Malicious Microsoft Office documents with malicious macros are commonly distributed through phishing emails containing Word and Excel documents with macros. If a Windows computer becomes infected and you are trying to find its source, a good place to check is for malicious documents that have been allowed to run on the computer. When a user opens one of these documents in Microsoft Office, depending on the protection of the document or if the document contains macros, Office will restrict the functionality of the. document unless the user clicks on ‘Enable Editing’ or ‘Enable Content’ buttons.
Source: https://www.bleepingcomputer.com/news/security/windows-registry-helps-find-malicious-docs-behind-infections/