Compressed email attachments, as different as each message, contain an exe. This is the loader, which contacts a url and should download an unknown malware.
The gz attachment contains VBS which contacts 2 urls of the same domain and downloads scripts, executing the final malware. Data is exfiltrated via Telegram API.
The r19 attachment of an email about a SWIFT transfer contains an exe: the loader, which should contact a link and download the final payload. At the moment, however, this is unknown.