{
	"id": "4722504b-b2e3-4fe8-93f8-ff470753c111",
	"created_at": "2026-04-06T00:12:43.700295Z",
	"updated_at": "2026-04-10T13:12:59.983378Z",
	"deleted_at": null,
	"sha1_hash": "20ed3316457ac850b69ea2092323b44eda8d92b5",
	"title": "PDFast But Luckily Not So Furious",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1161316,
	"plain_text": "PDFast But Luckily Not So Furious\r\nBy Ryan Hicks, Otavio Passoss\r\nPublished: 2025-05-12 · Archived: 2026-04-05 21:10:37 UTC\r\nKey Takeaways\r\nKroll has observed a wave of malicious activity surrounding “PDFast” software.\r\nThe updater file ran via a scheduled task, which downloaded and executed a binary from actor-controlled command and control (C2) domains through several PowerShell commands.\r\nKroll detections and security technologies contained and eradicated the threat before further malicious actions were taken.\r\nKroll analyzed this downloaded binary, named PDF.exe; it creates and executes a randomly named PyArmor-packed executable.\r\nIt is highly recommended to remove installations of PDFast and block the domains listed in the Indicator of Compromise table below.\r\nSince early April 2025, Kroll has observed a large wave of malicious activity surrounding \"PDFast\" software. Initial access for the campaign appeared to begin either through a new install of the application, through drive-by compromise on the site pdf-fast[.]com, or via pre-installed versions of the application that have since been updated with a malicious version.\r\nhttps://www.kroll.com/en/publications/cyber/pdfast-but-luckily-not-so-furious\r\nPage 1 of 5\r\n\r\nFigure 1: Contents of pdf-fast[.]com website on April 23, 2025\r\nIn each case, the malicious file (\"upd.exe\") was executed via a scheduled task that is set up during the initial installation, and it in turn executes several PowerShell commands.\r\nThe first PowerShell command attempts to download a \"pdf.bin\" file from a C2 domain that Kroll observed to be either \"varendot[.]com\" or \"everviaf[.]com\". 
This downloaded file is saved locally as \"file.bin\".\r\n\r\nFigure 2: Binary file downloaded from C2\r\nAnother PowerShell command is also executed that creates a directory named pdf inside the temporary files directory; if the folder already exists, it reads the recently downloaded \"file.bin\", which contains a Base64 string, decodes that string back into binary, and writes it as an executable file named pdf.exe.\r\nFigure 3: First PowerShell command\r\nPDF.exe Technical Analysis\r\nThe executable starts by checking whether the arguments provided contain the option --safetorun; if not, it simply exits. If the --safetorun option is present, the executable starts to operate on its PE resources.\r\nWhen pdf.exe is executed, one of its subroutines retrieves the size of its PE resource via the SizeofResource API, and that size is then used as the seed for the rand function within the executable.\r\nrand is important here: this function is responsible for creating the filename that will receive the contents of the next stage.\r\nFirst, the %TEMP% directory is retrieved by the executable, and the string \"%s\\\\system%da%db%dc\" is built with the fprintf function. Note that there are four format specifiers in the built string. The first, %s, receives %TEMP%, and the other three %d's each receive the output of a different rand call. The resulting string is similar to: system26506a16168b4007c.exe.\r\nAfter the process described above, there is a call to Sleep with the parameter 0x7530 (30000), making the malware \"hang\" for 30 seconds. 
In the meantime, the file system26506a16168b4007c.exe is written to the %TEMP% folder and is deleted right after the 30 seconds pass.\r\nFigure 4: Command to run \"system\" executable\r\n\r\nThis file, system26506a16168b4007c.exe, is a PyArmor-packed executable which, when unpacked, yields .pyc files, that is, compiled Python scripts in bytecode form.\r\nThis new file, when run by the PyArmor runtime, loads several DLLs and appears to execute Python content. It also runs WMIC commands to detect whether a hypervisor is present, which is likely anti-VM behavior to prevent sandbox analysis. Finally, Kroll observed the file deleting the Python files as a cleanup operation.\r\nFigure 5: Commands for gathering defense technology and VM awareness\r\nAnalysis\r\nSurveying the sectors impacted by this campaign so far shows healthcare as the most affected. At the time of writing, however, there is no evidence suggesting that the sector was targeted directly, and the concentration is likely coincidental. This is based on the drive-by nature of the compromise and the generic lure (PDF conversion), which is not specifically focused on healthcare. It is likely that, as more data is collected, the spread of impacted sectors will grow.\r\n\r\nFigure 6: PDFast campaign sectors impacted\r\nSource: https://www.kroll.com/en/publications/cyber/pdfast-but-luckily-not-so-furious",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kroll.com/en/publications/cyber/pdfast-but-luckily-not-so-furious"
	],
	"report_names": [
		"pdfast-but-luckily-not-so-furious"
	],
	"threat_actors": [],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20ed3316457ac850b69ea2092323b44eda8d92b5.pdf",
		"text": "https://archive.orkl.eu/20ed3316457ac850b69ea2092323b44eda8d92b5.txt",
		"img": "https://archive.orkl.eu/20ed3316457ac850b69ea2092323b44eda8d92b5.jpg"
	}
}