However, Microsoft has pached the vulnerability, so…update!
On unpatched systems, the vulnerability is triggered by opening a document that opens a download warning, followed by a download from a malicious server that sends a dangerous document:
The document is a compiled HTML file with an embedded script: Word accepts and runs the script without producing the warning you would expect to see, and without any request for enabling macros.
The downloaded payload seems to be the Dridex banking Trojan.
Dridex is a kind of malware that specializes in stealing bank credentials: once this malicious program infects the target machine it immediately starts fraudulent transactions using the user’s bank credentials found on the system.
Luckily, on tuesday Microsoft has patched the vulnerability: