To help defend against this threat, the latest QBot infection chain has been documented. Emails used in the most recent campaign carry an HTML file attachment that downloads a password-protected zip archive. The password for opening the ZIP file is shown in the HTML file. Inside the archive is an ISO file which contains a .LNK file, a copy of calc.exe, and two DLL files. When the ISO file is mounted, it displays the .LNK file which is disguised as a PDF holding important information. Clicking this shortcut triggers the infection by executing this spoofed calc.exe through the Command Prompt. When loaded, the application searches for and attempts to load the legitimate Window Codecs DLL file. However, it does not check for the DLL in certain hard coded paths, so it will load any DLL with the same name in the same folder as the executable. Threat actors are taking advantage of this flaw to launch the QBot malware. It should be noted that this sideloading flaw no longer works in Windows 10 and later, which is why Windows 7 is the main target.

https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/