“Billing Status Overdue” Emails Contain Macro Malware

Emails claiming that your billing status is overdue urge you to open an attached “e-invoice” to review the outstanding balance.

Brief Analysis:
The emails are not from any legitimate company and the attachments do not contain invoices. Instead, the attached Microsoft Word documents contain malicious macros that, if enabled, can download and install malware.

Subject: Hoax-Slayer – Billing (16-10378) status is overdue

Dear Brett Christensen,

Attached is an e-invoice (6267463) that is due after 5 days that has an outstanding balance of A$ 1,136. We kindly ask you to inform us if there are any problems with the invoices in question and let us know when the remittance will be made.

Kindly skip this letter if the deposit has already been processed. We know you have a lot of options and thank you for your business.

Thank you.

[Contact details removed]

Detailed Analysis:
A series of emails that claim that you owe money to the sending company are currently hitting inboxes. The emails have a subject line that claims that your billing status is overdue and includes your name or business name along with a reference number for the supposed bill.

The body of the emails lists the amount of the outstanding bill and informs you that an “e-invoice” for the bill is contained in an attached file.

The emails include a signature section that lists the name and contact details of the staff member and company that supposedly sent the invoice.

However, the emails are not from the companies named in the signature and the attachments do not contain invoices. Instead, the attached Microsoft Word documents contain malicious macros designed to install malware.

The criminals behind this attack bank on the fact that at least a few recipients will open the attachment in the mistaken belief that they have been incorrectly billed. And, because the attachment is a seemingly innocuous Microsoft Word document, many may open it without due caution.

If you do open the attachment, you will be prompted to enable macros, ostensibly because the document is “protected”. If you enable macros as requested, a malicious macro will then download and install malware. The exact purpose of this malware may vary. The malware may be ransomware that can lock your computer’s files and then demand a fee to receive an unlock key. Or it may be malware that can steal sensitive information such as banking passwords from your computer.

Be very cautious of any email that claims that you need to enable macros to view an ordinary document such as an invoice. There is no reason why you should need macros to view such documents. Unless you have a specific need to use them, it is best to leave macros disabled by default.
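For anyone triaging these attachments at a mail gateway or help desk, a static check can show whether a Word file carries a VBA macro project without opening it in Word. The following is an added example, not part of the original article. It assumes the attachment is either an OOXML (zip-based) file or a legacy OLE `.doc`; the function names are hypothetical and the sample inputs are constructed.

```python
import io
import zipfile

# Header of the legacy binary (OLE2) format used by .doc files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Directory entry names Word uses for a VBA project; OLE stores names as UTF-16LE.
OLE_VBA_NAMES = ("Macros", "_VBA_PROJECT")


def macro_indicators(data):
    """Return a list of reasons to treat an attachment as macro-bearing."""
    hits = []
    if data.startswith(OLE_MAGIC):
        # Heuristic: look for the VBA storage names anywhere in the file.
        for name in OLE_VBA_NAMES:
            if name.encode("utf-16-le") in data:
                hits.append("OLE entry " + name)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Check the conventional part name and the declared content types.
            hits += ["OOXML part " + n for n in names
                     if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                types = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in types or "vbaProject" in types:
                    hits.append("macro content type declared")
    return hits


def build_sample(with_macro):
    """Constructed input: a minimal OOXML-shaped zip, not a real document."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml"
            if with_macro else "application/vnd.openxmlformats-officedocument"
                               ".wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override PartName='
                   '"/word/document.xml" ContentType="%s"/></Types>' % main)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(label, macro_indicators(blob) or "no macro indicators")
```

A hit only shows that a macro project is present, not that it is malicious, since legitimate documents can also carry macros. For an unexpected “invoice”, though, the presence of any macro is reason enough to quarantine the message.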

If you are unfamiliar with macros and the security threats they pose, you can read more about them in this earlier Hoax-Slayer article.

Note that details such as the name and contact information of the sending company and the amount of the supposed bill may vary in different versions of these emails. To make their claims seem more believable, the criminals have used the names and details of real companies in their malware messages.

Last updated: September 21, 2016
First published: September 21, 2016
By Brett M. Christensen