The message gz attachment contains an exe file: the malware itself. Stolen data is exfiltrated via FTP.
Technical analysis by the Malware Hunter JAMESWT
Dridex hides behind a fake Amazon Gift Card to spread in a new global campaign. The link in the messages directs the victim to a url (different for each email) and downloads an SCR, a VBS or a doc, which activate the malware infection
Dridex leverages Amazon Gift Card for a new global campaign. The emails contain the official company logos and invite potential victims to download the card via a link. This, however, when opened redirects the user to a url (different for each email) which in some cases downloads an SCR, in others a Vbs script and other times a Word document. Once the download is complete, you are automatically sent back to the Amazon page. If the downloaded file is executed then the malware infection starts. In the case of the SCR, it is a self-extracting archive that contains scripts that execute the malicious Dll, either in clear text or in another compressed file, sometimes protected by a password. In the case of the VBS, the methods are the same: if executed, it extracts from itself a compressed archive in zip format with the Dll inside. The user, however, does not see anything of the whole process and is forced to think that the fake Gift Card does not work, waiting in vain for a PDF to be opened. Finally, in the case of the Word document, once opened it automatically downloads the random DLL from a list of urls inside the document without the end user having evidence of anything.
Two examples of fake Gift Card email
The doc file image
The content extracted from one of the SCRs downloaded via email link (with dll)
The contents of the zip extracted from the VBS (with Dll highlighted)
The contents of the zip extracted from one of the SCRs with its script and dll
Powershell executed by the DOC where the urls contacted to download the DLL are detected
The urls contacted by the DOC running in anyrun sandbox