There is little official documentation that can be searched for. The earliest references indexed by Google seem to come from 2012 but not much earlier.
There is more information and a further call for collaboration or corrections on what is documented on the Pishme GitHub README.
The structure is partially reversed engineered by phishme on GitHub. Once decoded from Base64 the magic number of the format is: 41 63 74 69 76 65 4d 69 6d 65 00 00 - 'ActiveMime' + null terminators.
- Python Amime: Library for working with ActiveMime
- XML: A New Vector For An Old Trick describing malware distribution with an ActiveMime binary payload
- Evolution of Dridex
- Decalage Python code for extracting data from ActiveMime
- Cyren Article on ActiveMime
- Malicious Macros Evades Detection Using Unusual File Format
- Early MSDN forum post asking about ActiveMime