The ace attachment contains an exe file: the malware itself. The stolen data is then exfiltrated via smtp.
Technical analysis by the Malware Hunter JAMESWT
New global Dridex campaign with couriers and invoices. The xlsm attachment, if open, contacts a random link from an internal list and downloads the dll that starts the malware infection
Dridex is back in a new global courier and invoice-themed campaign. The email contains an xlsm attachment which, if opened, contacts a random url from an internal list and downloads the dll, which starts the malware infection chain. Dridex is a very dangerous banking Trojan used by cybercrime, which has long been the protagonist of campaigns all over the world, especially with a courier theme. The targets are mainly companies, but not only.
The fake invoice
The internal url list, contacted randomly, to download the dll