The infection chain starts with an URL in the email body that downloads a zip archive containing an Excel file that uses XLM 4.0 macros to download the 2nd stage from the compromised web servers.