{
	"id": "9dbcb9f2-6bdc-4ae7-8e06-aae911244d51",
	"created_at": "2026-04-06T00:19:37.036443Z",
	"updated_at": "2026-04-10T03:20:38.06681Z",
	"deleted_at": null,
	"sha1_hash": "8c762939ff379dd0ec1fce103f0c4453ee57137c",
	"title": "Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 296155,
	"plain_text": "Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and\r\nAgent Tesla Case Studies\r\nBy Yaron Samuel\r\nPublished: 2022-01-25 · Archived: 2026-04-05 15:49:15 UTC\r\nExecutive Summary\r\nBetween July 27 and Dec. 1, 2021, Unit 42 researchers observed a new surge of Agent Tesla and Dridex malware\r\nsamples, which have been dropped by Excel add-ins (XLL) and Office 4.0 macros. We have found that the Excel\r\n4.0 macro dropper is mainly used to drop Dridex, while the XLL droppers are used to drop both Agent Tesla and\r\nDridex. While malicious XLL files have been known for quite some time, their reappearance in the threat\r\nlandscape is a new trend and possibly indicates a shift toward this infection vector.\r\nThe XLL files we observed were mainly distributed via emails that contain price quote luring contents sent from\r\nan abcovid[.]tech email address with the email subject “INQUIRY.” Targets of these emails include organizations\r\nin the following sectors: manufacturing; retail; federal, state and local government; finance; pharmaceuticals;\r\ntransportation; education; and several others across the United States, Europe and Southeast Asia. Furthermore,\r\nsome of the malicious XLL files we have seen abuse a legitimate open-source Excel add-in framework named\r\nExcel-DNA.\r\nThis blog is the first of a two-part series. Here, we take a look into the XLL file attributes, the abused legitimate\r\nopen-source framework and the final Agent Tesla payload. 
The second part of the series will deal with the other\r\ninfection flows, the XLL and Excel 4 (XLM) droppers that deliver Dridex samples.\r\nPalo Alto Networks customers receive protections against the attacks discussed here through Cortex XDR or the\r\nWildFire cloud-delivered security subscription for the Next-Generation Firewall.\r\nChains of Infection\r\nThe flow chart in Figure 1 shows the two possible chains of events we have observed during our investigation:\r\nA victim receives an email with a malicious attachment.\r\nThe attachment is either a malicious XLL or XLM file.\r\nIn the case of an XLL, when run it will either:\r\nDrop an intermediate dropper that in turn will drop an Agent Tesla payload.\r\nDownload Agent Tesla payload from Discord.\r\nDownload Dridex payload from Discord.\r\nIn the case of an XLM, when run it will drop a VBS downloader that downloads and executes a Dridex\r\nsample from Discord.\r\nhttps://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/\r\nPage 1 of 9\n\nWhile Agent Tesla and Dridex infection chains are not necessarily distributed by the same actor, they seem to be\r\npart of a new trend of infection vectors.\r\nFigure 1. Chains of infection.\r\nWhat Is XLL Again?\r\nXLL is an extension for Excel add-ins. In reality, XLL is just a regular PE-DLL file. The XLL file extension is\r\nassociated with an icon very similar to other Excel-supported extensions. In turn, the average user won’t notice\r\nany difference between XLL and other Excel file formats and can be lured to open it. This may be surprising, but\r\nExcel will gladly load and execute an XLL file upon double-clicking.\r\nFigure 2. XLL icon.\r\nOnce the XLL is loaded by Excel, it will invoke the export functions of the XLL file based on the defined XLL\r\ninterface. Two of these interface functions stand out: xlAutoOpen and xlAutoClose. 
These functions get called\r\nonce the add-in gets activated or deactivated, respectively. These functions can be used to load malicious code,\r\nsimilar to the methods Auto_Open and Auto_Close in classic VBA macros.\r\nOne disadvantage of XLL files is that they can only be loaded by Excel with the correct bitness. For example, a\r\n64-bit XLL can only be loaded by the 64-bit version of Excel. The same goes for 32-bit versions. Therefore,\r\nmalware authors have to rely on the Excel version that is installed on the victim’s machine.\r\nLike with VBA macros, Excel will warn the user about the security concern arising from executing the add-in. In\r\nthat aspect, it has no advantage for malware compared to VBA macros.\r\nFigure 3. Warning by Excel while trying to execute an XLL file.\r\nFor the reasons described, XLL files can be a good choice for adversaries seeking to gain an initial foothold on a\r\nvictim machine. An attacker can get code packaged into a DLL loaded by Excel, which in turn may mislead\r\nsecurity products that are not prepared to deal with this scenario.\r\nFigure 4 shows an example of an XLL file in a PE editor. Among other exported functions, we can find the\r\nxlAutoOpen and xlAutoClose functions.\r\nFigure 4. Excel add-in exports as shown by the PE header editor CFF Explorer.\r\nMalicious Excel Add-In (XLL) Dropper\r\nWe have observed malicious emails with the following XLL samples attached:\r\nSHA256: 7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12\r\nSHA256: fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0\r\nExcel-DNA\r\nThe XLL sample we encountered utilizes a legitimate open-source framework for Excel add-in development\r\ncalled Excel-DNA. The framework has several features that also suit malware authors. 
One is the ability to load a\r\ncompressed .NET assembly packaged in the PE resources directly to memory without “touching” the disk.\r\nTherefore, despite being a legitimate framework, Excel-DNA has functionality that resembles malicious loaders\r\nand can be abused as a loader.\r\nExcel-DNA has another attribute that may hinder coverage with Yara, likely unknown even to the malware\r\nauthors. For some reason, many Excel-DNA samples have slightly more than 10,000 exported functions, most of\r\nthem without any meaningful functionality. The Yara PE module export function parsing limit is only 8,192.\r\nTherefore, a Yara rule that targets a certain export name located at an index higher than 8192 will not match\r\nagainst the sample.\r\nWhen we look at the resources of our Excel-DNA XLL, we can see an XML resource named __MAIN__. This\r\nresource contains information about which module gets loaded by Excel-DNA. In our case, the specified module\r\nwill be decompressed from a resource named JACK.\r\nThe resource will be decompressed using the LZMA algorithm and subsequently loaded to memory.\r\nFigure 5. Excel-DNA resources.\r\nWe have created Python code for the extraction of such assemblies from an Excel-DNA add-in. You can find this\r\nscript on the Unit 42 GitHub repo.\r\nJACK Resource\r\nThe loaded module is a simple dropper. Upon loading the module, the AutoOpen method will be invoked. The\r\nmalicious code in this method drops the final payload executable into %AppData%\\service.exe and executes it\r\n(see Figure 6). 
It’s worth noting that the module contained in Jack is configurable, meaning in other versions it\r\nmay download a payload instead of dropping it, as well as dropping a real Excel template and executing it.\r\nThe configuration is displayed in Figure 7, which contains the following options:\r\nbDown - Download the payload.\r\ntemplateEnabled - Drop and open an Excel template.\r\npayload - Contains the payload to be dropped.\r\nFigure 6. Decompiled code of the JACK dropper module with the AutoOpen method, as shown by\r\ndnSpy.\r\nFigure 7. Dropper configuration variables and the final payload contained in a byte array.\r\nFinal Payload – Agent Tesla\r\nSHA256: AB5444F001B8F9E06EBF12BC8FDC200EE5F4185EE52666D69F7D996317EA38F3\r\nThe final payload is an obfuscated Agent Tesla sample. In terms of features, Agent Tesla is extensively\r\ndocumented. Our sample exfiltrates the stolen data to the email phantom1248@yandex[.]com using the SMTP\r\nprotocol. Figure 8 shows the decompiled entry point of our Agent Tesla sample. It is structured in a similar way to\r\nother Agent Tesla samples.\r\nFigure 8. Agent Tesla’s decompiled main function.\r\nString Decryption\r\nThe Agent Tesla sample stores all of its strings in an encrypted form within a large array of characters.\r\nUpon initialization, the sample XORs each byte of the “large byte array” with the hard coded byte 170 and the\r\nindex (trimmed to byte size) of the character in the “large byte array.” Next, the sample fills an array that stores all\r\nthe strings, by splicing the decrypted array in known offsets and corresponding lengths. 
For instance, let’s\r\nexamine the eight bytes in the offset 665:\r\nBefore execution (encrypted form) 28, 92, 94, 81, 25, 64, 88, 122\r\nUpon initialization\r\n(after decryption, XORed with the index and 170)\r\n47, 108, 111, 103, 46, 116, 109, 112\r\nASCII form after decryption /log.tmp\r\nThe code below assigns the 53rd member of the string’s array the eight bytes at offset 665 of the decrypted byte-array.\r\nFigure 9. String assignment code.\r\nExamining the decrypted string array reveals the various targets that Agent Tesla aims to steal:\r\nSensitive browser information and cookies.\r\nMail, FTP and VPN client information.\r\nCredentials from Windows Vault.\r\nRecorded keystrokes and screenshots.\r\nClipboard information.\r\nWindows Vault\r\nTo steal information from the Windows Vault, it appears that the Agent Tesla authors converted a PowerSploit\r\nscript into C# to build a .NET assembly.\r\nIt uses P/Invoke to call API functions from the vaultcli.dll library. At first, VaultEnumerateItems will be called to\r\nget all available vaults. Next, each vault will be opened using VaultOpenVault. Once a vault is open, the contained\r\nitems will be enumerated using VaultEnumerateItems. Finally, the attributes of the items are read using\r\nVaultGetItem. Agent Tesla records the queries as items in its own list (manually deobfuscated code shown in\r\nFigure 10). The curious reader can find the fully deobfuscated method in Appendix A.\r\nFigure 10. 
Deobfuscated Agent Tesla code for recording extracted Windows Vault items.\r\nBelow is the list of Windows Vault GUIDs (and corresponding descriptions) that Agent Tesla uses to steal\r\ninformation:\r\nGUID Description\r\n2F1A6504-0641-44CF-8BB5-3612D865F2E5 Windows Secure Note\r\n3CCD5499-87A8-4B10-A215-608888DD3B55 Windows Web Password Credential\r\n154E23D0-C644-4E6F-8CE6-5069272F999F Windows Credential Picker Protector\r\n4BF4C442-9B8A-41A0-B380-DD4A704DDB28 Web Credentials\r\n77BC582B-F0A6-4E15-4E80-61736B6F3B29 Windows Credentials\r\nE69D7838-91B5-4FC9-89D5-230D4D4CC2BC Windows Domain Certificate Credential\r\n3E0E35BE-1B77-43E7-B873-AED901B6275B Windows Domain Password Credential\r\n3C886FF3-2669-4AA2-A8FB-3F6759A77548 Windows Extended Credential\r\nConclusion\r\nFor the recent surge of malware we observed, we analyzed the infection chain that uses Excel add-ins (XLL). We\r\nalso described how the malware author abuses the legitimate Excel-DNA framework for the creation of these\r\nmalicious XLLs. Lastly, we briefly described the final Agent Tesla payload and which information it tries to\r\nexfiltrate from a victim’s system, with a focus on the Windows Vault data. 
The usage of Excel add-ins in recent\r\nattacks may indicate a new trend in the threat landscape.\r\nIn the next part of this series, we will describe the other infection chain, which involves using Excel 4.0 macros to\r\ndeliver Dridex.\r\nPalo Alto Networks customers receive protections against the attacks discussed here through Cortex XDR or the\r\nWildFire cloud-delivered security subscription for the Next-Generation Firewall.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC:\r\n+65.6983.8730, or Japan: +81.50.1790.0200.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSample hash (SHA256) Description\r\n7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12 XLL dropper\r\nfbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0 XLL dropper\r\nbfc32aab4f7ec31e03a723e0efd839afc2f861cc615a889561b38430c396dcfe Intermediate dropper (Jack)\r\nAB5444F001B8F9E06EBF12BC8FDC200EE5F4185EE52666D69F7D996317EA38F3 Final Agent Tesla payload\r\nAdditional Resources\r\nAgent Tesla Infostealer - ThreatVector Blog, BlackBerry\r\nAgent Tesla amps up information stealing attacks - Sophos\r\nAppendix A: Deobfuscated Code of the Function That Reads Windows Vault\r\nSee more information on GitHub.\r\nSource: https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/"
	],
	"report_names": [
		"excel-add-ins-malicious-xll-files-agent-tesla"
	],
	"threat_actors": [],
	"ts_created_at": 1775434777,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c762939ff379dd0ec1fce103f0c4453ee57137c.pdf",
		"text": "https://archive.orkl.eu/8c762939ff379dd0ec1fce103f0c4453ee57137c.txt",
		"img": "https://archive.orkl.eu/8c762939ff379dd0ec1fce103f0c4453ee57137c.jpg"
	}
}