According to a notice by CERT-UA, the emails are sent using compromised accounts and come with a zip file which is actually a polyglot file containing a bait document and a JavaScript file. An executable file, which paves the way for the execution of the SmokeLoader malware, is then launched using the JavaScript code.
CERT-UA attributed this activity to a threat actor identified as UAC-0006, describing this as a financially motivated operation designed to steal login credentials and make fraudulent money transfers.
SmokeLoader was first discovered in 2011. It is a loader whose main purpose is to download or load a more stealthy or effective malware onto infected systems.