Hier eine interessante Untersuchung:
https://objective-see.com/blog/blog_0x17.html

Conclusions
Overall this malware sample isn't particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word, (not Apple's Pages)), as well as needs macros to be enabled. Most users know never to allow macros - right!?! Moreover using an open-source implant likely ensures that detection software should detect it - right!?

However let's be nice and give the attackers some credit. By using a macros in Word document they are exploiting the weakest link; humans! And moreover since macros are 'legitimate' functionality (vs. say a memory corruption vulnerability) the malware's infection vector doesn't have to worry about crashing the system nor being 'patched' out.