Users who click on these links will be redirected to the hacked page, thereby executing malicious JavaScript code in the background and moving the user to a series of pages until downloading a Word file.
Date-redirected URL strings are used for malicious ad campaigns, taking users from maliciously advertised pages to phishing tools, phishing technical support or counterfeit software updates.
Basically, Zeus Panda incorporates SEO spam botnet (including hacked key pages to increase the SEO reputation of other sites) with a unique ad-redirect chain - familiar exploit tool.
The Word file that users download will be similar to what you get through spam emails. The difference is just how it gets into your computer.
This Word file will be based on users turning on the executable macro, starting a script sequence to install a new variant of the Zeus Panda banking trojan, analyzed by G Data here.https://cyber.wtf/2017/08/03/zeus-panda-down-to-the-roots/
Cisco Talos - who discovered the Zeus Panda banking distribution campaign via malicious advertising with this SEO - also released a detailed report, including Google queries that infected pages will display and inform. Add more about the new variant of Zeus Panda.http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
See also: 10 most effective antivirus software for Windows 2017