Since the malware research computers are dedicated and for the most automated systems and have special restrictions implemented, there are some clues to be found in that they will typically include various installation like the Python programming/scripting language, software to analyze proxy dumps, HTTP debuggers and network monitors/sniffers.
These programs associates file extensions and in this case, the attackers checked for the presence of associations by these programs and if found no infection would take place. We have seen this before as well with sandbox aware malware which will exit if it detects a sandbox or even VM.
Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time.
More interesting, the exploit also searched for typical consumer associations for audio/video and even the presence of an OEM logo and various DLLs before infecting the system. For a comprehensive list of checks, look here (pretty impressive).
Additionally, in this campaign the actor was ensuring that Internet Explorer was the default browser (with checks on .html).
For more thorough insight into this very advanced exploit, look here.
Microsoft’s security bulletins: Internet Explorer, Edge.