DanaBot loader uses HTML smuggling

This email has an unusual way to store contained malware. The email[1] displays polish text which prompts the user to click on a download link. The translated text says "This file can not be previewed. You can download the file."

The <a> tag for this link has a download attribute with the name of the dropped ZIP archive: dokumentacja_28380.zip[2]. However, the referenced data in the href attribute is not downloaded from a URL but saved as a base64 string using the data URI scheme. This is also called HTML smuggling (thanks to Rich Warren who gave me a hint to the blog post).