The xlsx file uses an Excel CVE to contact an IP address and download the payload. The link is no longer active, but several were downloaded during the day.
Technical analysis by the Malware Hunter JAMESWT
Fake DHL shipment carries a new Guloader campaign. The email's Xz attachment contains an executable, the malware itself. This should load other payloads, but it is currently unknown what they are.
A fake DHL booking to send a package is the new lure used by cybercriminals to spread Guloader in a global campaign. The compressed email attachment, in Xz format, contains an executable file, the malware itself.
In theory this should download other payloads, but at the moment it is not possible to determine which ones. In the past, Guloader has been used to deliver different types of information stealers and RATs, such as Agent Tesla / Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria / Warzone RAT and Parallax RAT.
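A mail-gateway check for the delivery pattern described above, an Xz attachment that unpacks to an executable. This is an added example, not code from the original analysis. It assumes the executable is a Windows PE file, and the file names and sample message are constructed.

```python
import email, lzma, struct
from email import policy
from email.message import EmailMessage

XZ_MAGIC = b"\xfd7zXZ\x00"  # first six bytes of every .xz stream

def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def flag_xz_executables(raw_message: bytes, peek: int = 4096):
    """Return [(filename, reason)] for attachments that are XZ streams wrapping a PE."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b""
        if not blob.startswith(XZ_MAGIC):  # go by content, not by file extension
            continue
        try:
            # Decompress only the first bytes: enough for the header, safe against bombs.
            head = lzma.LZMADecompressor(format=lzma.FORMAT_XZ).decompress(blob, max_length=peek)
        except lzma.LZMAError:
            hits.append((part.get_filename(), "malformed xz stream"))
            continue
        if is_pe(head):
            hits.append((part.get_filename(), "xz-compressed PE executable"))
    return hits

def build_sample() -> bytes:
    """Constructed test message: one inert fake-PE attachment, one harmless text attachment."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"
    msg = EmailMessage()
    msg["Subject"] = "Shipment booking (constructed sample)"
    msg.set_content("See attachment.")
    msg.add_attachment(lzma.compress(bytes(stub)), maintype="application",
                       subtype="octet-stream", filename="shipment_docs.xz")
    msg.add_attachment(lzma.compress(b"plain notes"), maintype="application",
                       subtype="octet-stream", filename="notes.xz")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_xz_executables(build_sample()))
```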