See if you can figure out from Avast where the offending file is located. Many apps these days are just WebKit apps (a stripped-down Safari). If the file turns out to be in the Instagram web cache, then you might be onto something. It could be a script on an Instagram site.
But regardless, such a script is only going to run while your web browser is active and on that site. Safari's Top Sites feature complicates this issue somewhat. I don't know anything about the Instagram app, but I highly doubt it would run JavaScript while the app wasn't running and you weren't on that offending page.
But a really key issue here is that this is just a script. It may not be running on your machine at all - ever. Avast is just reporting the presence of the file. AV companies like to scan your whole disk and report only anything they find, anywhere, that could be a threat to someone, somewhere. That SPAM email you got 3 years ago and forgot to delete has a Windows virus attached. The only safe move is therefore to corrupt your mail database to keep you from accidentally forwarding that e-mail to your Windows friends and infecting them.
What they are doing is taking advantage of end-users' lack of knowledge about how different operating systems work. In most cases, just having files sitting on your disk is harmless - even if they are really malware! There has to be some specific way to trigger them so they can run. There are only a handful of Mac security apps that only look for those triggers instead of scanning your entire disk.
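The trigger check described above, as an added example that is not part of the original post: given the path an AV tool reports, it looks for a launchd job that would actually run that file, and otherwise notes whether the file is only stored data. The folder list, the file names and the sample home folder are constructed assumptions, and launchd agents are only one kind of trigger.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed examples of per-user folders that hold stored data, not launch items.
DATA_DIRS = ("Library/Caches", "Library/Mail")

def launch_references(flagged, agent_dirs):
    """Return launchd job plists whose command line mentions the flagged file."""
    hits = []
    for folder in agent_dirs:
        for plist in sorted(Path(folder).glob("*.plist")):
            try:
                with open(plist, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception:
                continue  # unreadable or malformed plist, nothing to inspect
            if not isinstance(job, dict):
                continue
            args = job.get("ProgramArguments")
            words = [job.get("Program", "")] + (args if isinstance(args, list) else [])
            if any(str(flagged) in str(w) for w in words):
                hits.append(plist.name)
    return hits

def triage(flagged, home, agent_dirs):
    """Classify an AV hit: launched by launchd, stored data, or no trigger found."""
    refs = launch_references(flagged, agent_dirs)
    if refs:
        return "launch item: " + ", ".join(refs)
    if any(str(flagged).startswith(str(Path(home) / d) + "/") for d in DATA_DIRS):
        return "stored data, no trigger found"
    return "no trigger found"

def demo():
    """Build a constructed home folder and triage two flagged files in it."""
    home = Path(tempfile.mkdtemp())
    agents = home / "Library/LaunchAgents"
    cached = home / "Library/Caches/com.example.app/WebKit/ad.js"
    helper = home / "Library/Application Support/helper.sh"
    for p in (cached, helper):
        p.parent.mkdir(parents=True)
        p.write_text("// constructed sample\n")
    agents.mkdir(parents=True)
    with open(agents / "com.example.helper.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "ProgramArguments": ["/bin/sh", str(helper)]}, fh)
    return triage(cached, home, [agents]), triage(helper, home, [agents])

if __name__ == "__main__":
    print(demo())
```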