Date: Fri, 25 Jul 2014 16:48:37 +0900 [03:48:37 EDT]
From: HMRC Revenue&Customs [Rosanne@hmrc.gov.uk]
Reply-To: Legal Aid Agency [re-HN-WFCLL-OECGTZ@hmrc.gov.uk]
Dear [redacted] ,
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 34320-289.
The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
2014 © All rights reserved
Attached is a file P6_rep_34320-289.zip, which unzips to a folder called P6_rep(9432)_84632_732.doc. That folder contains a malicious executable, P6_rep(9432)_84632_732.doc.scr, which has a VirusTotal detection rate of 4/53.
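A mail gateway or triage script can catch this attachment layout by inspecting archive members rather than the archive name. The following is an added example, not code from the original post; the extension lists and the function names `suspicious_members` and `build_sample` are assumptions, and the sample archive is constructed with inert filler bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists; extend both for your own mail-filtering policy.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def suspicious_members(zip_bytes):
    """Return (member_name, reason) for each archive entry worth quarantining."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the final path component matters: here the *folder* also ends in .doc.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            last = suffixes[-1] if suffixes else ""
            try:
                with zf.open(info) as fh:
                    is_pe = fh.read(2) == b"MZ"  # DOS/PE magic bytes
            except RuntimeError:  # password-protected member: content not readable
                is_pe = False
            if last in EXECUTABLE_EXTS and len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                findings.append((info.filename, "double extension " + "".join(suffixes[-2:])))
            elif last in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension " + last))
            elif is_pe:
                findings.append((info.filename, "PE header under non-executable name"))
    return findings


def build_sample():
    """Constructed archive with the layout described above; payload is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("P6_rep(9432)_84632_732.doc/P6_rep(9432)_84632_732.doc.scr",
                    b"MZ" + b"\x00" * 62)
        zf.writestr("notes/readme.txt", b"constructed benign file")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample()):
        print(f"{member}: {reason}")
```

The header check also flags a Windows executable that has been given a plain document extension, which the name test alone would miss.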
The CAMAS report shows that a second component is downloaded from 37.139.47.167/bt/2.exe, which in turn has a VirusTotal detection rate of 5/52.
The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here. I would very strongly recommend blocking traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there). The IP belongs to:
inetnum: 37.139.40.0 - 37.139.47.255
netname: COMFORTEL-NET
descr: COMFORTEL ltd.
country: RU
admin-c: ME3174-RIPE
tech-c: RASS-RIPE
status: ASSIGNED PA
mnt-by: MNT-PIN
mnt-routes: MNT-PIN
mnt-domains: PIRIX-MNT
source: RIPE # Filtered

person: Mikhail Evdokimov
address: PIRIX
address: Obukhovskoy Oborony, 120-Z
address: 192012, St.Petersburg
address: Russia
phone: +7 812 3343610
fax-no: +7 812 6002014
nic-hdl: ME3174-RIPE
mnt-by: RUNNET-MNT
source: RIPE # Filtered

person: Dmitry Rassohin
address: 194156, St.Petersburg, Russia
address: Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone: +7 931 2700021
nic-hdl: RASS-RIPE
mnt-by: RASS-MNT
source: RIPE # Filtered

route: 37.139.40.0/21
descr: PIRIXROUTE
origin: AS56534
mnt-by: MNT-PIN
source: RIPE # Filtered