Fake Adobe Invoice Email Contains Malicious Macro


Email purporting to be from the Adobe Billing Department claims that you can view an invoice for Adobe services by opening an attached Microsoft Word document.


Brief Analysis

The email is not from Adobe. The attached Word document contains a malicious macro. If enabled, the macro can download and install malware.


Subject: Adobe Services Invoice 6

Thank you for choosing adobe services. 
Please see your attached invoice. 

Adobe Billing Department
Adobe Systems Incorporated
21 Hickory Drive

(Email includes an attached file named 'invoice.doc')

Detailed Analysis

'Adobe Billing' Email Includes 'Invoice for Services' Attachment

Yet another malicious email is hitting inboxes. The email, which purports to be from the 'Adobe Billing Department', claims that you can view an invoice for 'Adobe Services' by opening an attached Microsoft Word document.

Email is Not From Adobe - Attachment Contains Malicious Macro

However, the email is not from Adobe and the attachment does not contain an invoice as claimed.

The attachment is a seemingly innocuous .doc file, and many users may therefore consider it safe. However, when you open the file, you will be asked to enable macros. The document will claim that content has been hidden for security reasons and urge you to enable editing and content to continue (as shown in the screenshot below).

When Enabled, Macro Will Download Malware

But, alas, if you do enable macros as requested, the macro will download and install a trojan. Typically, such trojans can download even more malware, harvest sensitive information from the compromised computer, and connect to remote servers operated by criminals.

Macro Threat Making a Comeback - Safest to Leave Macros Disabled

A macro is a set of commands and instructions that can be grouped into a single command as a means of automatically accomplishing a specific task.

While macros may not be a tool that is often used by everyday computer users, they can greatly increase efficiency in some workflows.

However, criminals can create and distribute malicious macros. In earlier days, macro viruses were common computer security threats. But, later versions of Microsoft Office disabled macros by default, thus significantly reducing the risk.

Unfortunately, many computer users will have forgotten about or have no knowledge of macro threats and this has created fertile ground for scammers to use simple social engineering techniques to trick users into enabling macros.

In the campaign discussed here, the criminals hope that at least a few users will be tricked into opening the attached file and enabling macros in the mistaken belief that they have been charged for a service that they did not order.

An article on Virus Bulletin explains:

In the past five years, macro malware could be considered practically extinct – thanks mostly to the security improvements introduced into Microsoft Office products. However, in recent months, a resurgence of malicious VBA macros has been observed – this time, not self-replicating viruses, but simple downloader trojan codes.

Unless you have a specific need for macros, it is best to leave them disabled. And be very cautious of any document or message that claims that you must enable macros to view content or for security reasons.
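A mail-filter style check for the kind of attachment described above, as an added example that is not part of the original article: it flags Office attachments that carry a VBA project so they can be held before a user is asked to enable macros. The sample message, addresses and attachment bytes are constructed, and the legacy .doc check is a byte-pattern heuristic rather than a full OLE2 parser.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # legacy .doc/.xls container signature
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")  # VBA stream name as stored in OLE2

def has_vba(data):
    """Heuristic: True if the bytes look like an Office file carrying a VBA project."""
    if data.startswith(OLE2_MAGIC):
        # OLE2 directory entries hold stream names as UTF-16LE text.
        return VBA_DIR_NAME in data
    if data.startswith(b"PK"):  # OOXML (.docm and similar) is a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def macro_attachments(raw_message):
    """Return the filenames of attachments in a raw RFC 5322 message that carry VBA."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba(payload):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

def build_sample():
    """Constructed test message: one macro-bearing stub and one macro-free stub."""
    msg = EmailMessage()
    msg["Subject"] = "Adobe Services Invoice"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see your attached invoice.")
    # Stubs only: OLE2 signature plus a directory-style name, not real documents.
    with_macro = OLE2_MAGIC + b"\x00" * 504 + VBA_DIR_NAME + b"\x00" * 64
    without = OLE2_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    for name, blob in (("invoice.doc", with_macro), ("notes.doc", without)):
        msg.add_attachment(blob, maintype="application", subtype="msword", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(macro_attachments(build_sample()))
```

A flagged attachment only means a VBA project is present; a document with a legitimate macro would be flagged as well, so the result is a reason to quarantine and inspect, not proof of malware.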

Last updated: August 26, 2014
First published: August 26, 2014
By Brett M. Christensen

Invoice - Adobe Suite - malicious .doc macro
Macro Virus Threat Returns - Beware Emails With Malicious Word Attachments
VBA is not dead!