April 18, 2025
PDFast Compromise
Beazley Security MXDR Teams recently observed a “free Word-to-PDF converter” exhibiting suspicious update activity across client environments.
Executive Summary
Beazley Security MXDR Teams recently observed a “free Word-to-PDF converter” exhibiting suspicious activity across multiple environments. While we are not the arbiters of quality, PDFast does not scream legitimacy. Once installed, the software attempted to run an unusual automated update routine that downloads and drops obfuscated files and launches PowerShell commands to check the environment's configuration. For a PDF converter tool, it also appears very concerned with whether it is executing inside a VM.
Beazley Security teams have implemented preventative measures against this threat, and Beazley Security MXDR client environments are protected.
PDFast PDF Conversion Tool
PDFast is a tool advertised as a PDF conversion tool. The website claims that PDFast can convert several file formats such as Microsoft Word and Excel into PDF formats. The tool also states it can convert PDF files into other editable formats such as Word and PowerPoint. PDFast can be freely downloaded from the website https[:]//pdf-fast[.]com/, as illustrated below.

Figure 1: PDFast website

Figure 2: PDFast features as advertised on website
The PDFast installer is packaged as an executable that unpacks a standard MSI file. From the sample Beazley Security Labs (BSL) downloaded, the PDFast installer appears to have been built very recently, around April 8th, 2025, and is signed by “AL STARE LLC,” with an email address of fm760984@gmail[.]com. The domain hosting the PDFast installer appears to have been created last year, in May of 2024. It cannot be discounted that the domain was purchased with forethought, to lure users into downloading this software.

Figure 3: PDFast Installer Information and domain registration
Suspect Update Routine
On investigation, Beazley Security MXDR discovered suspicious update activity from the software, specifically the updater process invoking a download of a base64-encoded binary. Once downloaded, this binary is decoded, written to disk as pdf.exe, and executed.

Figure 4: PDFast Suspicious Updater Execution
In testing, the pdf.exe binary would not execute and unpack its files unless it was given specific parameters, including a --safetorun switch followed by --ch and -x.
The unpacked PE file system26506a16168b4007c is then invoked with the same --ch token:
| Observed Execution Commands |
|---|
| C:\Users\<redacted>\AppData\Roaming\PDFast\upd.exe -> powershell -encodedCommand "WwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAiACQAZQBuAHYAOgBUAEUATQBQAC8AcABkAGYALwBwAGQAZgAuAGUAeABlACIALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBSAGEAdwAgACIAJABlAG4AdgA6AFQARQBNAFAALwBwAGQAZgAvAGYAaQBsAGUALgBiAGkAbgAiACkAKQApAA==" (base64 decoded: [IO.File]::WriteAllBytes("$env:TEMP/pdf/pdf.exe",[Convert]::FromBase64String((Get-Content -Raw "$env:TEMP/pdf/file.bin")))) |
| C:\Users\<redacted>\AppData\Roaming\PDFast\updater.exe /silentall -nofreqcheck -url "file://C:\Users\<redacted>\AppData\Local\Temp\updaterInfo.txt" -nogui |
| cd $env:TEMP/pdf .\pdf.exe --safetorun --ch=e0eb4eb47fec9ccfd25dc6ed40523dce4f9da2bb -x |
| powershell.exe "Start-Process -FilePath \"C:\Users\<redacted>\AppData\Local\Temp\system26506a16168b4007c\" -NoNewWindow -ArgumentList '-- safetorun','--ch=e0eb4eb47fec9ccfd25dc6ed40523dce4f9da2bb','-x' \| Wait-Process" |
Once executed, the binary unpacks multiple files and subsequently executes recon checks on the affected system, including discovery of antivirus, firewall, and virtualization software:
| Observed Recon Commands |
|---|
| powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct" |
| powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct" |
| C:\Windows\system32\cmd.exe /c "WMIC COMPUTERSYSTEM GET HypervisorPresent" |
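To show how the two command tables above translate into detection logic, here is an added Python example (not code from Beazley Security or from the report): it decodes the -encodedCommand argument quoted above (base64 of UTF-16LE text) and runs a few rules over a constructed set of process-creation events modelled on the observed chain. The event tuples, the benign control line and the rule names are my own assumptions.

```python
import base64
import re

# Encoded command quoted in the report (upd.exe launching powershell -encodedCommand).
OBSERVED_ENCODED = "WwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAiACQAZQBuAHYAOgBUAEUATQBQAC8AcABkAGYALwBwAGQAZgAuAGUAeABlACIALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBSAGEAdwAgACIAJABlAG4AdgA6AFQARQBNAFAALwBwAGQAZgAvAGYAaQBsAGUALgBiAGkAbgAiACkAKQApAA=="

# Constructed process-creation events (parent image, command line) modelled on the
# observed chain, plus one benign control line; parent paths are shortened to the image name.
SAMPLE_EVENTS = [
    ("upd.exe", 'powershell -encodedCommand "%s"' % OBSERVED_ENCODED),
    ("updater.exe", "cd $env:TEMP/pdf .\\pdf.exe --safetorun --ch=e0eb4eb47fec9ccfd25dc6ed40523dce4f9da2bb -x"),
    ("pdf.exe", 'powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct"'),
    ("pdf.exe", 'C:\\Windows\\system32\\cmd.exe /c "WMIC COMPUTERSYSTEM GET HypervisorPresent"'),
    ("explorer.exe", 'powershell.exe "Get-Date"'),
]

# -e, -ec, -enc and -encodedCommand are all accepted prefixes of the same PowerShell switch.
ENCODED_ARG = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]{16,})', re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -encodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Each rule: (name, predicate over the raw command line and its decoded payload, if any).
RULES = [
    ("base64 payload written to disk",
     lambda cmd, dec: dec is not None and "FromBase64String" in dec and "WriteAllBytes" in dec),
    ("pdf.exe loader switches",
     lambda cmd, dec: re.search(r"--\s?safetorun.*--ch=[0-9a-f]{40}", cmd, re.IGNORECASE) is not None),
    ("security product enumeration",
     lambda cmd, dec: "root/securitycenter2" in cmd.lower()),
    ("hypervisor presence check",
     lambda cmd, dec: "hypervisorpresent" in cmd.lower()),
]

def triage(events):
    """Return (parent, rule name, evidence) for every event matching a rule."""
    hits = []
    for parent, cmd in events:
        decoded = decode_encoded_command(cmd)
        for name, pred in RULES:
            if pred(cmd, decoded):
                hits.append((parent, name, decoded if decoded else cmd))
    return hits

if __name__ == "__main__":
    for parent, name, evidence in triage(SAMPLE_EVENTS):
        print("%-12s %-32s %s" % (parent, name, evidence))
```

The benign Get-Date line produces no hit; in a real pipeline the parent-image column is what ties the four hits to a single PDFast process tree.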
It appears that the initial execution of the updater and the unpacked payload was not triggered immediately on our test systems; we have yet to confirm what triggers this behavior.
BSL is continuing to reverse engineer the suspicious payload and understand intent.
Indicators of Compromise (IoCs)
The following suspicious files and URLs were observed by Beazley Security MXDR teams:
| Indicator | Description |
|---|---|
| 24ea4798ad48c42092e5d690f784880b25608810 | SHA-1, system26506a16168b4007c (PE32) |
| bfb888526a5097a76f3abe1c31f83177f6182a44 | SHA-1, Pdf.exe |
| 8950965f40f30eb40d11de71754a4fe93b098f3d | SHA-1, PDFast.exe |
| 31E6B1BAE3793962034AB783512EABD5072BE3AE | SHA-1, Core.dll |
| b.pdf-fast[.]com | Domain |
| pdf-fast[.]com | Domain |
| searchsnfinds[.]com | Domain |
| fm760984@gmail[.]com | Signer email |
Conclusion
While tricking users into downloading free commodity software is not a novel technique, cybercriminals will continue to use methods that work. By appealing to end users as a free tool for conveniently converting everyday documents, the method is a simple but effective way to gain a foothold in both home and enterprise networks.