The zip attachment contains an exe file: the malware itself. Stolen data is exfiltrated via SMTP.
Technical analysis by the Malware Hunter JAMESWT
ClipBanker and PhoenixMiner are conveyed via fake saved photos. The exe file is RedLine Stealer. Once opened, it automatically downloads the other two malware families: a banking trojan and a cryptominer.
It is not clear at the moment, however, what the delivery vehicle of the initial malicious document is. ClipBanker is a banking trojan and info-stealer, used by cybercrime actors to exfiltrate sensitive information from infected computers. PhoenixMiner, on the other hand, is a cryptominer that mines Ethereum and supports both AMD and NVIDIA cards.
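The delivery pattern described above (a ZIP attachment carrying the stealer executable, with the payloads passed off as saved photos) is something mail-gateway or triage tooling can flag before a user opens the archive. The following is an added defender-side example, not code from the original page or from the analyst it cites: it scans a ZIP in memory and reports entries that carry a Windows PE header or an executable extension, including double extensions that pose as image files. The sample archive it builds is constructed for the demonstration and contains only stub bytes, not real malware.

```python
"""Triage helper for ZIP e-mail attachments (added illustrative example).

Flags archive entries that are Windows executables (PE 'MZ' header) or
that carry an executable extension, including entries disguised as image
files such as 'photo.jpg.exe'. Extension lists below are assumptions for
the example, not a complete policy.
"""
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def classify_entry(name: str, head: bytes) -> list:
    """Return a list of finding strings for one archive entry (empty if benign)."""
    findings = []
    basename = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in basename.split(".")[1:]]  # e.g. ['.jpg', '.exe']
    if exts and exts[-1] in EXEC_EXTENSIONS:
        findings.append("executable extension")
    if len(exts) >= 2 and exts[-1] in EXEC_EXTENSIONS and exts[-2] in IMAGE_EXTENSIONS:
        findings.append("double extension disguised as image")
    if head[:2] == b"MZ":  # DOS/PE magic at offset 0
        findings.append("PE header (MZ)")
        if exts and exts[-1] in IMAGE_EXTENSIONS:
            findings.append("PE content with image extension")
    return findings


def scan_zip_bytes(data: bytes) -> dict:
    """Scan an in-memory ZIP; return {entry_name: [findings]} for suspicious entries only."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # the first bytes are enough for the magic check
            findings = classify_entry(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed sample archive (stub bytes, not a real sample): one JPEG-like
    file, one PE-like file with a double extension, one PE-like file named as a PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG magic, benign
        zf.writestr("photo.jpg.exe", b"MZ" + b"\x90" * 62)              # PE magic, double extension
        zf.writestr("saved_photo.png", b"MZ" + b"\x00" * 62)            # PE magic behind an image name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip_bytes(build_sample_zip()).items():
        print(f"{entry}: {', '.join(findings)}")
```

The content check matters more than the name check: an attacker controls the filename, but a PE loader still needs the `MZ` header, so an entry whose bytes say "executable" while its name says "photo" is the signal worth alerting on.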