Someone posted this as a link in another thread. Looks like LE swapped out the .txt locktime file with an excel file intended to leak the users IP. The switch was brought up a few days ago here.
Full write-up is below: https://www.reddit.com/r/DankNation/comments/6pi0et/dont_open_the_xlsx_locktime_file_beacon_image/
What's interesting is that there is NO macro code. The vulnerability is simply forcing the client to load an image from a remote server in France (controlled by LE no doubt).
Any vendor who viewed this file without whonix/tails should clean house immediately.
If you didn't hate Microsoft already....