2017-05-16 Malspam Emailing:#####.pdf.pdf
AI Analysis
Technical Summary
This entry describes a malspam campaign dated May 16, 2017 that distributed emails carrying attachments named in the pattern "#####.pdf.pdf". The campaign is associated with the Jaff ransomware family, a known strain that encrypts victims' files and demands payment for decryption. The emails likely carry malicious PDF attachments or links that, when opened, execute the ransomware payload or drop artifacts that facilitate its execution. Specific technical details are sparse, but the source's categorization under "artifacts dropped" and "network activity" suggests the malware drops additional files and communicates with command and control servers to receive instructions or encryption keys. The source lists no known exploits in the wild and no patches, which indicates the campaign relies on social engineering and user interaction rather than on a software vulnerability. The source rates the severity as low, but, as with any ransomware, the impact of a successful infection can be significant. The absence of affected versions and detailed technical indicators limits precise analysis, but the association with Jaff implies typical ransomware behaviour: file encryption, ransom note deployment, and potential lateral movement within networks.
Potential Impact
For European organizations, this threat poses a risk primarily through phishing and social engineering. If a user opens the malicious PDF attachment, the ransomware can encrypt critical files, leading to operational disruption, data loss, and the financial cost of ransom payments or recovery. Sectors that depend heavily on data availability and integrity, such as healthcare, finance, and critical infrastructure, could face severe consequences. The recorded network activity also indicates potential for spreading within corporate networks, which widens the scope of impact. The low severity rating may reflect limited distribution or effectiveness at the time, but ransomware remains a persistent threat in Europe, where organizations are frequently targeted because of the high value of their data and a regulatory environment that emphasizes data protection. With no patch to apply, mitigation relies heavily on user awareness and preventive controls. A successful infection could also cause reputational damage and regulatory penalties under GDPR if personal data is affected.
Mitigation Recommendations
To mitigate this threat, European organizations should implement targeted measures beyond generic advice:
1) Enhance email filtering to detect and quarantine suspicious attachments, especially those with double extensions like ".pdf.pdf".
2) Conduct regular, scenario-based phishing awareness training emphasizing the risks of opening unexpected attachments and verifying sender authenticity.
3) Deploy endpoint detection and response (EDR) solutions capable of identifying ransomware behaviors such as unauthorized file encryption and suspicious process spawning.
4) Implement strict application whitelisting to prevent execution of unauthorized binaries dropped by malicious PDFs.
5) Enforce network segmentation to limit lateral movement if ransomware executes.
6) Maintain offline, immutable backups tested regularly to ensure rapid recovery without paying ransom.
7) Monitor network traffic for unusual outbound connections indicative of command and control communication.
8) Establish incident response plans specifically addressing ransomware scenarios, including legal and communication strategies.
These focused steps will reduce the likelihood of successful infection and limit damage if an attack occurs.
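The following triage helper is an added example, not part of the original report or of any vendor tooling: it applies recommendations 1) and 7) above to log data by flagging attachment names with a doubled extension, matching attachment hashes against the hashes listed in this entry, and matching requested URLs against the entry's domains and the shared "/Nbiyure3" payload path. The IoC values are copied from this entry's indicator list; the mail-log and proxy-log formats and lines are constructed for the demonstration, and the extension set used to generalize the ".pdf.pdf" rule to other document/script/executable pairs is an assumption.

```python
"""Triage helper for the mail-filtering and outbound-monitoring steps above.
Added example, not part of the original report. IoC values are copied from
the report's indicator list; log formats and log lines are constructed."""
import re
from urllib.parse import urlsplit

# Domains listed in the report's IoC section.
IOC_DOMAINS = {
    "beautyandearth.com", "biarritzru.com", "bioferme.biz", "daweizhi.com",
    "dodawanie.com", "herrossoidffr6644qa.top", "jomoba35.com",
    "joshcomeauxhair.com", "jsplast.ru", "juvadent.de", "opearl.net",
    "outdoor-sauerland.de", "personalizar.net", "playmindltd.com",
    "reefclub.ru", "ripasso.nl", "sjffonrvcik45bd.info", "tidytrend.com",
    "titanmachinery.com.au", "tomcarservice.it", "valpit.ru", "ventrust.ro",
    "vipan-photography.com", "wizbam.com", "eesiiuroffde445.com",
}
# Every download URL in the report ends in the same path segment.
IOC_PATH_RE = re.compile(r"/Nbiyure3(?:$|[/?#])")
# SHA-256 / SHA-1 / MD5 values from the report (lower-case hex).
IOC_HASHES = {
    "ed8ed2f15cc120d56101f9278d2b7a90", "3564428de04f35a9a9c7b1828d60edce",
    "e79e31c6caee2d64b25588337e979eab", "c2a760c6461449ac1d5a5538242bed11",
    "2b2c0737949a56528b0834f642ff2635",
    "fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e",
    "387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092",
    "aca726cb504599206e66823ff2863eb80c6a5f16ff71ca9fcdd907ad39b2d852",
    "ae7f1496e098b24ed52f3796b2751e31300c1f414cdb9852ccb42dfdc261c98d",
    "04cdba9177bcb633604469e09c5d9348719706ea86f3cdd0aaaf5cb4c6b0dece",
    "2c8ea5c1957ab9ccf4afd255aeea47f13e278814",
    "59684c6261afc698c0f6a46658986f0268f4c5a0",
    "f0105d132d880d602b37912d93abb712b2b281d8",
    "a081c02d29b46053c1db0d7ec09012e438e091dc",
    "c6bce7cb230669ce15ec0513e4769bf82f94f1f2",
}
# Generalisation of the report's ".pdf.pdf" pattern (the extension set is an
# assumption): flag names whose last two suffixes are both risky file types.
_EXT = r"(?:pdf|docx?|docm|xlsx?|xlsm|rtf|zip|js|jse|vbs|wsf|scr|exe)"
DOUBLE_EXT_RE = re.compile(rf"\.{_EXT}\.{_EXT}$", re.IGNORECASE)

# Constructed log formats: one attachment per mail-log line, one request per proxy line.
MAIL_RE = re.compile(r'attachment="(?P<name>[^"]+)"(?:\s+sha256=(?P<sha>[0-9a-fA-F]{64}))?')
PROXY_RE = re.compile(r"\s(?:GET|POST)\s+(?P<url>\S+)")


def classify_attachment(name):
    """Return 'double-extension' for names like 12345.pdf.pdf, else None."""
    return "double-extension" if DOUBLE_EXT_RE.search(name) else None


def check_hash(value):
    """True when a file hash matches one listed in the report."""
    return value.lower() in IOC_HASHES


def check_url(url):
    """Return the IoC reasons a requested URL triggers (possibly none)."""
    if "://" not in url:          # the report also lists scheme-less URLs
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    if IOC_PATH_RE.search(parts.path):
        reasons.append("ioc-path")
    return reasons


def triage(mail_lines, proxy_lines):
    """Run both checks; return (source, line_no, value, reasons) per hit."""
    findings = []
    for n, line in enumerate(mail_lines, 1):
        m = MAIL_RE.search(line)
        if not m:
            continue
        reasons = []
        tag = classify_attachment(m["name"])
        if tag:
            reasons.append(tag)
        if m["sha"] and check_hash(m["sha"]):
            reasons.append("ioc-hash")
        if reasons:
            findings.append(("mail", n, m["name"], reasons))
    for n, line in enumerate(proxy_lines, 1):
        m = PROXY_RE.search(line)
        if m and (reasons := check_url(m["url"])):
            findings.append(("proxy", n, m["url"], reasons))
    return findings


# Constructed sample logs (not real traffic); the hash on line 1 is from the report.
MAIL_LOG = [
    '2017-05-16T08:12:03Z from=<billing@sender.invalid> attachment="48127.pdf.pdf" '
    'sha256=fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e',
    '2017-05-16T08:14:41Z from=<hr@corp.invalid> attachment="Q2-report.pdf"',
    '2017-05-16T08:15:02Z from=<dev@corp.invalid> attachment="build.tar.gz"',
    '2017-05-16T08:17:55Z from=<scan@sender.invalid> attachment="scan.pdf.exe"',
]
PROXY_LOG = [
    "2017-05-16T08:13:10Z client=10.0.0.5 GET http://wizbam.com/Nbiyure3 200",
    "2017-05-16T08:13:12Z client=10.0.0.5 GET http://cdn.other.invalid/Nbiyure3 404",
    "2017-05-16T08:20:00Z client=10.0.0.9 GET https://intranet.corp.invalid/index.html 200",
    "2017-05-16T08:21:30Z client=10.0.0.7 GET wizbam.com/Nbiyure3 200",
]

if __name__ == "__main__":
    for source, n, value, reasons in triage(MAIL_LOG, PROXY_LOG):
        print(f"{source} line {n}: {value} -> {', '.join(reasons)}")
```

The path check is deliberately separate from the domain check: the report shows the same "/Nbiyure3" path on 25 unrelated compromised hosts, so a request for that path on a host not yet in the list is still worth a look, while the "build.tar.gz" line shows why the double-extension rule is restricted to a set of risky types rather than any two suffixes.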
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Uuid: 591bfe00-bb40-4958-9c33-4b87950d210f
- Original Timestamp: 1751529720
Indicators of Compromise
Hash
| Value | Description |
|---|---|
| ed8ed2f15cc120d56101f9278d2b7a90 | — |
| 3564428de04f35a9a9c7b1828d60edce | — |
| e79e31c6caee2d64b25588337e979eab | — |
| c2a760c6461449ac1d5a5538242bed11 | — |
| 2b2c0737949a56528b0834f642ff2635 | — |
| fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e | — |
| 2c8ea5c1957ab9ccf4afd255aeea47f13e278814 | Xchecked via VT: fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e |
| 387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092 | Xchecked via VT: c2a760c6461449ac1d5a5538242bed11 |
| 59684c6261afc698c0f6a46658986f0268f4c5a0 | Xchecked via VT: c2a760c6461449ac1d5a5538242bed11 |
| aca726cb504599206e66823ff2863eb80c6a5f16ff71ca9fcdd907ad39b2d852 | Xchecked via VT: e79e31c6caee2d64b25588337e979eab |
| f0105d132d880d602b37912d93abb712b2b281d8 | Xchecked via VT: e79e31c6caee2d64b25588337e979eab |
| ae7f1496e098b24ed52f3796b2751e31300c1f414cdb9852ccb42dfdc261c98d | Xchecked via VT: 3564428de04f35a9a9c7b1828d60edce |
| a081c02d29b46053c1db0d7ec09012e438e091dc | Xchecked via VT: 3564428de04f35a9a9c7b1828d60edce |
| 04cdba9177bcb633604469e09c5d9348719706ea86f3cdd0aaaf5cb4c6b0dece | Xchecked via VT: ed8ed2f15cc120d56101f9278d2b7a90 |
| c6bce7cb230669ce15ec0513e4769bf82f94f1f2 | Xchecked via VT: ed8ed2f15cc120d56101f9278d2b7a90 |
Url
| Value | Description |
|---|---|
| http://beautyandearth.com/Nbiyure3 | — |
| http://biarritzru.com/Nbiyure3 | — |
| http://bioferme.biz/Nbiyure3 | — |
| http://daweizhi.com/Nbiyure3 | — |
| http://dodawanie.com/Nbiyure3 | — |
| http://herrossoidffr6644qa.top/af/Nbiyure3 | — |
| http://jomoba35.com/Nbiyure3 | — |
| http://joshcomeauxhair.com/Nbiyure3 | — |
| http://jsplast.ru/Nbiyure3 | — |
| http://juvadent.de/Nbiyure3 | — |
| http://opearl.net/Nbiyure3 | — |
| http://outdoor-sauerland.de/Nbiyure3 | — |
| http://personalizar.net/Nbiyure3 | — |
| http://playmindltd.com/Nbiyure3 | — |
| http://reefclub.ru/Nbiyure3 | — |
| http://ripasso.nl/Nbiyure3 | — |
| http://sjffonrvcik45bd.info/af/Nbiyure3 | — |
| http://tidytrend.com/Nbiyure3 | — |
| http://titanmachinery.com.au/Nbiyure3 | — |
| http://tomcarservice.it/Nbiyure3 | — |
| http://valpit.ru/Nbiyure3 | — |
| http://ventrust.ro/Nbiyure3 | — |
| http://vipan-photography.com/Nbiyure3 | — |
| http://wizbam.com/Nbiyure3 | — |
| http://eesiiuroffde445.com/a5/ | — |
| wizbam.com/Nbiyure3 | — |
| eesiiuroffde445.com/a5/ | — |
Domain
| Value | Description |
|---|---|
| beautyandearth.com | — |
| biarritzru.com | — |
| bioferme.biz | — |
| daweizhi.com | — |
| dodawanie.com | — |
| herrossoidffr6644qa.top | — |
| jomoba35.com | — |
| joshcomeauxhair.com | — |
| jsplast.ru | — |
| juvadent.de | — |
| opearl.net | — |
| outdoor-sauerland.de | — |
| personalizar.net | — |
| playmindltd.com | — |
| reefclub.ru | — |
| ripasso.nl | — |
| sjffonrvcik45bd.info | — |
| tidytrend.com | — |
| titanmachinery.com.au | — |
| tomcarservice.it | — |
| valpit.ru | — |
| ventrust.ro | — |
| vipan-photography.com | — |
| wizbam.com | — |
| eesiiuroffde445.com | — |
Ip
| Value | Description (associated domain) |
|---|---|
| 108.167.156.28 | beautyandearth.com |
| 81.177.141.58 | biarritzru.com |
| 219.118.71.133 | bioferme.biz |
| 115.29.111.183 | daweizhi.com |
| 185.23.21.13 | dodawanie.com |
| 185.23.21.123 | dodawanie.com |
| 34.209.214.237 | herrossoidffr6644qa.top |
| 143.95.239.78 | jomoba35.com |
| 107.180.13.247 | joshcomeauxhair.com |
| 194.58.119.16 | jsplast.ru |
| 80.150.6.143 | juvadent.de |
| 120.76.230.45 | opearl.net |
| 81.169.145.172 | outdoor-sauerland.de |
| 81.88.57.70 | personalizar.net |
| 103.63.135.197 | playmindltd.com |
| 79.137.163.53 | reefclub.ru |
| 109.70.4.32 | ripasso.nl |
| 107.180.26.179 | tidytrend.com |
| 101.0.99.38 | titanmachinery.com.au |
| 92.245.188.95 | tomcarservice.it |
| 109.70.26.37 | valpit.ru |
| 194.85.61.76 | valpit.ru |
| 176.223.209.5 | ventrust.ro |
| 188.65.115.35 | vipan-photography.com |
| 107.180.48.250 | wizbam.com |
| 47.91.107.213 | eesiiuroffde445.com |
Link
| Value | Description |
|---|---|
| https://www.virustotal.com/en/file/fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e/analysis/1494930087/ | — |
| https://malwr.com/submission/status/MmY0ZTQ2ODQzZjNhNDlkNzkyZjJiNDUwZmUzMmRjMGY/ | — |
| https://www.hybrid-analysis.com/sample/fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e?environmentId=100 | — |
| https://www.virustotal.com/file/fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e/analysis/1494948925/ | Xchecked via VT: fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e |
| https://www.virustotal.com/file/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092/analysis/1495000686/ | Xchecked via VT: c2a760c6461449ac1d5a5538242bed11 |
| https://www.virustotal.com/file/aca726cb504599206e66823ff2863eb80c6a5f16ff71ca9fcdd907ad39b2d852/analysis/1494969979/ | Xchecked via VT: e79e31c6caee2d64b25588337e979eab |
| https://www.virustotal.com/file/ae7f1496e098b24ed52f3796b2751e31300c1f414cdb9852ccb42dfdc261c98d/analysis/1495008698/ | Xchecked via VT: 3564428de04f35a9a9c7b1828d60edce |
| https://www.virustotal.com/file/04cdba9177bcb633604469e09c5d9348719706ea86f3cdd0aaaf5cb4c6b0dece/analysis/1494994547/ | Xchecked via VT: ed8ed2f15cc120d56101f9278d2b7a90 |
Threat ID: 686680ff6f40f0eb72968329
Added to database: 7/3/2025, 1:09:19 PM
Last enriched: 7/20/2025, 9:08:05 PM
Last updated: 8/21/2025, 11:44:30 AM