Introduction

The first part of this analysis presented the two types of macro-enabled documents with a PowerShell downloader that were spreading via email in a recent campaign. The PowerShell downloaders and/or the macros were slightly obfuscated; however, it was easy to defeat this obfuscation and reveal their purpose. Unfortunately, during my analysis the downloaded content was not present on the involved servers, and in most cases it was not available even during the analysis on sandboxes like Any.