2017-05-16 Malspam Emailing:#####.pdf.pdf
AI Analysis
Technical Summary
The provided information describes a malspam campaign dated May 16, 2017, distributing emails with attachments named in the pattern "#####.pdf.pdf". The campaign is attributed to the Jaff ransomware family, a strain that encrypts victims' files and demands payment for decryption. The emails likely carry malicious PDF attachments, or files masquerading as PDFs, that execute or drop the ransomware payload when opened. The campaign is characterized by artifacts dropped on infected systems and by network activity typical of ransomware, such as communication with command-and-control servers for key exchange or payment instructions. Specific technical details such as the exploit vector or any vulnerability exploited are not provided, but the modus operandi matches typical ransomware distribution via phishing emails with malicious attachments. No patches apply and no exploit of a software vulnerability is reported for this campaign, which suggests the infection vector relies on social engineering rather than software flaws. The source marks the severity as low, but given the ransomware association the impact can be significant if an infection succeeds. The absence of a CVSS score and of detailed technical indicators limits a precise severity assessment, yet the threat remains relevant because of the destructive nature of ransomware.
Potential Impact
For European organizations, this threat poses a risk primarily through successful phishing attempts that lead to ransomware infection. The impact includes loss of data confidentiality and integrity through file encryption, operational disruption from system downtime, and financial costs from ransom payments and recovery efforts. Sectors with a high reliance on data availability, such as healthcare, finance, and critical infrastructure, could face severe consequences. Reputational damage and regulatory exposure under GDPR for data breaches or loss could further exacerbate the impact. Although the campaign dates back to 2017, the same ransomware distribution methods remain prevalent, and organizations with insufficient email security controls or user awareness remain vulnerable. The low severity rating may reflect the limited spread or effectiveness of this particular campaign, but the underlying ransomware threat remains a significant concern.
Mitigation Recommendations
To mitigate this threat, European organizations should deploy email filtering capable of detecting and quarantining malicious attachments, especially those with suspicious double extensions such as '.pdf.pdf'. User training programs must emphasize recognizing phishing emails and the risks of opening unexpected attachments. Endpoint protection platforms should be configured to detect ransomware behaviors and block execution of unauthorized scripts or binaries. Network segmentation can limit the spread of ransomware if an infection occurs. Regular, tested backups stored offline or in immutable storage are critical to recovering without paying a ransom. Organizations should also maintain up-to-date threat intelligence feeds to identify emerging ransomware campaigns and their indicators of compromise. Since no patches apply to this campaign, the focus should be on prevention through user awareness, email hygiene, and robust endpoint defenses. Incident response plans should include ransomware-specific procedures to minimize downtime and data loss.
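One way to operationalize the attachment and indicator checks above, as an added Python example that is not part of the original report: it parses a constructed email, flags attachments whose name carries a decoy extension hiding the real one (the '.pdf.pdf' pattern and variants), hashes each attachment against the MD5/SHA-256 values listed in the indicator tables, and matches constructed proxy log lines against a subset of the listed payload domains. The sample message, the log lines, the log format regex and the set of decoy extensions are assumptions made for the example.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Sample hashes (MD5 and SHA-256) taken from the indicator tables of this report.
IOC_HASHES = {
    "ed8ed2f15cc120d56101f9278d2b7a90",
    "3564428de04f35a9a9c7b1828d60edce",
    "e79e31c6caee2d64b25588337e979eab",
    "c2a760c6461449ac1d5a5538242bed11",
    "2b2c0737949a56528b0834f642ff2635",
    "fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e",
}

# Subset of the payload-hosting domains from the report; extend with the full list in production.
IOC_DOMAINS = {
    "beautyandearth.com",
    "wizbam.com",
    "eesiiuroffde445.com",
    "herrossoidffr6644qa.top",
}

# A decoy document/image extension followed by a second, final extension (assumed decoy set).
# Matches "12345.pdf.pdf" and "invoice.pdf.exe"; does not match "report.tar.gz" or "invoice.pdf".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{1,5}$")

# Assumed proxy log layout: "<timestamp> <client-ip> <url> <status>".
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<src>\S+) (?P<url>https?://\S+)")


def has_double_extension(filename: str) -> bool:
    """True when the file name ends in a decoy extension followed by another extension."""
    return DOUBLE_EXT.search(filename.lower()) is not None


def scan_email(raw: bytes) -> list:
    """Return one finding per suspicious attachment: name, hashes and the reasons it was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        md5 = hashlib.md5(payload).hexdigest()
        sha256 = hashlib.sha256(payload).hexdigest()
        reasons = []
        if has_double_extension(fname):
            reasons.append("double extension")
        if md5 in IOC_HASHES or sha256 in IOC_HASHES:
            reasons.append("hash matches known sample")
        if reasons:
            findings.append({"filename": fname, "md5": md5, "sha256": sha256, "reasons": reasons})
    return findings


def match_proxy_log(lines) -> list:
    """Return (client, host) pairs for requests whose host is, or is under, a listed domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((m.group("src"), host))
    return hits


# Constructed message: the attachment bytes are placeholders, not a real sample.
SAMPLE_EMAIL = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="12345.pdf.pdf"\r\n'
    b'Content-Disposition: attachment; filename="12345.pdf.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"JVBERi0xLjQKJeLjz9MK\r\n"
    b"--b1\r\n"
    b'Content-Type: application/gzip; name="report.tar.gz"\r\n'
    b'Content-Disposition: attachment; filename="report.tar.gz"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"H4sIAAAAAAAAAw==\r\n"
    b"--b1--\r\n"
)

# Constructed proxy log lines; the URLs are the ones listed in the report.
SAMPLE_LOG = [
    "2017-05-16T09:12:01Z 10.0.0.5 http://wizbam.com/Nbiyure3 200",
    "2017-05-16T09:12:03Z 10.0.0.5 http://www.example.com/index.html 200",
    "2017-05-16T09:14:20Z 10.0.0.7 http://eesiiuroffde445.com/a5/ 200",
]

if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL):
        print(f"ATTACHMENT {f['filename']}: {', '.join(f['reasons'])} (md5 {f['md5']})")
    for client, host in match_proxy_log(SAMPLE_LOG):
        print(f"PROXY {client} contacted listed domain {host}")
```

The hash check only matches the exact samples listed here, so it is a confirmation signal rather than a primary control; the double-extension rule and the domain match are what catch variants of the same lure and the same payload hosts.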
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- UUID: 591bfe00-bb40-4958-9c33-4b87950d210f
- Original timestamp: 1751529720
Indicators of Compromise
Hash
Value | Description |
---|---|
ed8ed2f15cc120d56101f9278d2b7a90 | |
3564428de04f35a9a9c7b1828d60edce | |
e79e31c6caee2d64b25588337e979eab | |
c2a760c6461449ac1d5a5538242bed11 | |
2b2c0737949a56528b0834f642ff2635 | |
fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e | |
2c8ea5c1957ab9ccf4afd255aeea47f13e278814 | Cross-checked via VT: fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e |
387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092 | Cross-checked via VT: c2a760c6461449ac1d5a5538242bed11 |
59684c6261afc698c0f6a46658986f0268f4c5a0 | Cross-checked via VT: c2a760c6461449ac1d5a5538242bed11 |
aca726cb504599206e66823ff2863eb80c6a5f16ff71ca9fcdd907ad39b2d852 | Cross-checked via VT: e79e31c6caee2d64b25588337e979eab |
f0105d132d880d602b37912d93abb712b2b281d8 | Cross-checked via VT: e79e31c6caee2d64b25588337e979eab |
ae7f1496e098b24ed52f3796b2751e31300c1f414cdb9852ccb42dfdc261c98d | Cross-checked via VT: 3564428de04f35a9a9c7b1828d60edce |
a081c02d29b46053c1db0d7ec09012e438e091dc | Cross-checked via VT: 3564428de04f35a9a9c7b1828d60edce |
04cdba9177bcb633604469e09c5d9348719706ea86f3cdd0aaaf5cb4c6b0dece | Cross-checked via VT: ed8ed2f15cc120d56101f9278d2b7a90 |
c6bce7cb230669ce15ec0513e4769bf82f94f1f2 | Cross-checked via VT: ed8ed2f15cc120d56101f9278d2b7a90 |
URL
Value | Description |
---|---|
http://beautyandearth.com/Nbiyure3 | |
http://biarritzru.com/Nbiyure3 | |
http://bioferme.biz/Nbiyure3 | |
http://daweizhi.com/Nbiyure3 | |
http://dodawanie.com/Nbiyure3 | |
http://herrossoidffr6644qa.top/af/Nbiyure3 | |
http://jomoba35.com/Nbiyure3 | |
http://joshcomeauxhair.com/Nbiyure3 | |
http://jsplast.ru/Nbiyure3 | |
http://juvadent.de/Nbiyure3 | |
http://opearl.net/Nbiyure3 | |
http://outdoor-sauerland.de/Nbiyure3 | |
http://personalizar.net/Nbiyure3 | |
http://playmindltd.com/Nbiyure3 | |
http://reefclub.ru/Nbiyure3 | |
http://ripasso.nl/Nbiyure3 | |
http://sjffonrvcik45bd.info/af/Nbiyure3 | |
http://tidytrend.com/Nbiyure3 | |
http://titanmachinery.com.au/Nbiyure3 | |
http://tomcarservice.it/Nbiyure3 | |
http://valpit.ru/Nbiyure3 | |
http://ventrust.ro/Nbiyure3 | |
http://vipan-photography.com/Nbiyure3 | |
http://wizbam.com/Nbiyure3 | |
http://eesiiuroffde445.com/a5/ | |
wizbam.com/Nbiyure3 | |
eesiiuroffde445.com/a5/ | |
Domain
Value | Description |
---|---|
beautyandearth.com | |
biarritzru.com | |
bioferme.biz | |
daweizhi.com | |
dodawanie.com | |
herrossoidffr6644qa.top | |
jomoba35.com | |
joshcomeauxhair.com | |
jsplast.ru | |
juvadent.de | |
opearl.net | |
outdoor-sauerland.de | |
personalizar.net | |
playmindltd.com | |
reefclub.ru | |
ripasso.nl | |
sjffonrvcik45bd.info | |
tidytrend.com | |
titanmachinery.com.au | |
tomcarservice.it | |
valpit.ru | |
ventrust.ro | |
vipan-photography.com | |
wizbam.com | |
eesiiuroffde445.com | |
IP
Value | Description |
---|---|
108.167.156.28 | beautyandearth.com |
81.177.141.58 | biarritzru.com |
219.118.71.133 | bioferme.biz |
115.29.111.183 | daweizhi.com |
185.23.21.13 | dodawanie.com |
185.23.21.123 | dodawanie.com |
34.209.214.237 | herrossoidffr6644qa.top |
143.95.239.78 | jomoba35.com |
107.180.13.247 | joshcomeauxhair.com |
194.58.119.16 | jsplast.ru |
80.150.6.143 | juvadent.de |
120.76.230.45 | opearl.net |
81.169.145.172 | outdoor-sauerland.de |
81.88.57.70 | personalizar.net |
103.63.135.197 | playmindltd.com |
79.137.163.53 | reefclub.ru |
109.70.4.32 | ripasso.nl |
107.180.26.179 | tidytrend.com |
101.0.99.38 | titanmachinery.com.au |
92.245.188.95 | tomcarservice.it |
109.70.26.37 | valpit.ru |
194.85.61.76 | valpit.ru |
176.223.209.5 | ventrust.ro |
188.65.115.35 | vipan-photography.com |
107.180.48.250 | wizbam.com |
47.91.107.213 | eesiiuroffde445.com |
Link
Value | Description |
---|---|
https://www.virustotal.com/en/file/fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e/analysis/1494930087/ | |
https://malwr.com/submission/status/MmY0ZTQ2ODQzZjNhNDlkNzkyZjJiNDUwZmUzMmRjMGY/ | |
https://www.hybrid-analysis.com/sample/fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e?environmentId=100 | |
https://www.virustotal.com/file/fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e/analysis/1494948925/ | Cross-checked via VT: fabc5b9309a1ffcbf9028cd01cf440edbd654c2faaacf7e64e5a39d63775a33e |
https://www.virustotal.com/file/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092/analysis/1495000686/ | Cross-checked via VT: c2a760c6461449ac1d5a5538242bed11 |
https://www.virustotal.com/file/aca726cb504599206e66823ff2863eb80c6a5f16ff71ca9fcdd907ad39b2d852/analysis/1494969979/ | Cross-checked via VT: e79e31c6caee2d64b25588337e979eab |
https://www.virustotal.com/file/ae7f1496e098b24ed52f3796b2751e31300c1f414cdb9852ccb42dfdc261c98d/analysis/1495008698/ | Cross-checked via VT: 3564428de04f35a9a9c7b1828d60edce |
https://www.virustotal.com/file/04cdba9177bcb633604469e09c5d9348719706ea86f3cdd0aaaf5cb4c6b0dece/analysis/1494994547/ | Cross-checked via VT: ed8ed2f15cc120d56101f9278d2b7a90 |
Threat ID: 686680ff6f40f0eb72968329
Added to database: 7/3/2025, 1:09:19 PM
Last enriched: 7/3/2025, 1:24:33 PM
Last updated: 7/6/2025, 12:13:54 AM