From the Softpedia article: In the case of this recent spam campaign, double-clicking the warning to detect the document's character set launches a troubleshooting window, which is nothing more than a DIAGCAB file. This file contains a series of automated PowerShell scripts which, according to Proofpoint, download and install the LatentBot backdoor trojan. I assume by now, everyone on Wilders is blocking powershell startup.