The email's GZ attachment contains a password-protected zip (the password is not provided in the text) with an exe inside: the malware itself. The next-stage payload is not known.
Technical analysis by the Malware Hunter JAMESWT
New global cybercrime campaign to spread LokiBot uses a nested "Chinese box" infection chain and the VelvetSweatshop technique to evade antivirus. The xlsm attachment downloads a doc file, which downloads an executable that starts the malware infection.
LokiBot leverages a nested "Chinese box" delivery chain in a new global malspam campaign. The email contains an xlsm attachment which, if opened, downloads a doc file. This, in turn, downloads an executable that starts the malware infection chain. Moreover, the cybercrime actors behind the attack also use the VelvetSweatshop technique to evade antivirus: the xls document is in fact password-protected, but the user is not asked to enter the password, because Excel silently tries its built-in default password "VelvetSweatshop" when opening an encrypted workbook, so the file opens normally while the encrypted content stays opaque to scanners. The goal is to steal sensitive data from victims, usually companies. LokiBot, in fact, is a banking Trojan with keylogger capabilities, capable of stealing various types of credentials. Furthermore, it can create backdoors to download additional payloads to infected systems.
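A triage check for the VelvetSweatshop pattern described above, added here as an example and not part of the original analysis: an ordinary xlsm/xlsx is a zip, whereas an encrypted one arrives as an OLE compound file wrapping an `EncryptedPackage` stream, so a spreadsheet attachment with an OLE header and that stream name deserves a closer look. The sample byte strings are constructed, not taken from the campaign.

```python
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # plain (unencrypted) OOXML is a zip
# OLE directory entries store stream names as UTF-16LE; this one marks an
# encrypted OOXML package (the container VelvetSweatshop-protected files use).
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")


def classify_office_blob(data: bytes) -> str:
    """Coarse triage label for an Office attachment's raw bytes.

    'ooxml-plain'     -> ordinary zip-based xlsx/xlsm/docx
    'ooxml-encrypted' -> OLE container with an EncryptedPackage stream; if the
                         password is Excel's default 'VelvetSweatshop' the file
                         opens with no prompt, which is the evasion described
    'ole-legacy'      -> OLE container without that stream (old .xls/.doc)
    'unknown'         -> neither magic matched
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plain"
    if data.startswith(CFB_MAGIC):
        # String scan is a triage heuristic; a full check would walk the CFB directory.
        return "ooxml-encrypted" if ENCRYPTED_STREAM in data else "ole-legacy"
    return "unknown"


def is_suspicious_spreadsheet(filename: str, data: bytes) -> bool:
    """Flag a spreadsheet attachment whose bytes are an encrypted OOXML package:
    the extension promises a workbook, the bytes are an OLE wrapper around
    encrypted content, the combination the VelvetSweatshop trick relies on."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in {"xlsx", "xlsm", "xls"} and classify_office_blob(data) == "ooxml-encrypted"


# Constructed samples (not real malware): a bare zip header, an OLE header padded
# to the 512-byte sector size with the EncryptedPackage name inside, and an OLE
# header without it.
SAMPLE_PLAIN = ZIP_MAGIC + b"\x00" * 26
SAMPLE_ENCRYPTED = CFB_MAGIC + b"\x00" * 504 + ENCRYPTED_STREAM + b"\x00" * 96
SAMPLE_LEGACY = CFB_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in [("invoice.xlsm", SAMPLE_PLAIN), ("invoice.xlsm", SAMPLE_ENCRYPTED),
                       ("old.xls", SAMPLE_LEGACY)]:
        print(name, classify_office_blob(blob), is_suspicious_spreadsheet(name, blob))
```

A flagged file can be confirmed by attempting decryption with the default password using a tool such as msoffcrypto-tool, which also yields the inner document for further analysis.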