According to FireEye, cyber-attacks relying on malicious Office documents have increasingly leveraged a new technique called VBA Purging. FireEye also noted the availability of a related open-source solution.
Attackers keep only the VBA source code inside the Office documents rather than the compiled code, which improves detection evasion. The malicious documents store their VBA code in streams of Compound File Binary Format (CFBF) files; in Microsoft's terms, VBA macros store their data in a hierarchy made up of several streams.
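As an added illustration (not code from FireEye or from the tool it mentions), the check below decodes the compressed `dir` stream of a VBA project, the CFBF stream that indexes the macro modules, and flags any module whose MODULEOFFSET is 0, meaning the compiled cache that normally precedes the source code in the module stream is absent. It assumes the stream bytes have already been read out of the CFBF container (for example with olefile's `openstream('VBA/dir')`); the sample stream is constructed for the demo, not taken from a real document.

```python
import math

def decompress(data: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer, the encoding of the 'dir' and module streams."""
    if not data or data[0] != 0x01: raise ValueError("missing container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        hdr = int.from_bytes(data[pos:pos + 2], "little")
        end, start, pos = pos + (hdr & 0x0FFF) + 3, len(out), pos + 2   # size counts the header
        if not hdr >> 15:                                # flag bit clear: 4096 raw bytes follow
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags, pos = data[pos], pos + 1              # one flag byte governs the next 8 tokens
            for bit in range(8):
                if pos >= end: break
                if (flags >> bit) & 1:                   # copy token: back-reference into this chunk
                    tok = int.from_bytes(data[pos:pos + 2], "little")
                    pos += 2
                    cur = len(out) - start               # offset/length split depends on position
                    bits = max(4, math.ceil(math.log2(cur))) if cur > 1 else 4
                    length, off = (tok & (0xFFFF >> bits)) + 3, (tok >> (16 - bits)) + 1
                    for _ in range(length):              # copied byte by byte: may overlap itself
                        out.append(out[-off])
                else:                                    # literal token: one plain byte
                    out.append(data[pos])
                    pos += 1
    return bytes(out)

def purged_modules(compressed_dir: bytes) -> list:
    """Module names whose MODULEOFFSET is 0, i.e. no compiled p-code precedes the source code."""
    d, pos, name, hits = decompress(compressed_dir), 0, None, []
    while pos + 6 <= len(d):
        rid, size = int.from_bytes(d[pos:pos + 2], "little"), int.from_bytes(d[pos + 2:pos + 6], "little")
        if rid == 0x0009: size = 6                       # PROJECTVERSION: 'size' is reserved, body is 6 bytes
        body, pos = d[pos + 6:pos + 6 + size], pos + 6 + size
        if rid == 0x0019:                                # MODULENAME (MBCS; latin-1 keeps bytes intact)
            name = body.decode("latin-1")
        elif rid == 0x0031 and int.from_bytes(body, "little") == 0:   # MODULEOFFSET
            hits.append(name)
    return hits

def sample_dir_stream() -> bytes:
    """Constructed 'dir' stream (not from a real document): one purged module, one normal, literal tokens only."""
    rec = lambda rid, body: rid.to_bytes(2, "little") + len(body).to_bytes(4, "little") + body
    raw = (b"\x09\x00\x04\x00\x00\x00\x01\x00\x00\x00\x02\x00" + rec(0x0019, b"Purged") + rec(0x0031, b"\0\0\0\0")
           + rec(0x0019, b"Normal") + rec(0x0031, (0x5A2).to_bytes(4, "little")))
    body = b"".join(b"\x00" + raw[i:i + 8] for i in range(0, len(raw), 8))   # flag 0x00 = 8 literals
    return b"\x01" + ((len(body) + 2 - 3) | 0xB000).to_bytes(2, "little") + body
```

Modules reported by `purged_modules` are a triage signal, not proof of malice: any tool that writes a project without compiling it leaves the same artefact.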
As per FireEye: “Searching with this logic on VirusTotal reveals a large number of malicious documents, meaning this is very prevalent in the wild and in use by attackers.”