MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Fax from +4921154767199 Pages: 1”.
This email is send from the spoofed address “faxtastic! <firstname.lastname@example.org>” and has the following body:
You have received a new fax. To view it, please open the attachment.
Did you know we now send? Visit http://www.faxtastic.co.uk for more details.
faxtastic Support Team
The attached 62 kB large file 2015031714240625332.xls is in fact an Excel sheet with embedded macro that will download the real trojan from different hosts.
The malicious Excel is known as LooksLike.Macro.Malware.a (v) at Virus Total.
More information at Hybrid Analysis as well.
MX Lab recommends not to open the atteched Excel file or at least make sure that macro’s are disabled.