
> Invoice-Jan-2017.docx

uh, docx files can hack my PC now?

Is this a bug in MS Word, or does the docx format really have the ability to become a virus?



There are exploits for pretty much every file format in existence. [1] There are also exploits that work by just having the e-mail arrive in your e-mail client without you having to even open the message. In fact the e-mail may not even reach your computer if you use some corporate proxy which has anti-virus installed. Project Zero revealed just recently a Norton/Symantec flaw where just sending the e-mail is enough for code execution. [2]

[1] Almost none of these are zero day though, so if you're up-to-date you'll be fine.

[2] https://googleprojectzero.blogspot.com.ee/2016/06/how-to-com...


It is a feature [0]. Microsoft Office products allow for "macros", which are Visual Basic code embedded within a document or a worksheet that can be used by developers to add extra functionality to their MS files (e.g. validate all data in a worksheet after a user clicks a specific button in the worksheet).

Just like any programming language, it could be used maliciously, and there is no easy way to distinguish which macro-enabled file is safe and which isn't (without going through the code yourself prior to enabling the functionality).

[0] https://support.office.com/en-us/article/Enable-or-disable-m...


For this exact reason docx macros are disabled by default and you have to do some enabling. Presumably there are also more sophisticated exploits that don't rely on the user dismissing multiple security warnings.


These viruses show a blank docx file in macro-disabled mode with only one image, which says "Enable macros to view secure invoice" and shows a picture guide on how to enable macros. Some of them have better instructions than the user guides I write for my users.


Still, some user intervention is required. Assuming you found a vulnerability in Office, it'd be preferable to have a vector where the user just had to open the file.


Normally docx viruses are simply VBA scripts, but sometimes they exploit an ActiveX embed or image rendering bug.

However, other times things like browsers do dumb stuff:

docx files and Silverlight files are both just zip files with completely different structures, meaning they can live together in the same file.

IE used to look at txt files that contained HTML tags and say "hmm, maybe I should display that as HTML".

That meant on sites that accepted txt and docx uploads (a lot of recruitment sites etc.) you could upload a txt file that simply embedded the docx as a Silverlight component. When the admin looked at the txt file it would run the code as the currently logged in (admin) user.


An extraordinary amount of Cryptolocker outbreaks were due to .docx files containing macros.

Yes, it has a default behaviour of "prompt to execute macros", but it happily shows the advice in the malicious document to "please click yes at this prompt to get a free iPhone", at which point the majority of users click "yes".


I think Swift on Security posted a tweet about this a while ago, with a screenshot of completely banning all Office macros via group policy.


Office macros are really useful, though.


.docx files can't contain macros


Correction: It's .doc files I've seen the majority of this behaviour in.


.docx files could contain macros just fine.


They cannot. Anything that has macros has to be docm.


Sorry, my bad. I meant files in OOXML format.


Probably .docx.exe or .docm (or whatever the macro enabled document extension is).
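An added example, not part of the thread: a triage check that decides whether an OOXML attachment carries a VBA project by looking inside the zip package instead of trusting the extension debated above. The function names and the sample packages are constructed for this illustration; the content-type strings are the standard OOXML ones.

```python
import io
import zipfile

# Standard OOXML content types for Word main parts and the VBA project part.
DOCX_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Report macro indicators in an OOXML package, ignoring what the extension claims."""
    result = {"is_zip": False, "vba_parts": [],
              "macro_content_type": False, "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE2 .doc or not an Office package: needs a different parser
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # A VBA project is stored as a binary part, normally word/vbaProject.bin.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = MACRO_MAIN_TYPE in types or VBA_PART_TYPE in types
    has_macro = bool(result["vba_parts"]) or result["macro_content_type"]
    # Flag a package that looks macro-enabled but is named like a plain .docx.
    result["extension_mismatch"] = has_macro and filename.lower().endswith(".docx")
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for the demo; not a valid Word document."""
    main = MACRO_MAIN_TYPE if with_macro else DOCX_MAIN_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for macro in (False, True):
        print(macro, inspect_ooxml(build_sample(macro), "Invoice-Jan-2017.docx"))
```

A file that is not a zip at all (such as a legacy .doc) returns `is_zip: False` and has to be examined with an OLE2-aware tool instead.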



