Microsoft’s SettingContent-ms has become a recent topic of interest. In July, we saw one spam campaign use malicious SettingContent-ms files embedded in a PDF to drop the remote access Trojan FlawedAmmyy, a RAT also used by the Necurs botnet. That campaign was mostly targeting banks in different countries across Asia and Europe.

https://blog.trendmicro.com/trendlabs-security-intelligence/settingcontent-ms-can-be-abused-to-drop-complex-deeplink-and-icon-based-payload/