Debunking email hoaxes and exposing Internet scams since 2003!

Hoax-Slayer Logo Hoax-Slayer Logo

Home    About    New Articles    RSS Feed    eBook    Contact
Bookmark and Share

Document Approval Notification Malware Email

Email claims that an attached record of invoice document about a charge of several thousand dollars needs to be reviewed and approved by the recipient.


© kentoh

Brief Analysis
The message is not from any legitimate supplier. It is an attempt by online criminals to panic recipients into installing malware on their computers.

Bookmark and Share


Subject: ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.


Supplier: Link Removed]

Invoice No.: 0910162940

Document No.: 5642884532

Invoice amount: USD 9599.84

Rejection reason(s): Approval Required

Please find enclosed a record of invoice that could not be processed. We would like to ask you to assist us in resolving the noted rejection reasons.

Detailed Analysis

According to this email, an attached document needs to be reviewed and approved by the recipient. Supposedly, the document is a record of invoice for several thousand dollars. The message suggests that the payment was rejected for lack of approval and asks that the recipient help resolve the issue by opening the attached file.

However, the email is not from any legitimate supplier or billing service. And the attachment certainly does not contain an invoice. Instead, the attached .zip file contains a malicious .exe file. 

Opening the .exe file will install malware on the victim's computer. Typically, such malware can harvest sensitive information from the compromised computer and make connections with remote servers run by criminals.

The message uses fake record identifier's and document and invoice numbers to make its claims seem a little more believable. It also creates a fake "Supplier" web address by using the domain name in the recipient's email address.  The criminals hope that at least a few recipients, confronted by what they believe is an invoice for a large sum of money, will be panicked into opening the attachment and running the .exe file.

Networking and security firm Cisco reported on an almost identical version of the malware email back in February 2013.  The specified invoice amount and other details may vary in different incarnations of the scam.

If you receive one of these malware emails, do not open any attachments or click any links that it contains.

Bookmark and Share

Last updated: December 9, 2013
First published: December 9, 2013
By Brett M. Christensen
About Hoax-Slayer

Threat Outbreak Alert: Fake Document Approval Notification E-mail Messages on February 7, 2013

Go to Mobile Version