Fake Adobe Invoice Email Contains Malicious Macro
Outline
Email purporting to be from the Adobe Billing Department claims that you can view an invoice for Adobe services by opening an attached Microsoft Word document.
Brief Analysis
The email is not from Adobe. The attached Word document contains a malicious macro. If enabled, the macro can download and install malware.
Subject: Adobe Services Invoice 6
Thank you for choosing adobe services.
Please see your attached invoice.
Adobe Billing Department
Adobe Systems Incorporated
21 Hickory Drive
'Adobe Billing' Email Includes 'Invoice for Services' Attachment
Email is Not From Adobe - Attachment Contains Malicious Macro
The attachment is a seemingly innocuous .doc file, and many users may therefore consider it safe. However, when you open the file, you will be asked to enable macros. The document claims that content has been hidden for security reasons and urges you to enable editing and content to continue (as shown in the screenshot below).
When Enabled, Macro Will Download Malware
Macro Threat Making a Comeback - Safest to Leave Macros Disabled
While macros may not be a tool that is often used by everyday computer users, they can greatly increase efficiency in some workflows.
However, criminals can create and distribute malicious macros. In earlier days, macro viruses were a common computer security threat. Later versions of Microsoft Office disabled macros by default, which significantly reduced the risk.
Unfortunately, many computer users have forgotten about macro threats or never knew about them, and this has created fertile ground for scammers to use simple social engineering techniques to trick users into enabling macros.
In the campaign discussed here, the criminals hope that at least a few users will be tricked into opening the attached file and enabling macros in the mistaken belief that they have been charged for a service that they did not order.
An article on Virus Bulletin explains:
In the past five years, macro malware could be considered practically extinct – thanks mostly to the security improvements introduced into Microsoft Office products. However, in recent months, a resurgence of malicious VBA macros has been observed – this time, not self-replicating viruses, but simple downloader trojan codes.
Unless you have a specific need for macros, it is best to leave them disabled. And be very cautious of any document or message that claims that you must enable macros to view content or for security reasons.
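For mail administrators, the following added example (not part of the original article) shows how a gateway or triage script could flag a legacy .doc attachment like the one described above because it carries a VBA project. The function names and the sample files are constructed for illustration, and the parser only handles small files whose FAT sectors are all listed in the header; a hit means the file contains macros, not that they are malicious.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # signature of legacy .doc/.xls compound files
VBA_NAMES = {"VBA", "_VBA_PROJECT"}             # storage/stream names of an embedded VBA project

def ole_entry_names(data):
    """Return the directory entry names of an OLE compound file, or None if not OLE."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    shift = struct.unpack_from("<H", data, 0x1E)[0]
    if shift not in (9, 12):                     # only 512- and 4096-byte sectors are valid
        return None
    size = 1 << shift
    first_dir = struct.unpack_from("<I", data, 0x30)[0]   # first directory sector
    def sector(n):                               # sector n, zero-padded if the file is truncated
        return data[(n + 1) * size:(n + 2) * size].ljust(size, b"\0")
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C):     # header DIFAT lists the FAT sectors
        if s > 0xFFFFFFF9:                       # free/end markers: no more FAT sectors
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    names, seen, s = [], set(), first_dir
    while s < len(fat) and s not in seen:        # follow the directory chain, guard against loops
        seen.add(s)
        raw = sector(s)
        for off in range(0, size, 128):          # directory entries are 128 bytes each
            nlen, etype = struct.unpack_from("<HB", raw, off + 64)
            if etype and 2 <= nlen <= 64:        # skip unused entries
                names.append(raw[off:off + nlen - 2].decode("utf-16-le", "replace"))
        s = fat[s]
    return names

def has_vba_macros(data):
    names = ole_entry_names(data)
    return bool(names) and any(n in VBA_NAMES for n in names)

def build_sample(entry_names):
    """Constructed minimal compound file: header + one FAT sector + one directory sector."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<H", hdr, 0x1E, 9)         # 512-byte sectors
    struct.pack_into("<I", hdr, 0x30, 1)         # directory lives in sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[0xFFFFFFFF] * 108)   # FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *[0xFFFFFFFF] * 126)
    directory = bytearray(512)
    for i, name in enumerate(entry_names[:4]):   # one sector holds four entries
        enc = name.encode("utf-16-le")           # type 5 = root, 1 = storage (simplified)
        struct.pack_into("<64sHB", directory, i * 128, enc, len(enc) + 2, 5 if i == 0 else 1)
    return bytes(hdr + fat + directory)
```

Calling `has_vba_macros(build_sample(["Root Entry", "Macros", "VBA", "_VBA_PROJECT"]))` returns `True`, while a constructed file with only `WordDocument` and `1Table` entries returns `False`.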
Last updated: August 26, 2014
First published: August 26, 2014
By Brett M. Christensen