Technical analysis by the malware hunter JAMMIEST
New purchase order-themed phishing campaign. A fake xls attachment sends the victim to a malicious page that asks for credentials in order to open the file. The objective: stealing them.
New global phishing campaign themed on purchase orders. The victim receives an email carrying what is presented as an xls attachment.
When opened, however, it leads to an HTML file that asks the user to enter a username and password in order to view the document.
In all likelihood these are the e-mail credentials. It was not possible to establish what the next step is, because the page has already been taken down. What is certain is that the goal is to steal the user's username and password, with the fake image of the order as the lure. A genuine spreadsheet never requires e-mail credentials to open, so the prompt itself is the tell; on the mail gateway, the attachment is caught by inspecting its content rather than trusting the declared extension.
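The following is an added example, not code from the article or from the analyst, of the content-versus-extension check described above: it parses a constructed message, pulls out every attachment, detects the real file type from its leading bytes rather than its name, and flags an HTML body that carries a password field. The sender, recipient, filenames, form action and attachment bodies are all made up for the example; nothing here is taken from the actual campaign.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Signatures of the file types the lure pretends to be.
MAGIC = {
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (legacy .xls)
    "xlsx": b"PK\x03\x04",                       # OOXML zip container (.xlsx/.xlsb/.xlsm)
}
SPREADSHEET_EXTS = {"xls", "xlsx", "xlsb", "xlsm"}
HTML_HINTS = (b"<!doctype html", b"<html", b"<script", b"<form", b"<body", b"<meta")
# A credential-harvesting page needs somewhere to type the password.
PASSWORD_FIELD = re.compile(rb"<input[^>]*type\s*=\s*['\"]?password", re.I)


def detect_type(data: bytes) -> str:
    """Classify content as 'xls', 'xlsx', 'html' or 'unknown', ignoring the filename."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    # Skip a UTF-8 BOM and leading whitespace before looking for HTML markers.
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n").lower()[:512]
    if head.startswith(HTML_HINTS) or b"<html" in head:
        return "html"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the detected content type."""
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    return {
        "filename": filename,
        "declared": declared,
        "detected": detected,
        # Claims to be a spreadsheet but is not one: the pattern of this lure.
        "mismatch": declared in SPREADSHEET_EXTS and detected not in MAGIC,
        "credential_form": detected == "html" and PASSWORD_FIELD.search(data) is not None,
    }


def scan_message(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # get_payload(decode=True) always yields bytes, whatever the declared
        # Content-Type, so an HTML part mislabelled as Excel is still inspected.
        findings.append(classify_attachment(name, part.get_payload(decode=True)))
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the lure (hypothetical addresses and filenames)."""
    lure_html = (b"<!DOCTYPE html><html><body>"
                 b"<p>Sign in with your email account to view Purchase Order 4471</p>"
                 b"<form method='post' action='https://example.invalid/po/view'>"
                 b"<input name='user'><input name='pass' type='password'>"
                 b"<button>Open document</button></form></body></html>")
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Purchase Order 4471"
    msg.set_content("Please find the attached purchase order.")
    # The phishing attachment: HTML wearing an .xls name and Excel MIME type.
    msg.add_attachment(lure_html, maintype="application",
                       subtype="vnd.ms-excel", filename="PO_4471.xls")
    # A benign control: a blob that starts with the real OLE2 signature.
    msg.add_attachment(MAGIC["xls"] + b"\x00" * 64, maintype="application",
                       subtype="vnd.ms-excel", filename="real.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The check deliberately trusts neither the filename nor the Content-Type header, both of which the sender controls; only the decoded bytes decide. In a gateway rule, a hit on both `mismatch` and `credential_form` is the signature of this lure and is worth quarantining outright.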