More spam today. Even though the spam content seems very targeted at radio stations or those in the radio industry, it was also sent to schools and probably many other locations.
From: Spectrum.licensing@ofcom.org.uk
Subject: IMPORTANT – Document From Ofcom Spectrum Licensing
Attachment: OFCOM_REN04_20150715_0976659.docm
Message Id: <180dc2be-545b-4fc3-be91-d5629fd52038@WOK-INTRA-EXC01.intra.ofcom.local>
Dear Sir/Madam,
Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.
Please read the document carefully and keep it for future reference.
If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee’s responsibility to ensure all information we hold is correct and current.
If you have any enquiries relating to this document, please email
spectrum.licensing@ofcom.org.uk
Yours faithfully,
Ofcom Spectrum Licensing
Riverside House
2a Southwark Bridge Road
London SE1 9HA
Phone: 020 7981 3131
Fax: 020 7981 3235
Textphone: 020 7981 3043
The attachment is SHA256 71c76d5248f0a8cfb4c9c3b82e358eff0f6aba9619023e55f530825d71417336
VirusTotal Report
When run with macros enabled it downloaded a payload from:
http://hunde-detektive.de/75yh4/8g4gffr.exe
SHA256 6b668ffa97a00d9e4d6ed0be6ae5dfbd191bb4201bb49e34d23c44a430c16ee6
VirusTotal
Which then, in my case, communicated with
https://194.58.111.157:448/
Then probably detected my virtual machine and quit.
The SSL certificate used on https://194.58.111.157:448/ was created 27th July 2015 and has the following wording, less entertaining than the previous ones:
CN = catttboret.tp
OU = bushes
O = clan
L = Springfield
S = TX
C = US
Thumbprint: df78b019bc298bc97217bee62327fcc6970ae454