
Wednesday 5 August 2015

Malware spam: "IMPORTANT - Document From Ofcom Spectrum Licensing" / "Spectrum.licensing@ofcom.org.uk"

This spam does not come from OFCOM but is instead a simple forgery with a malicious attachment.

From:    Spectrum.licensing@ofcom.org.uk
Date:    5 August 2015 at 07:46
Subject:    IMPORTANT - Document From Ofcom Spectrum Licensing


Dear Sir/Madam,

Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.

Please read the document carefully and keep it for future reference.

If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee's responsibility to ensure all information we hold is correct and current.

If you have any enquiries relating to this document, please email
spectrum.licensing@ofcom.org.uk

Yours faithfully,


Ofcom Spectrum Licensing
Riverside House
2a Southwark Bridge Road
London SE1 9HA

Phone: 020 7981 3131
Fax: 020 7981 3235
Textphone: 020 7981 3043 

In the sample I saw, the attachment was OFCOM_REN04_20150715_0976659.docm [VT 4/46] which contains this malicious macro [pastebin] which (according to this analysis) downloads a malware executable from:

naturallyconvenient.co.za/75yh4/8g4gffr.exe

This has a detection rate of 4/52 and automated analysis tools [1] [2] show it phoning home to:

194.58.111.157 (Reg.RU, Russia)

That IP has been used for badness a few times recently and I definitely recommend that you block traffic to it. The payload is most likely to be the Dridex banking trojan.

MD5s:
2934c524678e7e1447653e72a1e8ca3b
d9bf9f695433705dc4fc5986d170ba1f
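As an added example (not part of the original post), the following Python triage helper applies the indicators listed above to an incoming message and to proxy log lines. The sample message, attachment bytes and log lines are constructed placeholders, not the real malware or real logs.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators taken from the post above.
KNOWN_MD5 = {
    "2934c524678e7e1447653e72a1e8ca3b",
    "d9bf9f695433705dc4fc5986d170ba1f",
}
C2_IP = "194.58.111.157"
# Macro-enabled Office extensions; .docm is the one used in this campaign.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".pptm")


def triage_message(raw: bytes) -> list[str]:
    """Return the reasons (if any) this message should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.md5(payload).hexdigest()
        if name.endswith(MACRO_EXTS):
            findings.append(f"macro-enabled attachment: {name}")
        if digest in KNOWN_MD5:
            findings.append(f"known-bad MD5 {digest} ({name})")
    return findings


def c2_hits(log_lines: list[str]) -> list[str]:
    """Return proxy/firewall log lines that mention the C2 address."""
    return [line for line in log_lines if C2_IP in line]


def build_sample() -> bytes:
    """Constructed message mimicking the spam's headers and attachment name."""
    msg = EmailMessage()
    msg["From"] = "Spectrum.licensing@ofcom.org.uk"
    msg["Subject"] = "IMPORTANT - Document From Ofcom Spectrum Licensing"
    msg.set_content("Please find attached an electronic version of important documents.")
    msg.add_attachment(b"PK\x03\x04 constructed placeholder bytes, not a real document",
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="OFCOM_REN04_20150715_0976659.docm")
    return msg.as_bytes()


# Constructed proxy log lines: only the second one touches the C2 address.
SAMPLE_LOG = [
    "2015-08-05 07:50:01 10.0.0.12 GET http://example.org/ 200",
    "2015-08-05 07:50:09 10.0.0.12 POST http://194.58.111.157/ 200",
]
```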
