The attachment, if opened, contacts the first available url from a list within it to download the malware from one of the three Epoch botnets.
Technical analysis by the Malware Hunter JAMESWT
Quakbot hits again with new email and link. The malware infection chain is activated by the xls attachments. It contacts a link that downloads a PNG picture. This one is renamed as .exe and then executed
Quakbot hits again in it’s global campaign. There are new malicious mail on the wild, spread by cybercrime with the usual template and an xls attachment. The objective is to let the victims download and install it. The file contacts a link that starts the malware infection chain. In fact, it downloads a PNG picture that is renamed as .exe and then executed. The malware is a modular banking trojan known to target businesses to steal money from their online banking accounts. It features worm capabilities to self-replicate through shared drives and removable media. The code uses powerful information-stealing features to spy on users’ banking activity.
The fake xls document