1. The recipient opens the attached ZIP file to read the fake document in it.
2. The document contains a macro or some other active content that will unpack the steganographic content.
   This content is typically the keylogger/backdoor Trojan combination used for phishing attacks.
3. The software resides on the recipient’s PC, harvesting keystrokes and sending them to a rogue server somewhere on the Internet in a few days or a week.
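
A defender-side check for steps 1 and 2, as an added example that is not part of the original page: it opens a ZIP attachment in memory and flags every contained Office document that carries VBA macros. The function names, the extension list and the constructed sample archive are assumptions made for illustration.

```python
import io
import zipfile

# Illustrative names and lists (assumptions, not from the original page).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls container
MACRO_EXTS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")  # OLE stream names are UTF-16LE

def has_active_content(name, data):
    """Return a reason string if the document carries macros, else None."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: look for the VBA project stream name in the OLE directory.
        return "OLE VBA storage" if VBA_DIR_NAME in data else None
    if data.startswith(b"PK"):  # OOXML documents are themselves ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as doc:
                parts = [p.lower() for p in doc.namelist()]
        except zipfile.BadZipFile:
            return None
        if any(p.endswith("vbaproject.bin") for p in parts):
            return "OOXML vbaProject.bin"
        if name.lower().endswith(MACRO_EXTS):
            return "macro-enabled extension"
    return None

def triage_attachment(zip_bytes):
    """List (member, reason) for each macro-bearing document in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            reason = has_active_content(info.filename, outer.read(info))
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample():
    """Constructed sample: a ZIP with one macro-bearing and one clean document."""
    def ooxml(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for p in parts:
                z.writestr(p, b"placeholder")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docm", ooxml(["word/document.xml", "word/vbaProject.bin"]))
        z.writestr("notes.docx", ooxml(["word/document.xml"]))
    return buf.getvalue()
```

A password-protected archive makes `outer.read()` raise `RuntimeError`; a mail gateway should treat that case as unscanned rather than clean.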