Step 1) Start an AMSI ETW trace from an elevated command prompt
logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets
Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-memory assembly loads.
Step 3) Stop the AMSI trace
logman stop AMSITrace -ets
Step 4) If AMSI events were collected, pull out their contents. In most cases, the content will be Unicode-encoded (.NET assembly loads being the exception). Here's a super dirty one-liner to dump collected AMSI trace data:
Get-WinEvent -Path .\amsi.etl -Oldest | ? { $_.Id -eq 1101 } | % { [Text.Encoding]::Unicode.GetString($_.Properties[-3].Value) }
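
A more structured take on the Step 4 one-liner, as an added example that is not from the original post: it reads the same content field (Properties[-3]), but detects .NET assembly loads by their MZ header instead of decoding them as text, and records a SHA-256 of every scanned buffer for triage. The function name and the positions of the appname and contentname fields (indexes 3 and 4) are assumptions.

```powershell
# Added example, not from the original post.
# Assumption: event 1101 fields are ordered session, scanStatus, scanResult,
# appname, contentname, contentsize, originalsize, content, hash, contentFiltered.
function Get-AmsiTraceContent {
    param([Parameter(Mandatory)][string]$Path)

    Get-WinEvent -Path $Path -Oldest |
        Where-Object { $_.Id -eq 1101 } |
        ForEach-Object {
            $p     = $_.Properties
            $bytes = [byte[]]$p[-3].Value          # same field the one-liner reads
            if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }

            # .NET assembly loads carry a raw PE image. UTF-16 text that begins
            # with "MZ" would be 4D 00 5A 00, so checking for 4D 5A is unambiguous.
            $isPE = $bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A

            $text = $null
            if (-not $isPE) {
                $text = [Text.Encoding]::Unicode.GetString($bytes)
            }

            # Hash the raw buffer so text and binary captures can both be tracked.
            $sha  = [Security.Cryptography.SHA256]::Create()
            $hash = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-'
            $sha.Dispose()

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ProcessId   = $_.ProcessId
                AppName     = $p[3].Value          # assumed index, see header comment
                ContentName = $p[4].Value          # assumed index, see header comment
                Size        = $bytes.Length
                IsAssembly  = $isPE
                SHA256      = $hash
                Content     = $text                # $null for assembly loads
            }
        }
}

# Runs only if the trace from Step 3 is in the current directory.
if (Test-Path .\amsi.etl) {
    Get-AmsiTraceContent -Path .\amsi.etl | Format-List
}
```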