
IMAGINiT ‘Urgent Invoice’ Malware Email

by Brett M. Christensen

Outline:
‘Urgent’ email purporting to be from Autodesk software provider IMAGINiT claims that an invoice is past due and you should therefore open an attached .rtf file to review the invoice.




Brief Analysis:
The email is not from IMAGINiT and the attachment does not contain an invoice. The attached document contains a malicious macro that, if run, can download and install malware on your computer.

Example:
Subject: Urgent: IMAGINiT invoice BDINV54736 is Past due

Dear Valued Customer-Please be aware that our invoice BDINV54736 (attached) is currently past due and payment is required at this time. Our remittance address is indicated on the attached invoice. Please note that credit card payments will not be accepted for invoices processed with credit terms. If you have any questions regarding your invoice, please contact us on 581-685-1209 using reference account number 8A81D-712.Payments and/or credits of $0.00 have been applied to this invoice, the balance currently due is $108.46.

Thank you for your business and we appreciate your prompt response in this matter.

Sincerely,

IMAGINiT, a Division of Rand Worldwide





Detailed Analysis:
This supposedly urgent email purports to be from Autodesk software provider IMAGINiT and includes the IMAGINiT logo. The email claims that a payment is now past due and requests that you open an attached document to review the overdue invoice. The attached document is in Rich Text Format (.rtf), a type of file that will open in Microsoft Office software such as Microsoft Word.

However, the email is not from IMAGINiT and the attachment does not contain an invoice. If you click the .rtf file, you will receive a message that prompts you to enable macros, ostensibly so that the contents of the document can be correctly displayed. If you do enable macros as requested, a malicious macro will run. The macro will connect to a website and download a version of the DRIDEX banking trojan. After it is installed, the trojan can use various methods to steal online banking login credentials and send the stolen information to criminals.

The criminals rely on the fact that many users may not know what macros are or be aware of the potential dangers they pose. A macro is a set of commands and instructions that can be collected as a single command in order to quickly and automatically accomplish a task. Macros can be very helpful in some workflows. But malicious macros can also be created and distributed.

Later versions of Microsoft Office disable macros by default to reduce the threat of macro viruses. However, a number of recent malware attacks try to trick recipients into enabling macros and thereby allowing their computers to be infected.

Unless you have a specific need to use macros, it is best to leave them disabled. And do not believe any message that claims that you must enable macros to view ordinary types of documents such as billing invoices.
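A check that a mail administrator or analyst can run on an attachment like the one described above, added here as an example and not taken from the original article: it compares the .rtf file name with the file's real container and looks for macro storage. The RTF format itself has no VBA macro storage, so an ".rtf" file that asks for macros is usually a different Word container under an .rtf name. The file name `invoice.rtf` and all sample bytes are constructed, and the byte-string checks are heuristics, not a full parser.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc container signature

def container_type(data: bytes) -> str:
    """Identify the real format from content, ignoring the file name."""
    head = data[:1024].lstrip()
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-zip"          # .docx / .docm
    if b"mime-version:" in head.lower():
        return "mhtml"              # Word "single file web page"
    return "unknown"

def macro_indicators(data: bytes, kind: str) -> list:
    """Static hints that the file can carry VBA or an embedded object."""
    if kind == "ooxml-zip":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ["unreadable ZIP"]   # truncated or malformed: treat as suspect
        return [n for n in names if n.lower().endswith("vbaproject.bin")]
    if kind == "ole2" and "_VBA_PROJECT".encode("utf-16-le") in data:
        return ["_VBA_PROJECT stream"]  # OLE directory names are UTF-16LE
    if kind == "mhtml" and b"editdata.mso" in data.lower():
        return ["ActiveMime part (editdata.mso)"]
    if kind == "rtf" and b"\\objdata" in data:
        return ["embedded object (\\objdata)"]
    return []

def triage(filename: str, data: bytes) -> dict:
    """Report the real container, a name/content mismatch, and macro hints."""
    kind = container_type(data)
    return {
        "container": kind,
        "extension_mismatch": filename.lower().endswith(".rtf") and kind != "rtf",
        "indicators": macro_indicators(data, kind),
    }

def constructed_docm() -> bytes:
    """Constructed sample: a ZIP holding a placeholder vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()
```

An attachment that reports `extension_mismatch` together with any indicator is a candidate for quarantine before it reaches a user who might enable macros.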




Last updated: March 18, 2016
First published: March 18, 2016