call ds:__imp__FDICreate (creates context for extracting Microsoft .CAB Cabinet files)
...
push offset pszCabPath
call ds:__imp__FDICopy
You should see memory for the Cabinet (or CAB archive-file format) recognized by their first four bytes (also called their magic number) MSCF
After the FDICopy you'll see extracted files (possibly .exe malware) in the file path that was in pszCabPath
