Can malware run by a user without admin or sudo privileges harm my system?

Most normal users can send mail, execute system utilities, and create network sockets listening on higher ports. This means an attacker could

  • send spam or phishing mails,
  • exploit any system misconfiguration only visible from within the system (think private key files with permissive read permissions),
  • set up a service to distribute arbitrary contents (e.g. porn torrent).

What exactly this means depends on your setup. E.g. the attacker could send mail looking like it came from your company and abuse your server's mail reputation; even more so if mail authentication features like DKIM have been set up. This works till your server's rep is tainted and other mail servers start to blacklist the IP/domain.

Either way, restoring from backup is the right choice.
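
The misconfiguration named in the answer above, private key files with permissive read permissions, can be audited for directly. The script below is an added example, not part of the original answers; the function names `audit_key_perms` and `tighten_key_perms` and the 64 KiB size cutoff are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find private-key files that accounts other than the owner
# can read, and optionally remove that access.
# Assumptions: keys are PEM or OpenSSH text files smaller than 64 KiB, and
# no file name contains a newline.

# Print the path of every file under the given directories that
#   (a) has the group-read or other-read permission bit set, and
#   (b) contains a PEM/OpenSSH private-key header line.
audit_key_perms() {
    # find exits non-zero when grep matches nothing in a batch or when a
    # directory is unreadable; both are normal during an audit run.
    find "$@" -xdev -type f \( -perm -040 -o -perm -004 \) -size -65536c \
        -exec grep -lE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' {} + \
        2>/dev/null || true
}

# Strip group and other access from every file the audit reports.
tighten_key_perms() {
    audit_key_perms "$@" | while IFS= read -r f; do
        chmod go-rwx -- "$f" && printf 'tightened: %s\n' "$f"
    done
}

# When called with directories as arguments, report findings only.
if [ "$#" -gt 0 ]; then
    audit_key_perms "$@"
fi
```

Run it over home directories and service configuration directories; a key that shows up in the report should be treated as exposed to every local account, including a compromised unprivileged one.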


Most of the answers are missing the two key words: privilege escalation.

Once an attacker has access to an unprivileged account, it's much easier for them to exploit bugs in the operating system and libraries to obtain privileged access to the system. You shouldn't assume that the attacker used only the unprivileged access they originally obtained.


A rm -rf ~ or something alike would be pretty catastrophic, and you don't need root privileges.