The zip attachment in the email contains an exe file, which is the malware itself. If opened, it starts the infection. It then steals information and exfiltrates it via email.
Technical analysis by the Malware Hunter JAMESWT
WSH RAT is spread by cybercrime bundled with SlimPDF Reader
WSH RAT is being spread by cybercrime, bundled with SlimPDF Reader. The vector is an email with a fake CV attached. The file is in fact an exe. If opened, it requires the victim to install the Reader. Meanwhile, a JS script activates the malware infection chain. It's a variant of the VBS-based Houdini Worm, first created and spread in 2013. The RAT allows operators to steal browser and email client passwords, control the targeted computer remotely, upload, download, and execute files, and execute remote scripts and commands.
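A mail-gateway style check for the delivery pattern described above (a zip or "CV" attachment that is really an exe), shown as an added example that is not part of the original analysis. The file names, sample bytes and extension list are constructed assumptions, and the check for a PE header hidden behind a document extension goes slightly beyond the case in the text.

```python
import io
import os
import zipfile

# Assumed list: extensions Windows runs directly or passes to Windows Script Host.
RISKY_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf"}

def scan_zip_attachment(data: bytes) -> list:
    """Return (member name, reason) for every executable-looking zip member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            # Encrypted members cannot be read without the password: name check only.
            encrypted = bool(info.flag_bits & 0x1)
            magic = b""
            if not encrypted:
                with zf.open(info) as fh:
                    magic = fh.read(2)
            if magic == b"MZ":
                reason = "PE header (MZ)"
                if ext not in RISKY_EXTS:
                    reason += f", disguised by extension {ext or '(none)'}"
                findings.append((info.filename, reason))
            elif ext in RISKY_EXTS:
                findings.append((info.filename, f"script/executable extension {ext}"))
    return findings

def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip from constructed sample members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed, harmless samples: a 2-byte MZ marker plus padding, not real malware.
FAKE_CV = build_sample_zip({"CV_applicant.exe": b"MZ" + b"\x00" * 62})
DISGUISED = build_sample_zip({"CV_applicant.pdf": b"MZ" + b"\x00" * 62})
BENIGN = build_sample_zip({"CV_applicant.pdf": b"%PDF-1.4\n"})

if __name__ == "__main__":
    for label, blob in (("fake CV", FAKE_CV), ("disguised", DISGUISED), ("benign", BENIGN)):
        print(label, scan_zip_attachment(blob))
```

Checking the first bytes as well as the extension matters because a renamed executable still carries its `MZ` header, while a script dropper such as the JS stage mentioned above is only identifiable by name.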