Wednesday, 5 August 2015

IMPORTANT - Document From Ofcom Spectrum Licensing

IMPORTANT - Document From Ofcom Spectrum Licensing OFCOM_REN04_20150715_0976659.docm  macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

From: {}
Subject: IMPORTANT - Document From Ofcom Spectrum Licensing
Message Body:
Dear Sir/Madam,

Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.

Please read the document carefully and keep it for future reference.

If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee's responsibility to ensure all information we hold is correct and current.

If you have any enquiries relating to this document, please email

Yours faithfully,

Ofcom Spectrum Licensing
Riverside House
2a Southwark Bridge Road
London SE1 9HA

Phone: 020 7981 3131
Fax: 020 7981 3235
Textphone: 020 7981 3043

Sha256 Hashes:
1621100f6132a3e077f830df789eff30c55f2ba4f10a3a82844415cd2d4e5f58 [1]
71c76d5248f0a8cfb4c9c3b82e358eff0f6aba9619023e55f530825d71417336 [2]
f9d283ab46e11d59af2a64bda538045bf5ccc62de4772b1b73f68109ab2e93cd [3]
3f23b47564cfada12ca18f18f51215bf0e6747419249db1c3d71887e55a16b8a [4]
d5d3cd83d04116219a4a1b382a85b1142c02741600ce5b1297be9a334f8aeaae [5]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 6/56)
VirusTotal Report: [2] (detection 6/56)
VirusTotal Report: [3] (detection 6/56)
VirusTotal Report: [4] (detection 6/56)
VirusTotal Report: [5] (detection 6/56)


The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))



Karenhoffen said...

Thanks for this. I received this email this morning and it looked genuine but I didn't think it made sense to receive this email from Ofcom so googled it and found your blog.

Will now delete the email.

Anonymous said...

Thank you for your brill site. Just received this email and tried to find out more info but none available until I found your site. Keep up the good work.

Anonymous said...

Unfortunately a bunch of these managed to get through our filter, although they were easy to cleanup after the event. Ironic that ofcom (communications Regulator) do NOT have a DNS SPF (Sender Policy Framework) TXT record configured. If this record existed then our filter would have easily blocked the lot and saved ofcom from fielding irate phone calls and e-mails from some recipients!

Unknown said...

Same here, I thought it was odd as it wasn't personalised. Virus checker didn't pick it up, but Word, stopped any hidden code from running!

Unknown said...

Also received one this morning - looked suspicious so Googled and found your link. Thanks for the info!

jimwah said...

As above - received one of these this morning, will set up a rule to ensure these don't reach our users - Thanks!

Anonymous said...

Hi, I received this email as well. I genuinely applied for a license so I thought I finally got the confirmation. I opened the attachment but it was a blank page. When I so that, I decided to look for that email header and found you. Luckily I have a mac so according to you, no harm done. Thank you very much for this post!

Anonymous said...

McAfee LiveSafe-IS didn't stop the email getting directly into my Firefox in box... But I guess it was a phish or scam from file extension & didn't opn. But tried to email an Ofcom contact and my emails didn't get through (550 5.7.1 Rejecting mail, is blacklisted), so resorted to Twitter DMs to warn them.

So whose email list got hacked: RSGB or Ofcom?

Why this affect on simle direct emails to Ofcom?