The fake PDF attached to the "PURCHASE ORDER 05-30-2023" email contains a link from which a .tgz archive is downloaded; it holds a TAR file, inside which is an .exe: the malware.
Cyber Espionage, new campaign against Ukraine from Tajikistan
New cyber espionage campaign against Ukraine from Tajikistan. According to CERT-UA, the HATVIBE loader was used to install the LOGPIE, CHERRYSPY and STILLARCH (alias DownEx) malware on the victim's computer.
CERT-UA has detected a series of emails, allegedly sent from the official mailbox of the Embassy of Tajikistan in Kyiv (probably because that mailbox was compromised). The first email contained an attachment in the form of a document with a macro, and the second a link to the same document. If the document is downloaded and the macro enabled on the PC, a process is started that installs and runs the “SoftwareProtectionPlatform” file, classified as HATVIBE. This is an encoded VBScript (VBE) whose function is to download and execute other files. Subsequently (probably with the help of HATVIBE), additional programs were installed on the victim’s computer: the LOGPIE keylogger, the CHERRYSPY backdoor, and the STILLARCH (aka DownEx) malware.