Options like the Barracuda, or something like FireEye or Cisco's AMP may detect this, but even doing a full virtualized Windows environment like FireEye does (at rather high cost!) can be tricky. How do you reliably detect in dynamic analysis that Word has unpacked an executable if it doesn't do anything?
Dynamic analysis for malware is a great idea but it can definitely be bypassed, usually very trivially. It comes down to the inherent complexity of the computer. There are a lot of ways to pack executables, and there are a lot of ways to make executables appear to not do anything malicious, so even if you use a full environment for dynamic testing it may not be easy to tell whether or not something bad has happened.
On the other hand, what's being delivered does matter, and detection might be better if it had a real payload rather than a demonstration. A direct payload or a request for a second-stage binary are all things that dynamic or static antimalware systems can try to pick up.
Dynamic analysis for malware is a great idea but it can definitely be bypassed, usually very trivially. It comes down to the inherent complexity of the computer. There are a lot of ways to pack executables, and there are a lot of ways to make executables appear to not do anything malicious, so even if you use a full environment for dynamic testing it may not be easy to tell whether or not something bad has happened.
On the other hand, what's being delivered does matter, and detection might be better if it had a real payload rather than a demonstration. A direct payload or a request for a second-stage binary are all things that dynamic or static antimalware systems can try to pick up.