The "PAYMENT CONFIRMATION.HTML" attachment of the "PAYMENT SLIP" email links to a fake site presented as the place to download the document. Goal: steal passwords.
The ZIP attachment of an email about a fake invoice contains an ISO file with an EXE inside: the malware. The stolen data is exfiltrated via SMTP to an email address.
The ACE attachment of the email, which simulates an invoice, contains an EXE: the malware. Stolen data is exfiltrated via the Telegram API, the same as in the last wave.