SANS ISC shares some innovative developments for Excel macro based spreadsheets as shared below.  These new malware designs attempt to work around technical AV defenses & better trick users into opening malicious documents.

https://isc.sans.edu/forums/diary/Malicious+Excel+Delivering+Fileless+Payload/26232/

Macros in Office documents are so common today that my honeypots and hunting scripts catch a lot of them daily. I try to keep an eye on them because sometimes you can spot an interesting one.  The Excel sheet is called ‘bill-and-payment-76399.xlsm.

First, you see that there is no workbook_open() macro present. Nothing is executed automatically, which is always a nice anti-sandbox trick. There is a macro assigned to the “Document review” button and the picture: DocumentReview_click(). Here we have two other nice tricks: The malicious code is hidden in the sheet but instead of using a defined range, a specific enumeration method is use. From the attacker perspective, It’s a nice way to generate new documents on the fly (so, with a different hash) just by changing randomly the cells!