Attachment Inception: How PDF Attachments Spread JAFF Ransomware

May 29, 2017

A new trick utilizing PDF attachments is enabling a widespread bot network to become even more widespread. The trick, which cleverly conscripts PDF files to spread malware, has been used to great effect by the hackers behind the Necurs botnet. Long-known and long-used by hackers, Necurs is an especially versatile botnet that is able to download and execute modules on demand.

Necurs is mostly known for its spam capabilities, looping newly infected machines into service in order to power a worldwide network for the distribution of spam. As part of the Necurs botnet, each infected machine is given specific instructions by the bot-master, including:

  • A list of victims to send to emails to
  • A draft to be send; including the message body, subject and malicious attachments.

These malicious attachments, once opened (the socially engineered e-mail message and title make sure that that happens) execute their code, fetching malware (the specific one depends on the campaign being run) and installing it on when the recipients of the message open the attachment – further expanding the botnet network.

Now, hackers have come up with a new, nefarious way to expand the Necurs network – via a PDF attachment that contains a malicious attachment, which will install ransomware on a targeted victim’s machine.

This is what it looks like

Upon opening the PDF, it “kindly” asks you to open an attachment from within the PDF file.

This attachment turns out to be a DOCM file, with macros in it. The DOCM file utilizes social engineering to convince you to activate the macros. In the figure below, the DOCM file is trying to get the user to click the “Enable Content” button which seems harmless but in fact, sets the macros loose. These macros, when enabled, initiate the infection sequence which delivers the JAFF ransomware to the machine.

To top it all off, the macros don’t fetch the actual malware (as a PE file). In fact, the macros download a TXT file which is then decrypted to reveal itself in its true form – the JAFF executable itself. The point of that trick is to make it harder for security vendors and researchers to intercept, analyze and block the executable.


This latest trick is a truly sophisticated – and dangerous – one. Most of the security solutions available today are not capable of scanning PDF attachments – so files that use this trick are almost certain to be allowed in.

As with all malicious attachments, awareness is key. Users need to pay attention to incoming emails and think before they click! As spam campaigns get more and more sophisticated, the end-users must up their game in order to prevent the next disaster.

I’ve used Votiro’s API and uploaded the JAFF PDF sample. The safe document was retrieved in less than a second and as expected: the PDF, with its malicious DOCM attachment along with its macros, was cleaned automatically.


There is another alternative in fighting this scourge – using Content Disarm and Reconstruction technology (CDR), the only technology capable of scanning, analyzing, and purging document formats such as PDF and DOCM of bad code. In a CDR scenario, an attached file is carefully examined, dissected, and rebuilt from scratch – sans any non-standard or non-documented attributes, values, attachments and OLE objects. No signatures or AI-based learning required.