I came across this Talos article about malware that had been engineered to leverage open source tech, github and others. It looks like these specific malware docs had been targeted to specific end-users. They were even written to avoid sandboxing. If Wireshark or Fiddler (fiddler captures HTTP packets and debugs https packets using SSL decryption) were running then the malware halted.
https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29