Email “Service Suspension Notification” contains malicious Excel sheet


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Service Suspension Notification [ID:D43B02913]”.

This email is sent from the spoofed address “Davldfzme@business.telecomitalia.it” and has the following body:

Dear Mr/Mrs,

This is a notification that your service has now been suspended. The details of this suspension are below:

Product/Service: PREMIUM 1
Domain: srv006026
Amount: $160.00 GBP
Due Date: 15/02/2015
Suspension Reason: Unpaid

Please contact us as soon as possible to get your service reactivated.

The attached file D43B02913.xls is a malicious Excel sheet that uses a macro to download a trojan.

The malicious Excel sheet is detected by 1 of the 56 AV engines at VirusTotal and is named X97M/Downloader.g.

MX Lab recommends not opening the Excel sheet, or at least keeping the macro function disabled.

See the VirusTotal report for more detailed information.
SHA256: 56ed63508058a121d9993b5381a2d1fe68ba0e1c4fe3d9a9b279ce593b8798d1
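
A triage check for this campaign, as an added example that is not MX Lab's code: it tests a raw message for the subject pattern, an attachment named after the ID in the subject, the SHA256 above, and a legacy OLE2 workbook that carries a VBA project. The ID character set, the `_VBA_PROJECT` byte heuristic, the function names and the sample message are assumptions made for illustration.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from this page; the ID character set is an assumption.
SUBJECT_RE = re.compile(r"Service Suspension Notification \[ID:([0-9A-Z]+)\]")
KNOWN_SHA256 = "56ed63508058a121d9993b5381a2d1fe68ba0e1c4fe3d9a9b279ce593b8798d1"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .xls/.doc container signature
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # directory entry name seen when macros exist

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message matches this campaign (empty list = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    m = SUBJECT_RE.search(str(msg["Subject"] or ""))
    if m:
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # The campaign names the attachment after the ID in the subject line.
        if m and name.upper() == m.group(1).upper() + ".XLS":
            reasons.append("attachment-name-matches-id")
        if hashlib.sha256(data).hexdigest() == KNOWN_SHA256:
            reasons.append("known-sha256")
        # Heuristic only: OLE2 container whose directory names a VBA project.
        if data.startswith(OLE2_MAGIC) and VBA_MARKER in data:
            reasons.append("ole2-with-vba-macros")
    return reasons

def sample_message() -> bytes:
    """Constructed test input: OLE2 signature plus a stream name, not a real workbook."""
    msg = EmailMessage()
    msg["Subject"] = "Service Suspension Notification [ID:D43B02913]"
    msg["From"] = "Davldfzme@business.telecomitalia.it"
    msg["To"] = "user@example.com"
    msg.set_content("This is a notification that your service has now been suspended.")
    fake_xls = OLE2_MAGIC + b"\x00" * 504 + VBA_MARKER
    msg.add_attachment(fake_xls, maintype="application",
                       subtype="vnd.ms-excel", filename="D43B02913.xls")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(sample_message()))
```

The hash only matches the single sample listed here, so the subject, file name and macro checks are what catch other attachments sent under the same lure.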