The gz attachment of the “Payment Advice - Ref: [HSBC1057029141] /RFQ Priority Payment / Customer Ref: [PI10771QT90]” email contains an exe file: the malware.
The fake pdf attached to the “PURCHASE ORDER 05-30-2023” email contains a link that downloads a tgz file; the TAR inside it holds an exe: the malware.
The attachment contains a TAR file with an exe: the malware. Stolen data is exfiltrated via the Telegram API to the same C2 as the “Nieuwe bestelling–100 STUKS ELK” campaign.
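
All three chains above wrap the exe in gz, tgz, or TAR layers, so a mail-gateway or triage check has to unwrap the archive and look at member content rather than file names. The following is an added example, not code from the original report: it unwraps gzip and tar layers in memory and flags members carrying a PE header. The function names, size limits, and sample data are assumptions, and the sample is a constructed signature-only stub.

```python
import gzip, io, struct, tarfile

def is_pe(data: bytes) -> bool:
    """DOS 'MZ' header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_executables(name, data, depth=0, max_depth=5, max_bytes=64 << 20):
    """Unwrap gzip/tar layers in memory; return paths of members that are PE by content."""
    if depth > max_depth:
        return []
    if is_pe(data):
        return [name]
    if data[:2] == b"\x1f\x8b":                       # gzip magic
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            inner = gz.read(max_bytes + 1)            # cap output: decompression bombs
        if len(inner) > max_bytes:
            return []
        return find_executables(name + "!gunzip", inner, depth + 1, max_depth, max_bytes)
    if data[257:262] == b"ustar":                     # tar magic in first header block
        hits = []
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            for m in tar:
                if m.isfile() and m.size <= max_bytes:
                    body = tar.extractfile(m).read()
                    hits += find_executables(f"{name}!{m.name}", body, depth + 1,
                                             max_depth, max_bytes)
        return hits
    return []

def constructed_pe() -> bytes:
    """Constructed 128-byte stub with valid MZ/PE signatures only; not a real program."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)

def constructed_tgz(member="document.dat") -> bytes:
    """Constructed sample: gzip -> tar -> PE stub, with a non-.exe member name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(member)
        info.size = len(constructed_pe())
        tar.addfile(info, io.BytesIO(constructed_pe()))
    return gzip.compress(buf.getvalue())

if __name__ == "__main__":
    print(find_executables("attachment.tgz", constructed_tgz()))
```

Because detection is by header bytes, a renamed member such as `document.dat` is still reported; the PDF-with-link step of the second chain happens outside the attachment and is not covered by this check.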