Traditional malware contains the bulk of its malicious code within an executable file saved to the victim’s storage drive. Fileless malware only uses the initial ‘dropper’ file (usually an Office document or something similar) to open up a built-in system management tool like PowerShell and run a short script. The most common method (by far) is enabling and then using the xp_cmdshell procedure. WatchGuard Threat Lab recently identified an ongoing infection that used the latter technique.
Source: https://www.helpnetsecurity.com/2021/01/04/fileless-malware/