- April 18, 2025
PDFast Compromise - PDFMaker Reskin Update
Updated to include discovery of the PDFMaker reskin. Beazley Security MXDR Teams recently observed a “free Word-to-PDF converter” exhibiting suspicious activity across client environments.
Executive Summary
Beazley Security MXDR Teams recently observed a “free Word-to-PDF converter” exhibiting suspicious activity across multiple environments. While we are not the arbiters of quality, PDFast does not scream legitimacy. Once installed, the software attempted to run an unusual, automated update routine that downloads and drops obfuscated files and launches PowerShell commands to check the environment's configuration. For a PDF converter tool, it also appears to be very concerned with whether it is executing within a VM.
Beazley Security teams have implemented preventative measures against this threat, and Beazley Security MXDR client environments are protected.
Update - PDFMaker Reskin
About a month ago, BSL reported on “PDFast”, software that created a flurry of activity when it unexpectedly kicked off suspicious update routines across several victim environments. While continuing to research this threat, BSL discovered a reskin of the PDFast malware called “PDFMaker”.

Figure 1 – PDFMaker Download Lure
The sister software is currently made available at webfreepdf[.]com and keeps things in the PDFamily with a similar layout, purporting to process data with its PDF conversion capability.

Figure 2 – PDFast to PDFMaker reskin
BSL looked under the hood and, unsurprisingly, discovered the same structure and ‘features’ were present. Another updater, tasked to beacon home every hour, is provisioned on installation of the PDFMaker software. Instead of the previous ‘upd.exe’ PE responsible for triggering updates within PDFast, the authors rebranded it as a PE named ‘PDRefresh.exe’.

Figure 3 – PDFRefresh Scheduled Task
Observed behavior is consistent with PDFast. When the PDRefresh PE is run, the file ‘beacons’ to an endpoint (*.pdf-maker-data[.]com/*) and receives encrypted communications back. Labs believes this is a C2 mechanism constructed in the same way as the PDFast infrastructure, which was eventually leveraged to trigger the earlier malicious update campaign.
The sampled installer for PDFMaker appears to have been packaged on Wednesday, May 14th, and is signed by “KRZADROPSHIP PRIVATE LIMITED” (mrauthan1992@gmail[.]com), while domain registration information reveals that the sister product was conceived in late 2024.

Figure 4 – PDFMaker Domain Registration and Signature
On the surface, some may classify this as potentially unwanted software. BSL believes history may repeat itself, as the software could again be leveraged as a lure to drop malware in the future.
Indicators have been updated to reflect this variant in the IoCs section of this report and BSL will continue to monitor the situation.
PDFast PDF Conversion Tool
PDFast is advertised as a PDF conversion tool. The website claims that PDFast can convert several file formats, such as Microsoft Word and Excel, into PDF. The tool also states it can convert PDF files into other editable formats such as Word and PowerPoint. PDFast can be freely downloaded from https[:]//pdf-fast[.]com/, as illustrated below.

Figure 1: PDFast website

Figure 2: PDFast features as advertised on website
The PDFast installer is packaged as an executable that unpacks a standard MSI file. From the sample Beazley Security Labs (BSL) downloaded, the PDFast installer appears to have been built very recently, around April 8th, 2025, and is signed by “AL STARE LLC,” with an email address of fm760984@gmail[.]com. The domain hosting the PDFast installer appears to have been created last year, in May of 2024. It cannot be discounted that the domain was purchased with forethought to lure users into downloading this software.

Figure 3: PDFast Installer Information and domain registration
Suspect Update Routine
On investigation, Beazley Security MXDR discovered suspicious update activity from the software: specifically, the updater process downloads a base64-encoded binary. Once downloaded, this binary is decoded, written to disk as pdf.exe and executed.

Figure 4: PDFast Suspicious Updater Execution
In testing, the pdf.exe binary would not execute and unpack its files unless it was given specific parameters: a --safetorun switch followed by --ch and -x.
Similarly, the unpacked PE file system26506a16168b4007c is then invoked with a similar --ch token:
| Observed Execution Commands |
|---|
| `C:\Users\<redacted>\AppData\Roaming\PDFast\upd.exe` -> `powershell -encodedCommand "WwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAiACQAZQBuAHYAOgBUAEUATQBQAC8AcABkAGYALwBwAGQAZgAuAGUAeABlACIALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBSAGEAdwAgACIAJABlAG4AdgA6AFQARQBNAFAALwBwAGQAZgAvAGYAaQBsAGUALgBiAGkAbgAiACkAKQApAA=="` (base64 decoded: `[IO.File]::WriteAllBytes("$env:TEMP/pdf/pdf.exe",[Convert]::FromBase64String((Get-Content -Raw "$env:TEMP/pdf/file.bin")))`) |
| `C:\Users\<redacted>\AppData\Roaming\PDFast\updater.exe /silentall -nofreqcheck -url "file://C:\Users\<redacted>\AppData\Local\Temp\updaterInfo.txt" -nogui` |
| `cd $env:TEMP/pdf .\pdf.exe --safetorun --ch=e0eb4eb47fec9ccfd25dc6ed40523dce4f9da2bb -x` |
| `powershell.exe "Start-Process -FilePath \"C:\Users\<redacted>\AppData\Local\Temp\system26506a16168b4007c\" -NoNewWindow -ArgumentList '-- safetorun','--ch=e0eb4eb47fec9ccfd25dc6ed40523dce4f9da2bb','-x' \| Wait-Process"` |
Once executed, the binary unpacks multiple files and subsequently executes recon checks on the affected system, including discovery of antivirus, firewall, and virtualization software:
| Observed Recon Commands |
|---|
| `powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct"` |
| `powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct"` |
| `C:\Windows\system32\cmd.exe /c "WMIC COMPUTERSYSTEM GET HypervisorPresent"` |
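The two tables above give a defender enough to build a first triage rule: decode the PowerShell `-encodedCommand` blob (base64 of UTF-16LE text) and look for the decode-and-drop step, the staged `--safetorun`/`--ch=` launch and the SecurityCenter2 and HypervisorPresent recon queries in process-creation telemetry. The script below is an added example, not Beazley Security's code; the parent image names and the `SAMPLE_EVENTS` list are constructed to mirror the observed commands, and the labels in `SIGNATURES` are our own naming.

```python
"""Triage process-creation command lines for the PDFast/PDFMaker updater
pattern: decode PowerShell -encodedCommand blobs (base64 of UTF-16LE text)
and label the drop step and the follow-on recon queries. Added example."""
import base64
import re

# -e, -enc, -encodedCommand (any prefix PowerShell accepts) followed by a blob.
ENC_RE = re.compile(r'-e[a-z]*\s+"?([A-Za-z0-9+/=]{16,})', re.I)

# Substrings lifted from the observed commands; a label fires only when every
# substring in its tuple is present. Label names are our own (assumption).
SIGNATURES = {
    "drop-from-base64": ("FromBase64String", "WriteAllBytes"),
    "av-discovery": ("SecurityCenter2", "AntivirusProduct"),
    "fw-discovery": ("SecurityCenter2", "FirewallProduct"),
    "vm-check": ("HypervisorPresent",),
    "staged-launch": ("--safetorun", "--ch="),
}

# Constructed (parent image, command line) pairs, not real telemetry; the
# encoded blob is the one shown in the Observed Execution Commands table.
SAMPLE_EVENTS = [
    (r"C:\Users\victim\AppData\Roaming\PDFast\upd.exe",
     'powershell -encodedCommand "WwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAiACQAZQBuAHYAOgBUAEUATQBQAC8AcABkAGYALwBwAGQAZgAuAGUAeABlACIALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBSAGEAdwAgACIAJABlAG4AdgA6AFQARQBNAFAALwBwAGQAZgAvAGYAaQBsAGUALgBiAGkAbgAiACkAKQApAA=="'),
    ("pdf.exe", 'powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct"'),
    ("pdf.exe", 'powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct"'),
    ("pdf.exe", r'C:\Windows\system32\cmd.exe /c "WMIC COMPUTERSYSTEM GET HypervisorPresent"'),
    ("upd.exe", r"cd $env:TEMP/pdf; .\pdf.exe --safetorun --ch=e0eb4eb47fec9ccfd25dc6ed40523dce4f9da2bb -x"),
    ("explorer.exe", 'powershell.exe "Get-Date"'),  # benign control event
]

def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -encodedCommand, or "" if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(cmdline: str) -> list[str]:
    """Labels whose substrings all occur in the command line or its decoded
    payload (case-insensitive, since PowerShell is)."""
    text = f"{cmdline} {decode_encoded_command(cmdline)}".lower()
    return [lab for lab, parts in SIGNATURES.items()
            if all(p.lower() in text for p in parts)]

def triage(events):
    """Return (parent, labels) for every event that matches at least one label."""
    return [(parent, labels) for parent, cmd in events if (labels := classify(cmd))]
```

Running `triage(SAMPLE_EVENTS)` flags five of the six constructed events and leaves the benign `Get-Date` launch alone; in practice the parent-image column is what turns these generic substrings into a high-confidence alert.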
It appears that the initial execution of the updater and the unpacked data is not triggered immediately on our test systems; however, we have yet to confirm the mechanism behind this behavior.
BSL is continuing to reverse engineer the suspicious payload and understand intent.
Indicators of Compromise (IoCs)
The following suspicious files and URLs were observed by Beazley Security MXDR teams:
| Indicator | Description |
|---|---|
| 24ea4798ad48c42092e5d690f784880b25608810 | system26506a16168b4007c (pe32) |
| bfb888526a5097a76f3abe1c31f83177f6182a44 | Pdf.exe |
| 8950965f40f30eb40d11de71754a4fe93b098f3d | PDFast.exe |
| 31E6B1BAE3793962034AB783512EABD5072BE3AE | Core.dll |
| 12B4B233D3A7E475BC36BC19EA93EAF9C22635E9 | PDFMaker.exe |
| E3626F240F6795D4E851E57F6E165927C20A881B | PDFRefresh.exe |
| 54224876EF6F7BCBDBDE12ADC2E0247A264CA6DA | 12ed364.msi |
| Webfreepdf[.]com | Domain |
| *.pdf-maker-data[.]com | Updater Domain |
| b.pdf-fast[.]com | Updater Domain |
| pdf-fast[.]com | Domain |
| searchsnfinds[.]com | Domain |
| fm760984@gmail[.]com | Signer email |
| mrauthan1992@gmail[.]com | Signer email |
Conclusion
While tricking users into downloading free commodity software is not a novel technique, cybercriminals will continue to use methods that work. By appealing to end users with a free tool that conveniently converts everyday documents, this method is a simple but effective way to gain a foothold in both home and enterprise networks.