The xls attachment of the mail, also arrived in Italy, randomly contacts a link from an internal list and downloads the dll, starting the malware infection.
Tecnical analysis by the Malware Hunter JAMESWT
Ursnif / Gozi is now delivered with the IcedID template. The attack is part of the TA551 (Shathak) campaign. The xlsm file in the email zip attachment contacts internal URLs to download the dll and start the malware infection
Ursnif / Gozi now uses the IcedID template to spread. The xlsm file, contained in the email zip attachment, contacts a series of urls from an internal list to download the dll, which starts the malware infection chain.
Moreover, the cybercrime attack is part of the TA551 campaign (aka Shathak). In the past, this has conveyed Ursnif / Gozi and the info-stealer Valak, to switch to IcedID in January 2021. In this case it seems, in fact, that the systems of the two Trojans were mixed.