There are a few cases where simply downloading a file without opening it could lead to execution of attacker controlled code from within the file. It usually involves exploiting a known vulnerability within a program which will handle the file in some way. Here are some examples, but other cases are sure to exist:
- The file targets a vulnerability in your antivirus which triggers when the file is scanned
- The file targets a vulnerability in your file system such as NTFS where the filename or another property could trigger the bug
- The file targets a bug which can be triggered when generating a file preview such as PDF or image thumbnail
- A library file (ex. dll) could get executed when saved to the same directory where an application vulnerable to binary planting is executed from
- The file is a special file that can change the configuration of a program such as downloading a .wgetrc file with wget on Linux
- …and more
Windows will try to extract information from the file to display the icon and preview when looking at the folder inside explorer. One example was the Windows Metafile Vulnerability which could be exploited only by previewing the file in explorer.
Another attack vectors is the builtin Windows Search. To extract the information necessary for a full text search Windows will scan the files in the background and use the file parser to extract the content. A bug in the file parser can thus lead to code execution.
Also, if the path is known to an attacker (i.e. inside the default download folder) opening could be enforced by embedding the file as image, flash file, PDF etc using a file:///...
link inside a web page you visit.
External References
“Can malicious code trigger without the user executing or opening the file?“, StackExchange Security