• The concern is valid. It's a typical technique in spear phishing attacks.

    By being stored, it won't affect SQL Server. SQL Server is not opening the document. I know that's not your primary concern, but I'm stating it explicitly for others who might be reading the thread.

    There are a couple of ways to handle this:

    1) Write the file to a file system where it's scanned before it gets put in SQL Server. Best, but requires retrofitting a solution, most likely.

    2) Have a process that looks at files recently posted/updated, extracts them so they can get scanned. Non-intrusive, but allows the possibility that an infected file will be grabbed before it is scanned.

    Do realize that AV is not the whole answer. Most of the intrusions we're seeing nowadays have files that successfully pass the AV scans. Therefore, updated and working AVs don't detect them and the computers are still infected. So make sure everything else is up to spec, too.

    K. Brian Kelley
    @kbriankelley
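
Option 1 from the reply above (stage the file on disk, scan it, and only then store it), sketched as an added example that is not part of the original post. It assumes ClamAV's `clamscan` as the scanner and uses `sqlite3` as a stand-in for SQL Server; the `documents` table, its columns and the function names are hypothetical.

```python
import hashlib, os, sqlite3, subprocess, tempfile

def clamscan_clean(path):
    # Assumed scanner: ClamAV clamscan exits 0 = clean, 1 = infected, 2 = error.
    rc = subprocess.run(["clamscan", "--no-summary", path]).returncode
    if rc not in (0, 1):
        raise RuntimeError(f"scanner error, exit code {rc}")
    return rc == 0

def make_db():
    # sqlite3 stands in for SQL Server; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents "
               "(id INTEGER PRIMARY KEY, name TEXT, sha256 TEXT, content BLOB)")
    return db

def store_upload(db, name, data, scan=clamscan_clean, staging_dir=None):
    """Stage on disk, scan, insert only on a clean verdict. Returns row id or None."""
    fd, path = tempfile.mkstemp(dir=staging_dir, suffix=".upload")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        try:
            clean = scan(path)
        except Exception:
            clean = False  # fail closed: scanner error or file removed by on-access AV
        if not clean:
            return None
        # Keep the hash so a file that passed today's scan can be found again later.
        cur = db.execute("INSERT INTO documents (name, sha256, content) VALUES (?, ?, ?)",
                         (name, hashlib.sha256(data).hexdigest(), data))
        db.commit()
        return cur.lastrowid
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass  # already quarantined or deleted by the scanner

def demo():
    # Constructed stub scanner: flags a made-up marker instead of calling real AV.
    def stub(path):
        with open(path, "rb") as fh:
            return b"CONSTRUCTED-BAD-MARKER" not in fh.read()
    db = make_db()
    ok = store_upload(db, "report.docx", b"constructed clean bytes", scan=stub)
    bad = store_upload(db, "invoice.docx", b"xx CONSTRUCTED-BAD-MARKER xx", scan=stub)
    return ok, bad, db.execute("SELECT COUNT(*) FROM documents").fetchone()[0]
```

A scanner error is treated the same as a detection, so nothing reaches the table without an explicit clean verdict.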