Loads of Macro Malware ‘Invoice’ Emails Hitting Inboxes

Inboxes are currently being hit by malicious ‘invoice’ or ‘receipt’ emails with attached Microsoft Word documents.

Brief Analysis:
The emails are designed to trick people into enabling macros so that a malicious macro can run and subsequently download and install malware. Be wary of any Microsoft Word or other Microsoft Office email attachment that claims that you must enable macros to view an invoice or receipt. If you are unfamiliar with macros and the potential dangers they pose, scroll down to the Detailed Analysis for more information.


Subject: Receipt – Order No 173535

[No content]

Attached: Receipt – Order No 173535.docm


Subject: Scanned Invoice

Dear [name removed],

Scanned Invoice in Microsoft Word format has been attached to this email.

Thank you!

[Name removed]
Sales Manager

Attached: SCAN_Invoice_[name removed].doc

Detailed Analysis:
A new wave of macro malware emails is currently hitting inboxes. These emails are very short and to the point. Many of them have no content at all in the body of the email but feature a subject line that implies that you can view a receipt or invoice by opening an attached file. Other versions include a brief message that echoes the suggestion in the subject line that the attachment contains a receipt or invoice. The attachments are usually Microsoft Word documents, although some may be in other Microsoft Office formats such as Excel.

The criminals running these malware campaigns know that at least a few recipients will want to open the attachments out of simple concern and curiosity. Recipients may be worried that they have been billed for items or services that they never bought. The emails do not name the company that they were supposedly sent by, nor do they contain any information at all about the supposed purchase. This lack of detail is a deliberate ploy designed to get people clicking on attachments in the hope of revealing the missing information. And, because the attachments are seemingly innocuous Microsoft Office documents, at least a few recipients may let their guard down and open them without due caution.

If people do attempt to open the attachments, they will be prompted to enable macros supposedly so that the contents can be properly displayed. But, if they do enable macros as requested, a malicious macro will then be able to run. This macro can connect to a compromised website and download and install malware of various types.

For those that may not be aware, a macro is a set of commands and instructions that can be grouped as a single command in order to quickly and automatically accomplish a task.

Macros can be very helpful in some workflows, and quite complex macros can be created. But such complex macros can be created to perform evil deeds as well as good. In years gone by, macro viruses were common computer security threats. For the last several years, however, they have been much less significant because later versions of Microsoft Office disabled macros by default.

Alas, many users may have either forgotten about or have no knowledge of macro risks and may therefore be inclined to enable macros if requested to do so.

While macros can certainly be useful in some workflows, it is best to leave them disabled if you do not use them and are unfamiliar with their potential security risks. And do not believe any message that claims that you must enable macros in order to view a simple document such as a billing invoice or receipt.
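
A defender-side check for the kind of attachments described in this article, added here as an example and not part of the original article: it reports whether an Office file appears to contain a VBA macro project by inspecting the file's contents rather than trusting its extension. The function names and sample files are constructed for illustration, and the legacy .doc check is a simple byte-search heuristic, not a full parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc/.xls container
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE entry names are UTF-16LE


def macro_indicators(filename, data):
    """Return reasons why an Office attachment appears to carry VBA macros."""
    reasons = []
    ext = filename.lower().rpartition(".")[2]
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled extension ." + ext)
    if data.startswith(b"PK"):                   # OOXML (.docx/.docm) is a ZIP
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                names = pkg.namelist()
        except zipfile.BadZipFile:
            names = []                           # not a readable package
        # A macro-enabled package stores its VBA project in vbaProject.bin,
        # even when the file has been renamed to .doc or .docx.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("package contains vbaProject.bin")
    elif data.startswith(OLE_MAGIC) and VBA_STREAM in data:
        # Heuristic: a VBA project stream name appears in the file.
        reasons.append("legacy file contains a _VBA_PROJECT stream")
    return reasons


def sample_ooxml(parts):
    """Constructed test input: a minimal ZIP with the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name in parts:
            pkg.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples named after the attachment styles quoted above.
    samples = {
        "Receipt - Order No 173535.docm":
            sample_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "SCAN_Invoice.doc": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM,
        "notes.docx": sample_ooxml(["word/document.xml"]),
    }
    for name, blob in samples.items():
        print(name, "->", macro_indicators(name, blob) or "no macro indicators")
```
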

Last updated: March 7, 2016
First published: March 7, 2016
By Brett M. Christensen