsieWM)
   at System.AppDomain.OnResourceResolveEvent(RuntimeAssembly assembly, String resourceName)
   at System.Reflection.RuntimeAssembly.GetResource(RuntimeAssembly assembly, String resourceName, UInt64& length, StackCrawlMarkHandle stackMark, Boolean skipSecurityCheck)
   at System.Reflection.RuntimeAssembly.GetManifestResourceStream(String name, StackCrawlMark& stackMark, Boolean skipSecurityCheck)
   at System.Reflection.RuntimeAssembly.GetManifestResourceStream(String name)
   at #=zskhzHJbE178UXJdB_7BdIXVOH1TF.#=zM5b4svxSehU3(String #=zP_SR9xs=, String #=zEWee1c0=, Assembly #=z4NVTHgs=)
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zR0g4ARSaE61W(String #=zDE4fUF8=)
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zpnQ_y9xzRmt$()
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zWjSRquod8wKu()
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zH6LpWMT3K3qP()
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zkl22QJg=()
   at Aspose.Pdf.Text.FontRepository.FindFont(String fontName)
   at Aspose.Pdf.TextStamp.#=zhIKFc2EIcL0H()
   at Aspose.Pdf.Facades.FormattedText.#=z$hXHGiaBqL8Q()
   at Aspose.Pdf.Facades.FormattedText..ctor(String text, Color textColor, Color backColor, FontStyle textFont, EncodingType encoding, Boolean embedded, Single textSize)
   at Odcanit.Platinum.Core.Documents.Builder.PdfDocument.BuildTocAndStampAllPages(TempFileStream sourcePdf) in C:\Users\Nir\Documents\Projects\Odcanit.Platinum.Core\Odcanit.Platinum.Core.Documents\Builder\PDFDocument.cs:line 539
   at Odcanit.Platinum.Core.Documents.Builder.PdfDocument.SavePdf(String outputFilename) in C:\Users\Nir\Documents\Projects\Odcanit.Platinum.Core\Odcanit.Platinum.Core.Documents\Builder\PDFDocument.cs:line 234

After further investigating the DLL file (attached in my previous post) I saw there is a resource in that DLL:


It seems this DLL is related to Aspose.

Sending the DLL file to results in:
image.png (118.0 KB)


Thanks for sharing these details.

We have opened an investigation under the ticket ID PDFNET-51256 in our issue tracking system. We will definitely analyze it and let you know as soon as it is resolved. Please be patient and spare us some time.

We are sorry for the inconvenience.

We have more and more customers that reports this issue.
My guess it has something to do with Avast/AVG antivirus updating their virus signature files, and now the DLL that Aspose.PDF creates (for some strange reason) is detected as a trojan!

You must solve this issue in high priority!


Your concerns have been recorded and we will surely inform you as soon as we analyze and fix this issue. Please spare us some time.

We apologize for your inconvenience.


We are investigating the issue. The API should not create any DLLs in a temporary directory, we don’t have any code which could do this. We could suspect that DLLs in our MSI are infected but we are trying to reproduce the issue with your code with the latest published release and still, no new DLL in the temp directory was created.

Could you please share the configuration and environment details of the VM in which you have reproduced the issue? Also, please confirm if you tested using the latest version of the API.

Try to install AVG or Avast anti virus. It has a free version and can be installed without any payment.

After that try to run the code and see what happens. I could reproduce the issue like this.


We did try to test after installing Avast/AVG antiviruses but could not replicate the behavior. We will continue to do so and let you know in case we need more information.

What could you tell from the call stack?


we have exactly the same problem reported by customers. Since this is a false positive detection, we have reported the problem to Avast. Avast has promised a solution until the next update in about 24 hours.


The question is why is this DLL created in the temp folder in the first place?
Aspose claim they do not create any DLL…


As far as the Stack Trace is concerned, we reviewed it and the encrypted part of it is from the obfuscator. We can only say that the code is related to the font loading but the strange thing is that we do not produce/create any DLLs. We are still trying to reproduce the issue and will inform you once we have some feedback to share.