Some more info from (1):
The new Netwalker phishing campaign is using an attachment named "CORONAVIRUS_COVID-19.vbs".
Related:
Also from (2):
APT36 uses two lure formats in this campaign: Excel documents with embedded malicious macros and RTF documents files designed to exploit the CVE-2017-0199 Microsoft Office/WordPad remote code execution vulnerability.
from (3) .Ransomware Gangs to Stop Attacking Health Orgs During Pandemic