Home Malware Loads of Macro Malware ‘Invoice’ Emails Hitting Inboxes

Loads of Macro Malware ‘Invoice’ Emails Hitting Inboxes

by Brett M. Christensen

Inboxes are currently being hit by malicious ‘invoice’ or ‘receipt’ emails with attached Microsoft Word documents.

Brief Analysis:
The emails are designed to trick people into enabling macros so that a malicious macro can run and subsequently download and install malware. Be wary of any Microsoft Word or other Microsoft Office email attachment that claims that you must enable macros to view an invoice or receipt.  If your are unfamiliar with macros and the potential dangers they pose, scroll down to the Detailed Analysis for more information.


Subject: Receipt – Order No 173535

[No content]

Attached: Receipt – Order No 173535.docm


Subject: Scanned InvoiceDear [name removed] ,

Scanned Invoice in Microsoft Word format has been attached to this email.

Thank you!

[Name removed]
Sales Manager

Attached: SCAN_Invoice_[name removed].doc

Detailed Analysis:
A new wave of macro malware emails is currently hitting inboxes.  These emails are very short and to the point. Many of them have no content at all in the body of the email but feature a subject line that implies that you can view a receipt or invoice by opening an attached file. Other versions include a brief message that echoes the suggestion in the subject line that the attachment contains a receipt or invoice. The attachments are usually Microsoft Word documents, although some may be in other Microsoft Office formats such as Excel.

The criminals running these malware campaigns know that at least a few recipients will want to open the attachments out of simple concern and curiosity. Recipients may be worried that they have been billed for items or services that they never bought.  The emails do not name the company that they were supposedly sent by, nor do they contain any information at all about the supposed purchase. This lack of detail is a deliberate ploy designed to get people clicking on attachments in the hope of revealing the missing information.  And, because the attachments are seemingly innocuous Microsoft Office documents, at least a few recipients may let their guard down and open them without due caution.

If people do attempt to open the attachments, they will be prompted to enable macros supposedly so that the contents can be properly displayed. But, if they do enable macros as requested, a malicious macro will then be able to run. This macro can connect to a compromised website and download and install malware of various types.

For those that may not be aware, a macro is a set of commands and instructions that can be grouped as a single command in order to quickly and automatically accomplish a task.

Macros can be very helpful in some workflows and quite complex macros can be created. But, such complex macros can be created to perform evil deeds as well as good. In years gone by, macro viruses were common computer security threats. But, for the last several years, they have been much less significant due to the fact that later versions of Microsoft Office disabled macros by default.

Alas, many users may have either forgotten about or have no knowledge of macro risks and may therefore be inclined to enable macros if requested to do so.

While macros can certainly be useful in some workflows, it is best to leave them disabled if you do not use them and and are unfamiliar with their potential security risks. And, do not believe any message that claims that you must enable macros in order to view a simple document such as a billing invoice or receipt.

Last updated: March 7, 2016
First published:  March 7, 2016
By Brett M. Christensen
About Hoax-Slayer

‘BP Fuel Card E-Bill’ Excel Macro Malware Email
Malware Threat Articles

Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,