Abstract

As Mac systems grow in popularity, so does macOS malware, while macOS malware analysis still lags behind, particularly when dealing with malicious behaviors in user space. To address this shortcoming, we have developed a macOS analyzer for malware, Mac-A-Mal: a system for behavioral monitoring of components at the kernel level that allows analysts to automatically investigate malware on macOS, broadly extending what is available today in the Cuckoo sandbox. By leveraging kernel-level system call hooking, the framework is able to detect and mitigate malware anti-analysis techniques. In particular, it combines static and dynamic analysis to extract useful information and suspicious behaviors from malware binaries and from their monitored behaviors (network traffic, evasion techniques, persistence methods, file operations, etc.) without being detected by common Mac malware evasion techniques. We have used the framework to evaluate thousands of macOS samples in order to estimate how widespread Mac malware variants and families are today (thanks to VirusTotal). Mac malware in 2017 shows a drastic improvement in its use of evasion techniques. Overall, we used our system to classify the dataset and found that 85% of the collected samples are adware and 49% of the classified variants belong to the backdoor/trojan category. By hunting Mac samples on VirusTotal, we found a previously undiscovered organized adware campaign that leverages several legitimate Apple developer certificates, a few other undetected keyloggers, trojan samples participating in the APT32 OceanLotus campaign targeting Chinese and Vietnamese organizations, and hundreds of malware samples that otherwise have low detection rates.