Home Malware Fake ‘Witness Subpoena’ Email Contains Macro Malware

Fake ‘Witness Subpoena’ Email Contains Macro Malware

by Brett M. Christensen

‘Witness Subpoena’ email purporting to be from an attorney claims that your case has been appointed for a court hearing and you should open an attached ‘Subpoena to Appear in Court’ Microsoft Word document to read more information.

Brief Analysis:
The email is not from any legitimate attorney, and the attached document does not contain a genuine subpoena. The attached Word document contains a malicious macro that, if enabled, can download and install malware on your computer.

Subject: [Name removed]- Witness Subpoena 010/0023250

Dear Representative of [Name Removed] Your case has been appointed for hearing on 5th April, 2016 at 12:30 PM. Your case is before Justice Norman Gildin .

This is a hearing about Breach No. I-64791381.

Please be present for this. If you require any further information, feel free to call.

Please see the enclosed Subpoena to Appear in Court for complete information.


[Name removed], Attorney

Tel.: [removed]

Detailed Analysis:
According to this ‘Witness Subpoena’ email, your case has been appointed for a hearing on a specified date in front of a specified judge. The email, which claims to be from an attorney, urges you to open an attached Subpoena to Appear in Court document to read complete information about the supposed hearing.

The attached file is a seemingly innocuous Microsoft Word (.doc) file.

However, things are not as they may appear. The email is not a genuine court notice message, it is not from a real attorney, and the attached document does not contain a subpoena to appear in court as claimed. In fact, the message is an attempt to trick you into allowing malware to be installed on your computer.

At first glance, the email’s attachment seems to be a harmless Microsoft Word document and you might therefore open it without due forethought. However, if you do attempt to open the document, you will be prompted to enable macros, ostensibly to allow the document’s content to be correctly displayed. If you enable macros as requested, a malicious macro will connect to a server and download and install malware.

The exact nature of the downloaded malware may vary. Malicious macros have recently been used to install ransomware such as Locky as well as trojans that can steal your online banking login credentials and other personal information.

Bogus court notice emails have been used repeatedly to deliver malware in recent years. Some, like this one, include malicious attachments. Others have a link to a compromised website that harbours the malware.  Be wary of any unsolicited email that purports to be from a court or law firm that claims that you must click a link or open an attached file to read more information about an impending court case.

If you are unfamiliar with macros and the potential dangers they pose, you can read more about them here.

Court Malware

Last updated: May 3, 2016
First published: May 3, 2016
By Brett M. Christensen
About Hoax-Slayer

Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
‘Notice to Appear in Court’ Malware Emails


Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,