The invoice arrives as an attachment in a ZIP archive containing a file called Rechnung.scr, which Avira detects as TR/Rogue.957311 and TR/Kazy.169263.1.
While the researchers don't identify the Trojan's functionality, they note that the spam campaign is unique in that it addresses recipients using their full name, and the attached ZIP archive is also named using the recipient's full name.
It also refers to itself as "Dritte Mahnung," or "third reminder."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Usually, after the third demand the companies send the unpaid invoices to a lawyer," notes Avira's Sorin Mustaca. "This is public knowledge in the German speaking countries."