The XLS email attachment contacts a single link and downloads the DLL, activating the malware infection, provided that the IP is Italian and not on the blacklist.
Technical analysis by the Malware Hunter JAMESWT
WSH RAT is spread by cybercrime, bundled with SlimPDF Reader
WSH RAT is being spread by cybercrime, bundled with SlimPDF Reader. The vector is an email with a fake CV attached. The file is, in fact, an EXE. If opened, it requires the victim to install the Reader. Meanwhile, a JS script activates the malware infection chain. It's a variant of the VBS-based Houdini Worm, first created and spread in 2013. The RAT allows operators to steal browser and email client passwords, remotely control the targeted computer, upload, download, and execute files, and run remote scripts and commands.