[EXTERNAL]

From: Program Assessment and Strategic Monitoring <admin@yasashiite.com>
Mar 29, 2026, 6:30 PM
552b2a3b...bd4f9a
completed · Malicious · 99% confidence

The email contains a DOCX attachment themed as a 2026 performance and compensation review for the recipient, a common HR/payroll lure. Deep attachment analysis found an embedded link to an n8n.cloud webhook branded as a secure portfolio/review access page. Browser analysis confirmed the link is malicious: it presents a Microsoft OneDrive-themed verification/download lure on an unrelated domain and redirects to a Zoho-hosted landing page that serves an executable file named statement.exe while advertising a PDF/document. This is a multistage attachment-to-link malware delivery campaign with brand impersonation.

Phishing · Malware Delivery · Multistage · Attachment-Based · Link-Based · Brand Impersonation

URLs analyzed: 1
Malicious URLs: 1
Suspicious URLs: 0
Documents: 1
Artifacts: 3
QR codes: 0

URL Signals

1 analyzed

Malicious · vmail.app.n8n.cloud

https://vmail.app.n8n.cloud/webhook/verify-download

https://download-statement.zoholandingpage.com/my-workspace/statement.exe

Documents

1 processed

Docx · Darrequipment_Staff.docx

1 URLs · 0 QR · 3 artifacts

Authentication

SPF: Pass
DKIM: None
DMARC: Pass

Envelope

From

Program Assessment and Strategic Monitoring <admin@yasashiite.com>

Reply-To

n/a

Attachments

1