I can tell you exactly how much time a reverse engineer invests in a file that may or may not be malware: Zero seconds. There isn't even close to enough time to start looking at even a tiny fraction of all the potentially dodgy files that make it past the attention of an AV team. And there isn't also any need for this, we do have very sophisticated automated tools that do pretty much what you describe, create a VM environment and run the file. Well, it does a bit more than just run it, but let's keep it at that.
Usually that's enough to flag a file as "interesting", even if the malware code isn't executed in the normal branch for some reason, and this one managed to escape that detection routine. But this is much like the original trojan horse: A great idea the first time, but won't work again. Ever.
(and yes, I know about the video where they showed that people still fall for that most ancient of all tricks)