Macro Detection
Hidden VBA indicators and suspicious DOCX relationships.
Live Security Review
DOCX Macro Checker for Suspicious Office Files
Inspect DOCX files for macro artifacts such as vbaProject.bin, hidden macro references, suspicious metadata, risky relationships, and embedded payload clues.
Fast Scan
Immediate risk verdict and findings
Deep Signals
Macros, JS, embedded objects, structure clues
Secure Flow
Temporary storage, signed results, no execution
Security Preview
Threat-first review
Catch macro indicators, JavaScript, launch actions, and suspicious relationships.
Live verdict experience
Best-effort analysis
Macro Detection
DOCX internals scanned for hidden VBA clues.
PDF Safety Review
Object-level inspection plus background review queue.
Processing
Local-first processing
Retention
Temporary retention only
Speed
Instant analysis
Handling
Best-effort review flow
Analyze Now
Drop in a file, get a clear verdict
DOCX + PDF Only
Live Verdict
Waiting for analysis
Upload a file to see a verdict, risk score, confidence, exact findings, and next-step guidance.
No file selected yet.
Pick a DOCX or PDF and the verdict card will light up here with findings, confidence, and next actions.
Why this result?
Top findings, grouped indicators, and a short explanation will appear here after a file is analyzed.
Top Reasons
Placeholder for human-readable findings.
Grouped Indicators
Placeholder for grouped indicators and evidence categories.
Why Teams Use It
Focused security analysis without noise
PDF Safety Review
JavaScript, auto-actions, launch triggers, and obfuscation clues.
Structure Analysis
Clear summaries, confidence, and recommended next steps.
Why Shellax Exists
Built for cautious first-pass document review
Shellax is designed for teams and individuals who need a readable, security-oriented answer before a document reaches a trusted workstation. The goal is to make common document risks easier to understand and route into a safer workflow, not to market certainty where certainty does not exist.
Operational stance
Static inspection first, temporary staging when needed, and no intentional macro or script execution in the normal review path.
Who it is for
Security-conscious operators, IT teams, researchers, and anyone who needs to triage untrusted PDF or DOCX files before opening them.
What it can do
Highlight macro artifacts, embedded objects, suspicious metadata, PDF action triggers, and other signals that justify escalation or quarantine.
What it cannot do
Guarantee safety, replace endpoint defenses, or substitute for isolated malware analysis when a document shows stronger evidence of active content or payload delivery.
Why document analysis matters
Most risky files look ordinary before they are opened.
Document attacks often arrive disguised as invoices, resumes, reports, or contracts. A lightweight first-pass review helps separate routine files from ones that deserve a slower workflow before they reach a trusted device.
A practical review layer
Use the analyzer to inspect suspicious files, then follow the safe attachment workflow or browse the guides library for format-specific handling advice.
Related Guides
Learn how to review suspicious files safely
How to Check If a PDF Is Safe
Learn the warning signs to inspect before you open a suspicious PDF attachment.
Detect Malicious Macros in DOCX
Inspect Word files for hidden VBA clues, suspicious metadata, and embedded active content.
How PDF Malware Works
Understand JavaScript, launch actions, embedded files, and the PDF attack chain.
Safe Attachment Workflow
Build a repeatable process for triaging suspicious attachments without opening them first.
Next Step
Ready to analyze your file?
Start with the analyzer, then use the linked guides if you need more context on PDF behavior, Office macro risk, or safe attachment handling.
Open Source Engine
DocDeep is powered by Shellax
DocDeep is an open source, local-first document analysis engine powered by Shellax and designed to inspect PDF and DOCX files for suspicious indicators.
Core capabilities
- Local-first document analysis
- PDF and DOCX structural analysis
- Macro and active content detection
- Rule-based detection engine
Why this result happened
The verdict is based on visible document indicators
Shellax looks for structural evidence such as macros, JavaScript, embedded objects, suspicious action dictionaries, metadata anomalies, and binary-heavy content. Those signals are grouped into a simple verdict so the file can be routed quickly.
If a file has no strong indicators, the result tends to stay in a low-risk band. If it contains active-content clues or multiple supporting signals, the verdict shifts toward suspicious or dangerous handling.
For more context on specific warning signs, use the result explanation panel above or review the guides library.
Recommended actions
What to do after you get a result
- Low-risk files should still be handled carefully if the sender, context, or business request looks unusual.
- Suspicious files should be reviewed in a slower workflow with secondary verification before anyone opens them on a trusted workstation.
- Dangerous files should be quarantined and escalated instead of being forwarded into a normal user workflow.
- Use the safe attachment workflow and contact page for next-step guidance.
How Document Malware Works
Document attacks usually hide inside normal business workflows
Malicious document delivery often relies on routine behavior rather than obvious malware prompts. A file arrives as an invoice, resume, report, or contract, and the attacker expects the recipient to open it in a trusted application before anyone inspects the structure.
In Office-style documents, the risk may come from macro components, suspicious relationships, embedded objects, or social-engineering text that pushes a user to enable active content. In PDFs, the risk often appears as JavaScript, launch actions, auto-run behavior, suspicious attachments, or heavily obfuscated content streams.
Shellax is built around that threat model. It looks for indicators that suggest a document is trying to do more than present text and layout.
What This Scanner Checks
Targeted static checks for the highest-value signals
- DOCX structure for `vbaProject.bin`, hidden macro references, suspicious relationships, embedded objects, and metadata clues that commonly appear in risky Office attachments.
- PDF structure for JavaScript, launch actions, auto-action dictionaries, suspicious embedded filenames, anomalous binary-heavy content, and obfuscation patterns.
- File identity and cached result reuse so repeated uploads of the same document do not create inconsistent answers.
- Optional background verification layers such as ClamAV, YARA, queue-based deep review, and telemetry when those integrations are available in the deployment.
Understanding the Results
Use the verdict as a routing signal, not a promise
Low risk means Shellax did not find strong active-content evidence in the checks it performed. That can support routine handling, but it does not prove the file is harmless.
Suspicious means the document contains signals that deserve manual review, secondary verification, or a more isolated workflow before the file is trusted.
Dangerous means the file shows multiple high-risk indicators or direct tool hits that align with unsafe active content, payload delivery, or known malicious patterns. Those files should be quarantined.
Limitations of this scanner
Automated document scanning always has blind spots
Static analysis is valuable because it avoids normal file execution, but that same safety constraint means some behaviors can only be inferred rather than observed directly. Novel payloads, socially engineered workflows, or environment-specific exploits may not be obvious from structure alone.
Some suspicious files will be benign, and some malicious files will look quiet. That is why Shellax is positioned as a first-pass risk review tool rather than a sandbox, antivirus replacement, or compliance guarantee.
To understand the operating model and public trust disclosures, review About and Trust Center.
Safe Workflow
What to do after a suspicious result
1
Stop normal handling
Do not open the document on a trusted endpoint just to check it quickly.
2
Preserve context
Record where the file came from, who sent it, and why it was received.
3
Quarantine when warranted
Move dangerous or unclear files into an isolated review workflow.
4
Corroborate signals
Use malware scanning, endpoint telemetry, sender validation, and analyst review together.
5
Document the decision
Keep notes about what was found so repeat patterns become easier to spot later.
Trust & Handling
What Shellax does and does not do
No intentional execution
Shellax is designed to inspect document structure and risk indicators without intentionally running macros, scripts, or embedded payloads during the normal analysis flow.
Temporary storage
Uploads may be staged temporarily so scanning, caching, and optional deep review can complete. Cached results are typically retained for up to 1 day before cleanup.
Best-effort verdicts
A result helps prioritize review. It does not guarantee a file is safe, clean, or suitable to open on a trusted workstation.
Escalation still matters
If findings look suspicious or dangerous, quarantine the file and escalate it into a controlled review workflow before anyone opens it normally.
FAQ
Quick answers before you upload
Can a normal DOCX contain macros? +
A standard DOCX should not normally include VBA macro components. If macro-related artifacts appear, the document deserves additional review.
What counts as suspicious metadata in a DOCX? +
Metadata that references macros, shell commands, scripts, payloads, or prompts such as enable content can indicate social engineering or hidden active content.
Should I trust the file extension alone? +
No. Safe review depends on the archive contents and relationships, not just the visible filename or extension.