The malicious attachment usually comes in the form of a ZIP or RAR archive file, and once unpacked, the files sport a .js or .jse extension.
Clicking on them (i.e. running them) starts a process that results in malware – usually ransomware or a banking Trojan – being downloaded on the victim’s computer from a malware-hosting site.
In general, it’s a good idea never to blindly open attachments sent via email, even if they come from someone you know.
Malware can compromise computers and make them send out malicious emails to all of the victim’s email contacts, and cyber criminals can hijack people’s email accounts via phishing or password-stealing malware and do the same.
Checking with the sender before opening the attachment is a good idea, and even then checking with an appropriate tool or service (e.g. VirusTotal) whether the file might be dangerous is an added step that should become practice for everyone.