Home Malware “Billing Status Overdue” Emails Contain Macro Malware

“Billing Status Overdue” Emails Contain Macro Malware

by Brett M. Christensen

Emails claiming that your billing status is overdue urge you to open an attached “e-invoice” to review the outstanding balance.

Brief Analysis:
The emails are not from any legitimate company and the attachments do not contain invoices. Instead, the attached Microsoft Word documents contain malicious macros that, if enabled, can download and install malware.

Subject: Hoax-Slayer – Billing (16-10378) status is overdueDear Brett Christensen,

Attached is an e-invoice (6267463) that is due after 5 days that has an outstanding balance of A$ 1,136. We kindly ask you to inform us if there are any problems with the invoices in question and let us know when the remittance will be made.

Kindly skip this letter if the deposit has already been processed. We know you have a lot of options and thank you for your business.

Thank you.

[Contact details removed]

Detailed Analysis:
A series of  emails that claim that you owe money to the sending company are currently hitting inboxes. The emails have a subject line that claims that you billing status is overdue and includes your name or business name along with a reference number for the supposed bill.

The body of the emails lists the amount of the outstanding bill and informs you that an “e-invoice” for the bill is contained in an attached file.

The emails include a signature section that list the name and contact details of the staff member and company that supposedly sent the invoice.

However the emails are not from the companies named in the signature and the attachments do not contain invoices.  Instead, the attached Microsoft Word documents contain malicious macros designed to install malware.

The criminals behind this attack bank on the fact that at least a few recipients will open the attachment in the mistaken belief that they have been incorrectly billed.  And, because the attachment is a seemingly innocuous Microsoft Word document, many may open it without due caution.

If you do open the attachment, you will be prompted to enable macros, ostensibly because the document is “protected”.  If you enable macros as requested, a malicious macro will then download and install malware. The exact purpose of this malware may vary. The malware may be ransomware that can lock your computer’s files and then demand a fee to receive an unlock key. Or it may be malware that can steal sensitive information such as banking passwords from your computer.

Be very cautious of any email that claims that you need to enable macros to view an ordinary document such as an invoice. There is no reason why you should need macros to view such documents. Unless you have a specific need to use them, it is best to leave macros disabled by default.

If you are unfamiliar with macros and the security threats they pose, you can read more about them in this earlier Hoax-Slayer article.

Note that details such as the name and contact information of the sending company and the amount of the supposed bill may vary in different versions of these emails.  To make their claims seem more believable, the criminals have used the names and details of real companies in their malware messages.

Billin status overdue malware email

Last updated: September 21, 2016
First published: September 21, 2016
By Brett M. Christensen
About Hoax-Slayer

Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Loads Of Macro Malware ‘Invoice’ Emails Hitting Inboxes


Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,