I'm curious - if the link in the email leads to paypal.com with what looks like an invoice, why doesn't the invoice appear on the target's email account?
Is it just that the invoice is a real invoice but isn't debited against the target's paypal account?
I think it being a real invoice would be the easiest answer. The scammers have obtained a legit business account at PayPal and are issuing baseless invoices. I don't know if they'd receive the money if you paid - maybe. But they want you to call them and install the backdoor.
In the version I looked at, the scammer sent it to their own email account and did a replay attack against the victim - which doesn't invalidate the cryptographic anti-spam signature.
Is it just that the invoice is a real invoice but isn't debited against the target's paypal account?
Or is the invoice fake somehow?