Hi,
If you have the audit feature enable (conf file: /etc/zentyal/samba.conf , option: disable_fullaudit), you should see all the traces in the log file '/var/log/syslog'.
Also, you should check the permissions of that file and the directory where is located, just to confirm that everything is correct.
Finally, it might be a Antivirus actions, perhaps this module has detected the XLS file as a threat.
--
“This world is ours, and by the Holy Light we will keep it safe, now and forever".