Watch out for malware disguised as unpaid invoices!

Once again, email users are being warned to be wary of unsolicited attachments arriving in their inboxes after online criminals spammed out a malware campaign designed to infect recipients’ computers.

The emails pose as unpaid invoices, using a wide range of senders’ names and reference numbers.

Here is an example:

Dear Customer

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business – we appreciate it very much.

<NAME>Courier Service

Attached to the emails is a zip file, Invoice_copy_[number].zip.

I have received scores of the emails at one of my personal accounts, all using different names for the sender and the bogus courier service. Of course, what’s happening here is that online criminals are trying to use social engineering to trick you into opening the attached file – in this case, pretending the file is an unpaid invoice and demanding that you pay as soon as possible.

The ZIP in itself cannot harm your computer, but its contents are dangerous.

Contained inside the zip is a file called invoice_SCAN.qhfgd.js, which contains malicious obfuscated JavaScript code designed to access third-party websites and steal information from your Windows computer.


In all likelihood, the aim of the code is to download further malware from the internet, and attempt to exploit vulnerabilities to hijack control of your computer.
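For anyone filtering mail on behalf of other users, the attachment layout described above (a ZIP whose only job is to carry a script file) can be checked before delivery. The following Python sketch is an added example, not code from the original article or from Bitdefender; the extension list, the function names and the sample message (including the invoice number and addresses) are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs or hands to a script host on double-click.
# Assumed list for this example; the article itself only names .js.
RISKY_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr"}

def risky_zip_members(raw_email: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for risky files inside ZIP attachments."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Check the ZIP signature as well, since the filename can be anything.
        if not (name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()  # listing names does not extract anything
        except zipfile.BadZipFile:
            findings.append((name, "<unreadable archive>"))
            continue
        for member in members:
            if os.path.splitext(member)[1].lower() in RISKY_EXTS:
                findings.append((name, member))
    return findings

def build_sample() -> bytes:
    """Constructed sample: same shape as the email above, harmless contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_SCAN.qhfgd.js", "// harmless placeholder\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Dear Customer\n\nYour invoice appears below.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_copy_12345.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, member in risky_zip_members(build_sample()):
        print(f"quarantine: {attachment} contains {member}")
```

A check like this complements anti-virus scanning rather than replacing it: it flags the delivery pattern regardless of whether the script inside is already known to a scanner.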

But there’s nothing to fear if you have your wits about you, and are protected by up-to-date security software.

If the unexpected invoice wasn’t enough to put you on guard, or the reference to a courier service that you have never heard of, then hopefully your security savviness will have been enough to prevent you from unpacking the ZIP file and clicking on the malicious JavaScript file.

But even if you or your users weren’t able to stop the attempted attack at that stage, the good news is that Bitdefender’s anti-virus can intercept the malicious code – detecting it as JS:Trojan.Script.CRD – and prevent it from running.


A quick check on VirusTotal suggests that other anti-virus vendors are steadily adding identification of the malware to their products. As ever, whether you are using Bitdefender to protect your systems or not, keep your anti-virus defences updated.

You should always be on your guard about unsolicited emails, especially when they contain unexpected attachments or links. It’s far from a new technique for infecting computers, but because it works so well, it’s not at all uncommon to see cybercriminals trying to lure unsuspecting users into the trap time and time again.
