Reader Robert submitted a malicious document. It just happens to be a maldoc with the payload hidden in a user form, as discussed in diary entry “Maldoc: Payloads in User Forms” last weekend.
I’m using plugin plugin_stream_o to view the payload.
This output is more user-friendly: it’s a XLS/XLST file with malicious JScript: a downloader:
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.