Fake ‘Witness Subpoena’ Email Contains Macro Malware

A ‘Witness Subpoena’ email purporting to be from an attorney claims that your case has been appointed for a court hearing and that you should open an attached ‘Subpoena to Appear in Court’ Microsoft Word document to read more information.

Brief Analysis:
The email is not from any legitimate attorney, and the attached document does not contain a genuine subpoena. The attached Word document contains a malicious macro that, if enabled, can download and install malware on your computer.

Subject: [Name removed]- Witness Subpoena 010/0023250

Dear Representative of [Name Removed]

Your case has been appointed for hearing on 5th April, 2016 at 12:30 PM. Your case is before Justice Norman Gildin.

This is a hearing about Breach No. I-64791381.

Please be present for this. If you require any further information, feel free to call.

Please see the enclosed Subpoena to Appear in Court for complete information.


[Name removed], Attorney

Tel.: [removed]

Detailed Analysis:
According to this ‘Witness Subpoena’ email, your case has been appointed for a hearing on a specified date in front of a specified judge. The email, which claims to be from an attorney, urges you to open an attached Subpoena to Appear in Court document to read complete information about the supposed hearing.

The attached file is a seemingly innocuous Microsoft Word (.doc) file.

However, things are not as they may appear. The email is not a genuine court notice message, it is not from a real attorney, and the attached document does not contain a subpoena to appear in court as claimed. In fact, the message is an attempt to trick you into allowing malware to be installed on your computer.

At first glance, the email’s attachment seems to be a harmless Microsoft Word document and you might therefore open it without due forethought. However, if you do attempt to open the document, you will be prompted to enable macros, ostensibly to allow the document’s content to be correctly displayed. If you enable macros as requested, a malicious macro will connect to a server and download and install malware.

The exact nature of the downloaded malware may vary. Malicious macros have recently been used to install ransomware such as Locky as well as trojans that can steal your online banking login credentials and other personal information.

Bogus court notice emails have been used repeatedly to deliver malware in recent years. Some, like this one, include malicious attachments. Others have a link to a compromised website that harbours the malware. Be wary of any unsolicited email that purports to be from a court or law firm that claims that you must click a link or open an attached file to read more information about an impending court case.

If you are unfamiliar with macros and the potential dangers they pose, you can read more about them here.


Last updated: May 3, 2016
First published: May 3, 2016
By Brett M. Christensen

Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
‘Notice to Appear in Court’ Malware Emails