Beware malicious invoices spammed out via email

It’s been over 20 years since the first Word macro virus reared its ugly head and pulled the carpet from underneath the feet of computer users worldwide.

Up until then, it was pretty easy to know what to look out for – executable files (normally .EXE or .COM) and floppy disk boot sectors.

But macro viruses changed all that, infecting the templates inside Microsoft Office files – Word documents, Excel spreadsheets and Powerpoint presentations – where Microsoft had, rather unhelpfully from the security point of view, incorporated a macro language that could execute instructions.

And, of course, computer users were much more used to having Word documents and even (in some cases) spreadsheets sent to them via email than they were .EXE files, and so the opportunities for malware to spread successfully grew significantly.

Well, one thing I have learnt from my years in the computer security industry is that if the criminals find a technique that works, they put it to good use. And so, many years after macro viruses first caused problems, they continue to blight users’ systems today.

I was reminded of that fact at the end of last week and over the weekend when I found multiple samples in my inbox of a few malware campaigns that had been spammed out in the form of malicious Word documents.

Here are some typical examples of what they looked like.


Dear Valued Customer,

We are very grateful for your purchase. The specified sum of $453,71 was paid and now your order is being processed by our company.

Delivery information and the invoice can be found in the attached file.

Thank you!

Eddie Mathews
Sales Manager

In this case the email is using some fairly simply social engineering in an attempt to trick the recipient into opening a dangerous file. The criminals hope that people will be curious to know what company has charged the hundreds of dollars for an unknown product that they never ordered – and open the attachment without properly thinking of the consequences.

Bitdefender security products detect the malicious attachment as W97M.Downloader.AXE.

The criminals use a similar disguise in another malware campaign:


Dear brigitte ,

Scanned invoice in Microsoft Word format has been attached to this email.

Thank you!

Monique Wall
Sales Manager

Bitdefender security products detect this attack too, as W97M.Downloader.AXV.

In both examples, the emails disguise themselves as emailed invoices.

Sure, maybe you are savvy enough not to fall for such schemes – but chances are that you know people (perhaps elderly relatives or less clued-up friends) who might almost instantly rush to click on the attachment without thinking of the consequences.

In both cases, the poisoned Word document file attempts to download further malicious code from the internet, designed to infect your computer.

Ensuring that you do not enable macros when opening a Word document is one defence against attacks like this, but the best protection is to not open unsolicited Word documents in the first place – as you don’t know if they might have malicious code embedded inside them or if they will attempt to exploit a vulnerability in order to infect your PC.

In the past 20+ years we have seen many more sophisticated malware attacks, but the simple truth is that in many cases malware hasn’t had to evolve that much. Old tricks like this still work very effectively and because the typical computer user is still slow to learn how to defend themselves, the online criminals continue to infect PCs, steal information and hijack systems.

Like I said, these malware campaigns arrived in my inbox a couple of days ago. Although Bitdefender intercepts the infection before your computer is compromised, a quick scan of the file on VirusTotal suggests that some up-to-date products from other vendors are still failing to identify the malware.

Leave a Reply