Mariusz Banach proposes a taxonomy for phishing payloads based on real-world observations of adversary behaviour. He represents it as DELIVERY(CONTAINER(TRIGGER + PAYLOAD + DECOY)) where:
Delivery is the technique used to deliver the package to the victim.
Container is the container format used to package the files.
Trigger is the means to trigger payload execution.