Paradise Ransomware distributors were found to be sending emails posing as offers, orders, or keys. The emails carry IQY attachments that connect to a remote URL when opened. These attachments contain Excel Web Query files that instruct Excel to execute a command and use its output as a data source in an Excel spreadsheet. The files can also import data from remote URLs containing Excel formulas that can launch local applications, such as PowerShell commands, on the victim’s computer. This can make them harder for security software to detect.
Source: https://www.bleepingcomputer.com/news/security/paradise-ransomware-distributed-via-uncommon-spam-attachment/
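
A mail-gateway triage check for the attachment type described above, as an added example that is not from the source article. It assumes the plain-text web query layout (a `WEB` line, a version line, then the URL Excel will fetch); the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage
from urllib.parse import urlparse

def parse_iqy(data: bytes):
    """Return the URL an IQY (Excel Web Query) file would fetch, or None."""
    text = data.decode("utf-8-sig", errors="replace")  # tolerate a UTF-8 BOM
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumed layout: type line "WEB", version line, then the URL to query.
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    url = lines[2]
    return url if urlparse(url).scheme in ("http", "https") else None

def triage_message(raw: bytes):
    """List (filename, url) for every web-query attachment in an e-mail."""
    findings = []
    for part in message_from_bytes(raw).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload is None:
            continue
        name = part.get_filename() or ""
        url = parse_iqy(payload)
        # Flag by content as well as extension: a renamed file still parses,
        # and a malformed .iqy is reported with url=None for manual review.
        if name.lower().endswith(".iqy") or url:
            findings.append((name, url))
    return findings

def build_sample() -> bytes:
    # Constructed sample; example.invalid is a reserved, non-resolving name.
    m = EmailMessage()
    m["Subject"] = "Order 1234"
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m.set_content("Please see the attached order.")
    iqy = b"WEB\r\n1\r\nhttp://example.invalid/data.txt\r\n\r\nSelection=AllTables\r\n"
    m.add_attachment(iqy, maintype="application", subtype="octet-stream",
                     filename="order.iqy")
    return m.as_bytes()

if __name__ == "__main__":
    for name, url in triage_message(build_sample()):
        print(f"quarantine {name!r}: web query to {url}")
```

Because the check keys on file content rather than only the `.iqy` extension, it also reports web query files delivered under a different attachment name.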