Industry News

Watch out for malware disguised as unpaid invoices!

Once again email users are being warned to be wary of unsolicited attachments arriving in their inboxes after online criminals spammed out a malware campaign designed to infect recipient’s computers.

The emails pose as unpaid invoices, using a wide range of senders’ names and reference numbers.

Here is an example:


Dear Customer

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business – we appreciate it very much.

<NAME>Courier Service

Attached to the emails is a zip file, Invoice_copy_[number].zip.

I have received scores of the emails at one of my personal accounts, all using different names for the sender and the bogus courier service. Of course, what’s happening here is that online criminals are trying to use social engineering to trick you into opening the attached file – in this case, pretending the file is an unpaid invoice and demanding that you pay as soon as possible.

The ZIP in itself cannot harm your computer, but its contents are dangerous.

Contained inside the zip is a file called invoice_SCAN.qhfgd.js, which contains malicious obfuscated JavaScript code designed to access third-party websites and steal information from your Windows computer.


In all likelihood, the aim of the code is to download further malware from the internet, and attempt to exploit vulnerabilities to hijack control of your computer.

But there’s nothing to fear if you have your wits about you, and are protected by up-to-date security software.

If the unexpected invoice wasn’t enough to put you on guard, or the reference to a courier service that you have never heard of, then hopefully your security savviness will have been enough to prevent you from unpacking the ZIP file and clicking on the malicious JavaScript file.

But even if you or your users weren’t able to stop the attempted attack at that stage, the good news is that Bitdefender’s anti-virus can intercept the malicious code – detecting it as JS:Trojan.Script.CRD – and prevent it from running.


A quick check on VirusTotal suggests that other anti-virus vendors are steadily adding identification of the malware to their products. As ever, whether you are using Bitdefender to protect your systems or not, keep your anti-virus defences updated.

You should always be on your guard about unsolicited emails, especially when they contain unexpected attachments or links. It’s far from a new technique to infect computers, but because it works so well – it’s not at all uncommon to see cybercriminals trying to trick unsuspecting users into the trap time and time again.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment
  • Hi Graham…I am received these messages daily. First I started blocking the sender but theyhave an unlimited supply of email addresses. Is there any way to stop the messages from coming in to the inbox.