The fake pdf attached to the "PURCHASE ORDER 05-30-2023" email contains a link, from which you download a tgz file with a TAR, inside which there is an exe: the malware.
Cybercrime, phishing campaign passes from Boa web server

Technical analysis by the Malware Hunter JAMESWT
Last cybercrime phishing campaign passes from Boa web server. The lure is a fake email on an email closure. It contains a link to update the account via a login page. Also this one is false. The only aim is to steal credentials
New phishing campaign target international users. The lure is a message from a supposed Boa web server address (info@boa.org) on a fake email closure. Inside, there is a request to update the account via a link. It directs the victim to an anonymous login page, in which he has to digit the mail address and the password. Once submitted, he’s redirected to Microsoft Office homepage. The cybercrime actors goal is to steal credentials.