The malware often uses a PHP file that acts as a delivery tool for downloading the host malware dropper:
This type of infected URL is usually spread through malicious emails or through services like social media.
Malicious “JSC Airline” JScript File
Once a victim clicks the URL and loads it, a JScript file downloads to the victim’s computer.
Source: Scuri check