That would be a logical explanation. Maybe the macro malware is just a dropper and, once executed, it can download the malicious executable that would have a higher ratio on VT.
You changed your nickname again? This one is easier to pronounce. The sample is still in my inbox. I can try and investigate the attachment for you if you'd like and provide some malware analysis insight. I'm a bit bored these days, it'll spice things up.
Send me the attachment download in a PM - if you don't have it, I'll use the VT link and see if I can find the sample myself.