Executive Summary

Online PDF converters have become essential tools in daily digital workflows. On March 17, 2025, the FBI's Denver field office issued an alert regarding malicious online file converters being used to distribute malware. This prompted CloudSEK's Security Research team to conduct an in-depth investigation into these threats to understand their mechanisms and develop protective measures.

‍

This report examines a sophisticated attack involving a malicious PDF-to-DOCX converter that impersonates the legitimate service pdfcandy.com. The threat actors meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users. The attack vector involves tricking victims into executing a PowerShell command that installs Arechclient2 malware, a variant of the dangerous SectopRAT information stealer family known for harvesting sensitive data from compromised systems.

‍

Our analysis details the technical aspects of this attack, the indicators of compromise, and provides actionable recommendations to help organizations and individuals protect themselves against such sophisticated social engineering tactics.

‍

‍

‍

Analysis

‍

‍

‍

Figures 2 and 3 showcase the landing and home pages of two identified malicious file conversion websites, both expertly impersonating the legitimate pdfcandy.com service. These fraudulent sites meticulously replicate pdfcandy.com's visual identity, including its logo and brand elements, creating a convincing facade. Upon arrival, users are immediately prompted to upload a PDF file for conversion to Word (.docx) format, exploiting a common file conversion need to initiate the attack vector.

Modus Operandi 

Upon initiating the PDF conversion process, the malicious website employs a series of sophisticated social engineering tactics to manipulate user behavior:

1. Simulated Processing: The site displays an animated loading sequence, creating the illusion of genuine file processing. This step is designed to build trust and lower the user's guard.
2. Immediate Captcha Prompt: Following the fake processing animation, the site abruptly presents a captcha verification dialog, as illustrated in Figure 4. This unexpected interruption serves multiple purposes:
   
   • It mimics legitimate security practices, further enhancing the site's perceived authenticity.
   • It creates a sense of urgency, potentially rushing the user into action without careful consideration.
   • The CAPTCHA acts as a pivotal interaction point where the malicious payload can be triggered.
3. Psychological Manipulation: By presenting familiar elements in an unexpected sequence, the attackers exploit the user's learned behaviors and expectations when interacting with web services.

This carefully crafted user flow demonstrates the attackers' understanding of human psychology and web design conventions, highlighting the sophisticated nature of this social engineering attack.

‍

‍

Following the deceptive CAPTCHA interaction, the website prompts users to execute a PowerShell command (shown below) with detailed instructions as illustrated in Figure 5—a critical point where social engineering transitions to system compromise.

‍

Technical Analysis 

Upon decoding the command, we discovered a sophisticated redirection chain designed to obscure the malware delivery process. The initial connection targets "bind-new-connect[.]click/santa/bee" disguised as a seemingly innocuous "https[://]bitly[.]cx[/]SMma" shortened URL. This redirect, shown in Figure 6, subsequently forwards to "https[://]bitly[.]cx[/]Www0" which then chains to "bind-new-connect[.]click/marmaris/later" - the actual endpoint serving the malicious "adobe.zip" payload. As per ThreatFox, the domain "bind-new-connect[.]click” is a known distributor of the ArechClient malware belonging to the SectopRAT family of information stealers. This sophisticated .NET-based Remote Access Trojan has been active since 2019 and possesses extensive capabilities for stealing sensitive data, including browser credentials and cryptocurrency wallet information.

‍

The malicious "adobe.zip" file was hosted on IP address 172[.]86[.]115[.]43, which has been flagged as malicious by multiple security vendors according to VirusTotal analysis. SectopRAT typically employs various distribution methods, including malvertising through Google Ads and fake application updates, to maximize infection rates.

The contents of the “adobe.zip” can be seen in Figure 7 above. This archive expands to a folder named “SoundBAND” and contains a malicious executable file “audiobit[.]exe”. The full malware analysis of this entire archive can be found in this ANY.RUN sandbox report. 

‍

The execution of "audiobit[.]exe" triggers a sophisticated multi-stage attack chain where "cmd[.]exe" is spawned, which subsequently launches "MSBuild[.]exe"—a legitimate Windows utility now weaponized to load and execute the ArechClient2 information stealer, as illustrated in Figure 9 below.

‍

‍

Indicators of Compromise (IOC)

‍

Recommendations for Protection

To protect against malicious file converters like the one analyzed in this report, organizations and individuals should:

1. Use only trusted, reputable file conversion tools from official websites rather than searching for "free online file converters".
2. Implement robust technical controls, including:
   
   • Keep antivirus/anti-malware software updated and scan all downloaded files before opening
   • Deploy endpoint detection and response (EDR) solutions to detect suspicious behaviors
   • Utilize DNS-level traffic filtering to block known malicious domains
   • Consider browser extensions that block malicious sites
3. Verify file types beyond just extensions, as malicious files often masquerade as legitimate document types.
4. Implement content disarm and reconstruction (CDR) technology to remove potentially embedded threats from documents.
5. Establish file upload restrictions in corporate environments, including limiting allowed file types and maximum file sizes.
6. Educate users to recognize warning signs of malicious converters, such as:
   
   • Requests to run PowerShell or command-line instructions
   • Suspicious URLs that mimic legitimate services with slight variations
   • Unexpected captcha verifications or additional downloads
7. Develop and regularly test incident response plans to quickly address infections when they occur.
8. Consider using offline conversion tools that don't require uploading files to remote servers.
9. If a system is potentially compromised:
   
   • Immediately isolate the affected device
   • Change all passwords using a clean device
   • Contact financial institutions to protect accounts
   • Report the incident to the appropriate authorities

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
• https://threatfox.abuse.ch/ioc/1451546/
• https://any.run/report/1da2b2004f63b11ab0d3f67cd1431742a1656460492bd4b42fd53d413e6e1570/5430cffd-2170-4d36-b589-1200c24ffb9c
• https://www.virustotal.com/gui/ip-address/172.86.115.43/detection
• https://www.virustotal.com/gui/file/1da2b2004f63b11ab0d3f67cd1431742a1656460492bd4b42fd53d413e6e1570/detection