For the past couple of years, Office documents have largely replaced exploit kits as the primary malware delivery vector, giving threat actors the choice between social-engineering lures and exploits, or a combination of both.

https://blog.malwarebytes.com/malwarebytes-news/2018/12/new-flash-player-zero-day-used-russian-facility/