Sure. Whether they’re effective and actually able to execute is another question.
A simple way might simply be to put an actual executable in the file instead, and when a user double clicks to open it it’ll run instead. Or there’s stuff to hide in metadata that could exploit particular players, or even some OS preview systems, and get execution that way.
But…..really pretty unlikely. Possible definitely, but you’d have to go through a lot of effort to get hit by something.