“IMPORTANT – Document From Ofcom Spectrum Licensing” docm virus spam

More spam today. Even though the spam content seems very targeted at radio stations or those in the radio industry it was also sent to schools and probably many other loctions.

From: Spectrum.licensing@ofcom.org.uk
Subject: IMPORTANT – Document From Ofcom Spectrum Licensing
Attachment: OFCOM_REN04_20150715_0976659.docm
Message Id: <180dc2be-545b-4fc3-be91-d5629fd52038@WOK-INTRA-EXC01.intra.ofcom.local>

Dear Sir/Madam,

Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.

Please read the document carefully and keep it for future reference.

If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee’s responsibility to ensure all information we hold is correct and current.

If you have any enquiries relating to this document, please email

Yours faithfully,
Ofcom Spectrum Licensing
Riverside House
2a Southwark Bridge Road
London SE1 9HA

Phone: 020 7981 3131
Fax: 020 7981 3235
Textphone: 020 7981 3043

The attachment is SHA256 71c76d5248f0a8cfb4c9c3b82e358eff0f6aba9619023e55f530825d71417336
VirusTotal Report

When run with macros enabled it downloaded payload from:

SHA256 6b668ffa97a00d9e4d6ed0be6ae5dfbd191bb4201bb49e34d23c44a430c16ee6

Which then, in my case, communicated with

Then probably detected my virtual machine and quit.

The SSL certificate used on was created 27th July 2015 and has the following wording.. less entertaining than the previous ones.

CN = catttboret.tp
OU = bushes
O = clan
L = Springfield
S = TX
C = US
Thumbprint: ‎df78b019bc298bc97217bee62327fcc6970ae454

This entry was posted in Uncategorized. Bookmark the permalink.

1 Response to “IMPORTANT – Document From Ofcom Spectrum Licensing” docm virus spam

  1. Pingback: “Booking Confirmation – Accumentia (16/9/15)” .doc macro attachment virus | thecomputerperson

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s