W97M.DownLoader.2938
W97M.DownLoader.2938 is a family of downloader trojans identified by Dr.Web. Its infection vector is a malicious Microsoft Office document delivered as an email (phishing) attachment; the document exploits an Office vulnerability to execute code, and the family's primary capability is then to download additional malicious programs onto the compromised computer. Dr.Web listed it among common email threats in Q4 2025 and Q1 2026. Related Office exploit detections reported alongside it are Exploit.CVE-2017-11882.123 and Exploit.CVE-2018-0798.4; both CVEs are memory-corruption flaws in the legacy Equation Editor component (EQNEDT32.EXE) that allow arbitrary code execution, and Microsoft removed that component from Office in January 2018. The source content names no specific threat actor, industry targeting, or standalone indicators of compromise.
Vulnerabilities exploited
Two CVEs correlated with this family across public research and vendor advisories:
Family: W97M.DownLoader.2938. Downloader trojans that exploit vulnerabilities in Microsoft Office documents and can download other malicious programs to a compromised computer.
Correlated exploits:
  Exploit.CVE-2017-11882.123
  Exploit.CVE-2018-0798.4
Both exploits target Microsoft Office vulnerabilities that allow an attacker to run arbitrary code.
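Both correlated CVEs are bugs in the legacy Equation Editor, so a cheap static triage for a candidate document is to look for the Equation Editor OLE object itself: the ProgID Equation.3 (matched case-insensitively, because ProgID lookup is case-insensitive and samples vary the case) and the class identifier {0002CE02-0000-0000-C000-000000000046} in the little-endian byte order it has on disk. The scanner below is an added example, not code from Dr.Web, Mallory or the source pages. The RTF and .docx inputs it builds are constructed stand-ins (the embedded .bin is not a real OLE compound file, only a blob carrying the CLSID), and the field names and sample content are assumptions for illustration.

```python
"""Static triage for the Equation Editor OLE objects abused by CVE-2017-11882 / CVE-2018-0798."""
import io
import re
import uuid
import zipfile

# Equation Editor 3.0 COM class {0002CE02-0000-0000-C000-000000000046}; an OLE2
# directory entry stores it in little-endian GUID layout.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le
# ProgIDs resolve case-insensitively, so samples use variants such as "EqUaTiOn.3".
PROGID_RE = re.compile(rb"equation\.[23]", re.IGNORECASE)
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s*equation\.[23]", re.IGNORECASE)
# The hex run after \objdata is the OLE1 stream, which carries the class name in clear.
RTF_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def _decode_rtf_objdata(data: bytes) -> bytes:
    """Hex-decode every \\objdata payload. Caveat: control words or \\bin blocks injected
    inside the hex run (common obfuscation) break this simple extraction."""
    out = b""
    for m in RTF_OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]
        try:
            out += bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue
    return out


def _scan_blob(name: str, blob: bytes) -> list:
    findings = []
    if EQNEDT_CLSID_LE in blob or str(EQNEDT_CLSID).upper().encode() in blob.upper():
        findings.append(f"{name}: Equation Editor CLSID present")
    if PROGID_RE.search(blob):
        findings.append(f"{name}: Equation.x ProgID present")
    return findings


def scan_document(data: bytes) -> list:
    """Return a list of findings; an empty list means no Equation Editor object was seen."""
    findings = []
    # Word accepts a truncated header such as "{\rt", so do not insist on "{\rtf1".
    if data.lstrip().lower().startswith(b"{\\rt"):
        if RTF_OBJCLASS_RE.search(data):
            findings.append("rtf: \\objclass Equation object")
        findings += _scan_blob("rtf:objdata", _decode_rtf_objdata(data))
    elif data.startswith(b"PK\x03\x04"):
        # OOXML: ProgID sits in word/document.xml, the CLSID in word/embeddings/*.bin.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                findings += _scan_blob(info.filename, zf.read(info))
    else:
        # Legacy OLE2 (.doc/.xls) or unknown container: a raw scan still catches both markers.
        findings += _scan_blob("raw", data)
    return findings


def _rtf_sample() -> bytes:
    """Constructed RTF: lenient header, mixed-case ProgID, OLE1 header plus class name."""
    ole1 = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
    return (b"{\\rt1\\ansi{\\object\\objemb{\\*\\objclass EqUaTiOn.3}{\\*\\objdata "
            + ole1.hex().encode() + b"}}}")


def _docx_sample(with_equation: bool) -> bytes:
    """Constructed .docx-like zip; the .bin member only stands in for a real OLE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        ole_tag = '<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/>' if with_equation else ""
        zf.writestr("word/document.xml", f"<w:document><w:body>{ole_tag}</w:body></w:document>")
        if with_equation:
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64 + EQNEDT_CLSID_LE + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in scan_document(fh.read()) or ["no Equation Editor object found"]:
                print(f"{path}: {finding}")
```

A hit means the document embeds an Equation Editor object, which is what these exploits need but is also what a legitimate legacy document with real equations contains, so treat it as a triage signal rather than a verdict. For obfuscated RTF, hand the file to a real parser such as rtfobj from oletools instead of relying on the hex extraction above.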
Techniques & procedures
Techniques documented for this family, organized by ATT&CK tactic (the source counts two, but only the Initial Access entry is itemized):
Initial Access: 1 technique, delivery of the malicious Office document as an email attachment.
Recent activity
Summaries from the 4 tracked sources (advisories, community write-ups, and news); all describe the same behaviour:
- Downloader trojan family embedded in Microsoft Office documents that exploits document vulnerabilities to fetch additional malware.
- Malicious Office document downloader family that exploits Office vulnerabilities to execute code and fetch additional payloads.
- Downloader trojan family delivered via malicious Office documents; exploits Office vulnerabilities to execute and then download additional malware.
- Downloader trojan family delivered via malicious Microsoft Office documents; exploits Office vulnerabilities to execute and can fetch additional malware onto the victim host.
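The behaviour summarized above (exploit executes inside Office, then downloads a payload) has a direct endpoint-telemetry counterpart for these two CVEs: the shellcode runs inside EQNEDT32.EXE, so the downloader stage shows up as Equation Editor making a network connection or spawning a child process. One caveat matters for rule writing: EQNEDT32.EXE is started by DCOM, so its parent is svchost.exe rather than WINWORD.EXE, and Office-parent rules miss it. The check below is an added example, not a Dr.Web or Mallory detection; it reads Sysmon-style events as one JSON object per line (event IDs 1 and 3 and the field names follow Sysmon's schema), and the log lines are constructed with invented paths and a documentation-range IP.

```python
"""Process-telemetry triage for Equation Editor exploitation (CVE-2017-11882 / CVE-2018-0798)."""
import json
from pathlib import PureWindowsPath

EQNEDT = "eqnedt32.exe"


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage_event(event: dict):
    """Return an alert string for a suspicious Equation Editor event, otherwise None."""
    eid = event.get("EventID")
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    # Sysmon event 1: process creation. Equation Editor is COM-launched by svchost.exe,
    # so key on EQNEDT32.EXE itself, first as the image, then as the parent.
    if eid == 1 and image == EQNEDT:
        return "EQNEDT32.EXE launched (component removed from Office in January 2018)"
    if eid == 1 and parent == EQNEDT:
        return f"EQNEDT32.EXE spawned {image}: {event.get('CommandLine', '')!r}"
    # Sysmon event 3: network connection. The downloader stage runs inside EQNEDT32.EXE,
    # which has no legitimate reason to reach the network.
    if eid == 3 and image == EQNEDT:
        return (f"EQNEDT32.EXE network connection to "
                f"{event.get('DestinationIp')}:{event.get('DestinationPort')}")
    return None


def triage_log(lines) -> list:
    """Run triage_event over JSON-lines telemetry, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = triage_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: a benign Word launch, then the three stages of an Equation Editor
# exploit (DCOM launch, outbound download, payload executed via cmd.exe).
SAMPLE_LOG = """
{"EventID": 1, "Image": "C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", "ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "WINWORD.EXE invoice.doc"}
{"EventID": 1, "Image": "C:\\\\Program Files (x86)\\\\Common Files\\\\Microsoft Shared\\\\EQUATION\\\\EQNEDT32.EXE", "ParentImage": "C:\\\\Windows\\\\System32\\\\svchost.exe", "CommandLine": "EQNEDT32.EXE -Embedding"}
{"EventID": 3, "Image": "C:\\\\Program Files (x86)\\\\Common Files\\\\Microsoft Shared\\\\EQUATION\\\\EQNEDT32.EXE", "DestinationIp": "203.0.113.10", "DestinationPort": 80}
{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "ParentImage": "C:\\\\Program Files (x86)\\\\Common Files\\\\Microsoft Shared\\\\EQUATION\\\\EQNEDT32.EXE", "CommandLine": "cmd.exe /c %TEMP%\\\\update.exe"}
"""

if __name__ == "__main__":
    for alert in triage_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

On an estate where the January 2018 Office updates are applied, the first rule alone is enough: the binary should no longer exist, so any EQNEDT32.EXE launch is worth a look. The parent-process and network rules matter on hosts that still carry the component, because a benign equation edit also launches it.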