Home Malware ‘Your Latest Documents from Angel Springs’ Macro Malware Email

‘Your Latest Documents from Angel Springs’ Macro Malware Email

by Brett M. Christensen

Email with the subject line ‘Your Latest Documents from Angel Springs’ claims that you should open an attached Microsoft Word file to review billing documents.

Brief Analysis:
The email is not from UK based water cooler provider Angel Springs and the attached file does not contain billing documents. The attached Word document contains a malicious macro that can download and install malware.

Subject: Your Latest Documents from Angel Springs Ltd [STA054C]

Dear Customer,Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we’ve invested in upgrading our billing systems to make things a little easier for you.

Here’s a few ways we’ve made it easier for you:

Your new documents are now attached to your email. You don’t have to follow a link now to get to your documents.
Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.
You can simply and easily raise any queries you may have through the customer portal.

You can also connect to our E-Billing solution to access other relevant documents by clicking on the following link; Single Click Login

Detailed below are your latest documents.

Account Number


Invoice Number

Document Type




Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.

If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on [number removed] and we will be more than happy to assist you. Please do not reply to this email.

To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document

With Kind Regards,

Angel Springs Ltd

Angle Springs Malware Email

Detailed Analysis:
According to this email, which has the subject line ‘Your Latest Documents from Angel Springs Ltd’, you can review your latest Angel Springs billing documents by opening an attached file. The email claims that Angel Springs has upgraded its billing systems so that new billing documents can be viewed by opening an attachment rather than by clicking a link. The email includes the Angel Springs logo and a table with details about the supposed document and an attached file in Microsoft Word (.docm) format.

Angel Springs is a real company that supplies water coolers in the UK.  However, Angel Springs did not send this email and the attachment does not contain billing documents.

Instead, the attached document contains a malicious macro that can fetch and install other types of malware.

If you open the attached Word file, you will be prompted to enable macros, ostensibly so that the contents of the file can be correctly displayed. However, if you do enable macros, a malicious macro will then run. Without you realising, the macro will connect to a website and download and install malware on your computer. The exact nature of this malware may vary. The malware may be Locky ransomware or it may be a trojan that can steal sensitive information such as banking login details.

Details such as the supposed reference number in the subject line and dates, account numbers, and invoice numbers in the message body may vary in different versions of the email.

The email uses address spoofing to make it appear that it really was sent by Angel Springs. Keep in mind that Angel Springs is an innocent victim of the criminals who created this malware campaign and has done nothing wrong.

You can read more details about macro malware threats here.

Malware on Binary Code Graphic

Last updated: April 8, 2016
First published: April 8, 2016
By Brett M. Christensen
About Hoax-Slayer

Malware spam: “Your Latest Documents from Angel Springs Ltd [1F101177]”
Malware Threat Articles
Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments


Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,