Is it possible for a file that is non-executable and read-only to run malicious code?

Yes, something just has to execute it. The X flag hints to the shell that it can be directly executed, but that doesn't stop other programs from executing it if they know how.

For example, if you have a file a.sh which is not executable to the shell, you can execute it by calling bash a.sh (which tells bash explicitly to execute it). If you have a non-executable file a.py, you can execute it by calling python a.py. I'd imagine there's also a way to tell the OS to execute a binary ELF file, but I don't know the command offhand.

There is also a whole class of things which don't require you to do anything in particular to make them execute malicious code. PDFs and Adobe Flash files in particular have had some well-known holes which allowed the simple act of reading a file to execute malicious code. There are also some files which, in specific places, can be auto-executed (especially on Windows). Also, if the file is compressed, it may contain a buffer-overflow virus for the decompressor. The file also may be even more malicious, taking advantage of a yet-unknown bug in the file system or something else really low-level.

Bottom line: the only way to guarantee something won't infect your computer is to never do anything with anything.


Let's say you have the file myscript containing the following:

  #!/bin/bash
  echo "Hello, World!"

If you make this file executable and run it with ./myscript, then the kernel will see that the first two bytes are #!, which means it's a script-file. The kernel will then use the rest of the line as the interpreter, and pass the file as its first argument. So, it runs:

     /bin/bash myscript

and bash reads the file and executes the commands it contains. Another way of executing a file without the execute bit set is:

     . myscript

A dot followed by a space and then the name of the file.

Thus, for bash (or whatever interpreter your script requires) to "execute" the script, it only needs to be able to read the file.

So, for scripts, the execute bit just makes it a bit more convenient to execute it. As long as bash is executable, you can always run bash with the script file as argument.
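
The behaviour described in the two answers above, as an added example that is not part of the original posts: a script with mode 0444 is refused when executed directly but runs when handed to sh or sourced with a dot. The temporary file, its contents and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example with constructed sample data: a script that is read-only and
# has no execute bit (mode 0444) still runs once an interpreter reads it.

# Create the constructed sample script and print its path.
make_script() {
    path=$(mktemp) || return 1
    printf '%s\n' '#!/bin/sh' 'echo "ran from read-only file"' > "$path"
    chmod 0444 "$path"
    printf '%s\n' "$path"
}

# Direct execution: the kernel checks the execute bit, so this is refused
# and the shell reports exit status 126 (found but not executable).
try_direct() {
    "$1" >/dev/null 2>&1
}

# Interpreter invocation: sh opens the file as data, so read permission suffices.
try_interpreter() {
    sh "$1"
}

# Sourcing: the shell reads the commands itself (subshell keeps this one clean).
try_source() {
    ( . "$1" )
}

demo() {
    script=$(make_script) || return 1
    direct=0
    try_direct "$script" || direct=$?
    printf 'mode: %s\n' "$(ls -l "$script" | cut -c1-10)"
    printf 'direct exec exit status: %s\n' "$direct"
    printf 'sh <file>: %s\n' "$(try_interpreter "$script")"
    printf '. <file>:  %s\n' "$(try_source "$script")"
    rm -f "$script"
}

demo
```

The mode bits on the script only decide whether the direct execution attempt is allowed; the other two paths depend on the interpreter being able to read the file.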


This can be true not only with scripts like the other examples shown on all answers. Basically, if the software that reads a file has a bug, every file is a vector for malicious code execution, using a pretty vast range of techniques (overflow, mem corruption, arbitrary software execution...). Examples:

  • Exploit.Win32.AdobeReader.K - This malicious PDF file takes advantage of a vulnerability (CVE-2007-5020) on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
  • Zero Day QuickTime mvhd - The specific flaw exists within the 'mvhd' atom. By providing a malformed version and flags, an attacker is able to create controllable memory corruption, and trigger an arbitrary write operation. By exploiting this, an attacker could execute code in the context of the current user. CVE-2014-4979