IMAGINiT ‘Urgent Invoice’ Malware Email

‘Urgent’ email purporting to be from Autodesk software provider IMAGINiT claims that an invoice is past due and you should therefore open an attached .rtf file to review the invoice.

Brief Analysis:
The email is not from IMAGINiT and the attachment does not contain an invoice. The attached document contains a malicious macro that, if run, can download and install malware on your computer.

Subject: Urgent: IMAGINiT invoice BDINV54736 is Past due

Dear Valued Customer-Please be aware that our invoice BDINV54736 (attached) is currently past due and payment is required at this time. Our remittance address is indicated on the attached invoice. Please note that credit card payments will not be accepted for invoices processed with credit terms. If you have any questions regarding your invoice, please contact us on 581-685-1209 using reference account number 8A81D-712.Payments and/or credits of $0.00 have been applied to this invoice, the balance currently due is $108.46.

Thank you for your business and we appreciate your prompt response in this matter.


IMAGINiT, a Division of Rand Worldwide

Imaginit Malware Email

Detailed Analysis:
This supposedly urgent email purports to be from Autodesk software provider IMAGINiT and includes the IMAGINiT logo. The email claims that a payment is now past due and requests that you opened an attached document to review the overdue invoice. The attached document is in Rich Text Format (.rtf), a type of file that will open in Microsoft Office software such as Microsoft Word.

However, the email is not from IMAGINiT and the attachment does not contain an invoice. If you click the .rtf file, you will receive a message that prompts you to enable macros, ostensibly so that the contents of the document can be correctly displayed.  If you do enable macros as requested, a malicious macro will run. The macro will connect to a website and download a version of the DRIDEX banking trojan. After it is installed, the trojan can use various methods to steal online banking login credentials and send the stolen information to criminals.

The criminals rely on the fact that many users may not know what macros are or be aware of the potential dangers they pose. A macro is a set of commands and instructions that can be collected as a single command in order to quickly and automatically accomplish a task. Macros can be very helpful in some workflows. But malicious macros can also be created and distributed.

Later versions of Microsoft Office disable macros by default to reduce the threat of macro viruses.  However, a number of recent malware attacks try to trick recipients into enabling macros and thereby allowing their computers to be infected.

Unless you have a specific need to use macros, it is best to leave them disabled. And, do not believe any message that claims that you must enable macros to view ordinary types of documents such as billing invoices.

Last updated: March 18, 2016
First published: March 18, 2016
By Brett M. Christensen
About Hoax-Slayer

Urgent: IMAGINiT invoice … is Past due – Malware
Loads Of Macro Malware ‘Invoice’ Emails Hitting Inboxes
Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Malware Threat Articles