PDF files with embedded docm files now deliver Jaff Ransomware


Adding to the havoc created by the recent outbreak of the WannaCry ransomware is a new entry to the list of encrypting ransomware, called ‘Jaff’. Reportedly, this variant has been created by the authors of the Locky ransomware. It is being distributed by the Necurs botnet, which uses PDF files with embedded .docm files to deliver the malware.

Read more about WannaCry Ransomware

Although its appearance was overshadowed by WannaCry, known as the world’s biggest ransomware attack, the Jaff ransomware has kept a persistent presence in the wild. In this attack, spam emails are sent to victims carrying nm.pdf as an attachment (the file name was changed to a random number followed by .pdf in later mails), and the PDF contains embedded .docm files.

In earlier incidents, such unprecedented spam campaigns were observed delivering the Dridex Banking malware and then Locky ransomware.

How the Jaff ransomware attack happens

1) The targeted victim will receive an email attachment. This may have keywords such as ‘document’, ‘copy’, ‘scan’, etc., in the subject line as shown below.

Fig 1

2) In the above screenshot, the attached nm.pdf contains embedded objects with names such as ‘U3JPCNQ.docm’, ‘TZLEHYM.docm’, etc.

Fig 2

3) Once the victim opens the PDF file, Adobe Reader displays a warning stating that the file contains an attachment which may contain viruses or macros.

Fig 3

4) If the user selects ‘Open this file’, the .docm file opens in Word with the ‘Enable Content’ prompt.

Fig 4

5) Once the macro is enabled, it tries to communicate with the hosts stored in an array, as shown below (Fig 4). It contacts the hosts one by one; as soon as any host responds, it downloads the malicious payload and infects the system with the Jaff ransomware. Otherwise, it keeps trying the remaining hosts until it gets a response.

Fig 5

Command and control server communication


Fig 6

6) The downloaded malicious executable starts encrypting the files stored on the victim’s computer with AES encryption and appends the ‘.JAFF’ extension to these files before displaying a ransom note, as shown below. Reportedly, Jaff demands a ransom of $3,300, which is 10 times the $300 demanded by the WannaCry ransomware.

Fig 7


Fig 8

Fig 9

Currently, files encrypted by the Jaff ransomware cannot be decrypted.
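The delivery vehicle described in steps 2 to 4 is a PDF whose /EmbeddedFile attachment is a macro-enabled Word document. The following added example (not code from Quick Heal or the original post) shows how a mail gateway or triage script can flag such PDFs before a user ever sees the Adobe Reader prompt; the sample PDF bytes are constructed here and only borrow the attachment name ‘U3JPCNQ.docm’ from the post.

```python
import re

# Constructed minimal PDF modelled on the described nm.pdf: one /Filespec
# pointing at an /EmbeddedFile whose payload is a ZIP (a .docm is a ZIP).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (U3JPCNQ.docm) /UF (U3JPCNQ.docm) /EF << /F 6 0 R >> >> endobj
5 0 obj << /Names [(U3JPCNQ.docm) 4 0 R] >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Constructed PDF with no attachments, for contrast.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# Office formats that can carry VBA macros.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(.*?)endobj", re.S)
NAME_RE = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")

def has_embedded_files(pdf_bytes):
    """True if the PDF declares any embedded-file stream at all."""
    return b"/EmbeddedFile" in pdf_bytes

def embedded_filenames(pdf_bytes):
    """Collect the names declared in /Filespec dictionaries (/F and /UF keys).
    Note: this is a raw-byte scan; names inside compressed object streams or
    written as hex strings would be missed, so treat a miss as 'unknown'."""
    names = []
    for spec in FILESPEC_RE.finditer(pdf_bytes):
        for raw in NAME_RE.findall(spec.group(1)):
            name = raw.decode("latin-1")
            if name not in names:
                names.append(name)
    return names

def suspicious_attachments(pdf_bytes):
    """Embedded file names whose extension implies a macro-enabled document."""
    return [n for n in embedded_filenames(pdf_bytes) if n.lower().endswith(MACRO_EXTS)]

def triage(pdf_bytes):
    """BLOCK a PDF with macro-enabled attachments, REVIEW any other embedded
    file, otherwise CLEAN."""
    if suspicious_attachments(pdf_bytes):
        return "BLOCK"
    if has_embedded_files(pdf_bytes):
        return "REVIEW"
    return "CLEAN"
```

An attachment renamed to a harmless extension still lands in REVIEW because the /EmbeddedFile check is independent of the declared name.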

Malicious URLs observed


How Quick Heal helps

1) Quick Heal’s Email Security feature detects and deletes malicious email attachments, such as the ones observed in the case of the Jaff ransomware, before they can be opened and infect the system.

Fig 10

2) Quick Heal successfully detects both the malicious PDF and the embedded .docm files.

3) The Ransomware Protection feature of Quick Heal detects and prevents encryption activity performed by the Jaff ransomware.

Fig 11

How to stay protected against ransomware attacks

  1. Never open email attachments with double extensions such as .doc.js and .doc.vbs; these are very likely to contain malware. Set the Windows folder options to show extensions for known file types so that such files can be identified.
  2. Ensure that all Microsoft Office documents and PDF files received as email attachments are opened in ‘Protected View’.
  3. Never download attachments or click on links in emails received from unknown, unwanted or unexpected sources.
  4. Don’t respond to pop-up notifications or alerts while visiting unfamiliar websites.
  5. Apply all recommended security updates to your OS, software, and Internet browsers, if not already done.
  6. Have antivirus software installed on your computer that efficiently blocks spam and malicious emails, and automatically restricts access to malicious websites.



Subject Matter Expert
Smita Kuyte | Quick Heal Security Labs
