Some DOCX samples today had the VBA script payload embedded into OLE objects in the DOCX. To a user this looks like document icons in the Word file, and for file analysis they are in the DOCX zip under word/embeddings (Thanks Brian!). After doing a few of these manaully, and then dynamically fighting with the Office debugger to get the indicators out of them individually, I took a moment to try and automate at least part of the process.
Loop through samples in a directory, yank all of the embedded OLE objects, and scan them for likely VBA script with Yara
$ for file in efax/*.docx ; do unzip -qq -o -j $file "word/embeddings*" ; \
for y in `ls oleObject*`; do echo -n "$file "; \
yara -f -w vbaoleobj.yara $y;done; rm -f oleObject* ; done