The fake xlsx attached to the email points to a fake site hosting a zip archive. The archive contains a VBS script that launches a PowerShell command, which downloads the malware. The C2 is the same as RemcosRAT's.
Doctor Web cybersecurity experts: the malware was downloaded from the official Android AppGallery. Its main function is to subscribe users to paid mobile services.
The xz attachment in the email contains an exe, which is the malware itself. It is an info stealer that targets passwords, credit cards and cryptocurrency wallets.
The attack is part of the TA551 (Shathak) campaign. The xlsm file inside the zip attached to the email contacts internal URLs to download the DLL, which starts the malware infection.