The xlsb mail attachment contacts a url and downloads the malware from an opendir, which also contains Ursnif/Gozi and is constantly updated.
Technical analysis by the Malware Hunter JAMESWT
New Guloader campaign via false purchase orders. The email GZ attachment contains a password-protected zip (not provided in the text), with an exe inside: the malware itself. However, it is not known what the next payload is
Guloader is back in a new purchase orders-themed global campaign. The email contains a GZ attachment, which inside contains one compressed in zip format (protected by password “1”, not provided in the text).
Inside the latter there is an executable file, the malware itself. This has been used in the past to carry different types of information stealers such as Agent Tesla / Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria / Warzone RAT and Parallax RAT. At the moment, however, it has not been possible to trace what the next payload is.