More spam today. Even though the spam content seems very targeted at radio stations or those in the radio industry it was also sent to schools and probably many other loctions.
Subject: IMPORTANT – Document From Ofcom Spectrum Licensing
Message Id: <180dc2be-545b-4fc3-be91-d5629fd52038@WOK-INTRA-EXC01.intra.ofcom.local>
Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.
Please read the document carefully and keep it for future reference.
If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee’s responsibility to ensure all information we hold is correct and current.
If you have any enquiries relating to this document, please email
Ofcom Spectrum Licensing
2a Southwark Bridge Road
London SE1 9HA
Phone: 020 7981 3131
Fax: 020 7981 3235
Textphone: 020 7981 3043
The attachment is SHA256 71c76d5248f0a8cfb4c9c3b82e358eff0f6aba9619023e55f530825d71417336
When run with macros enabled it downloaded payload from:
Which then, in my case, communicated with
Then probably detected my virtual machine and quit.
The SSL certificate used on https://22.214.171.124:448/ was created 27th July 2015 and has the following wording.. less entertaining than the previous ones.
CN = catttboret.tp
OU = bushes
O = clan
L = Springfield
S = TX
C = US