Many strains of malware communicate with a command & control (C&C) server, which collects information and can send specific instructions to execute on an infected client. Most often, the malware communicates directly with the server, but this traffic can be detected and the server traced.
To avoid detection, malware authors often use an intermediary step that seems innocuous to anyone looking at the network traffic coming from the client. Some have used a Twitter account for communicating: the client sends information to the server by posting an encoded message to a dummy account, and the client checks the server’s “tweets” on that account for new instructions.
The malware exploits the document viewer functionality to preview the content of a file at a remote URL. Essentially, the client checks a document posted by the server and executes functions based on the document's content. The client could then write to the same document to send results or status back to the server.
The communication lines are unlikely to be blocked, since many companies allow, or even rely on, Google Docs.
Hopefully Google will come up with a way to block this type of action without disrupting legitimate usage.
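Where blocking the service is not an option, defenders can look at how the viewer is being used rather than whether it is used. The sketch below is an added example, not code from the original post: it scans proxy logs for a client that fetches the same remote host through the viewer at near-constant intervals, which is what automated polling looks like and what a person previewing documents does not. The log format, the viewer host, path and `url` parameter name, the thresholds, and the availability of full request URLs (which needs a TLS-inspecting proxy) are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlsplit

# Assumed viewer endpoint and parameter name; adjust to the service you monitor.
VIEWER_HOST, VIEWER_PATH, REMOTE_PARAM = "docs.google.com", "/viewer", "url"
# Constructed sample log: "<epoch seconds> <client ip> <requested url>"
SAMPLE_LOG = """\
1000 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2Ffiles.example.net%2Fa.doc
1300 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2Ffiles.example.net%2Fa.doc
1601 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2Ffiles.example.net%2Fa.doc
1900 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2Ffiles.example.net%2Fa.doc
2199 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2Ffiles.example.net%2Fa.doc
1040 10.0.0.9 https://docs.google.com/viewer?url=https%3A%2F%2Fintranet.example.org%2Fq3.pdf
5400 10.0.0.9 https://docs.google.com/viewer?url=https%3A%2F%2Fintranet.example.org%2Fq4.pdf
1100 10.0.0.9 https://docs.google.com/document/d/abc/edit
not a log line
"""

def remote_target(url):
    """Return the host embedded in a viewer request, or None for other URLs."""
    parts = urlsplit(url)
    if parts.hostname != VIEWER_HOST or not parts.path.startswith(VIEWER_PATH):
        return None
    values = parse_qs(parts.query).get(REMOTE_PARAM)
    return urlsplit(values[0]).hostname if values else None

def find_polling(log_text, min_hits=5, max_jitter=0.1):
    """Flag (client, remote host) pairs fetched at near-constant intervals."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # skip malformed lines
        target = remote_target(fields[2])
        if target:
            seen[(fields[1], target)].append(int(fields[0]))
    flagged = []
    for (client, target), times in sorted(seen.items()):
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(times) < max(min_hits, 2) or mean(gaps) <= 0:
            continue  # too few requests to judge regularity
        if pstdev(gaps) / mean(gaps) <= max_jitter:  # low relative spread
            flagged.append((client, target, round(mean(gaps))))
    return flagged

if __name__ == "__main__":
    print(find_polling(SAMPLE_LOG))
```

A flagged pair is a lead for triage, not a verdict: check which process on the client issued the requests and whether the embedded host has any business reason to be previewed on a schedule.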