Process

unknown

excel.exe

excel.exe is Microsoft Excel, the spreadsheet application in Microsoft Office. Like Word, it is a frequent malware entry point: a user opens a weaponized workbook and a macro runs code. Excel is notable for having two macro systems: modern VBA and the legacy Excel 4.0 (XLM) macros, which evaded detection for years because many scanners did not parse them.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • Excel.exe {REMOTEURL} (Download): downloads a remote payload and places it in INetCache.

Indicators

Hashes

Not observed.

Analysis

About this process

excel.exe is the Excel application, opening and editing workbooks (.xls, .xlsx, .xlsm, .xlsb). It supports two kinds of macros: Visual Basic for Applications (VBA), shared with the rest of Office, and the older Excel 4.0 macro language (XLM) stored in macro sheets, which attackers favored because many tools did not parse it. In OOXML workbooks, VBA lives in xl/vbaProject.bin and XLM macro sheets under xl/macrosheets/. Excel is part of Microsoft Office, installed under C:\Program Files\Microsoft Office (or the (x86) path; Click-to-Run installs place it in ...\Microsoft Office\root\Office16\EXCEL.EXE), and the binary is signed by Microsoft.

Legitimately, excel.exe is opened by users to work with spreadsheets, parented by explorer.exe or launched from Outlook or a browser. Working in a workbook is unremarkable. Excel starting another program is not.

Security notes

excel.exe is a top initial-access and execution vector (T1204.002). A user opens a workbook and a macro runs the payload (T1059.005). Excel carries an extra wrinkle: alongside VBA, the legacy Excel 4.0 (XLM) macro language runs code from macro sheets (often hidden or veryHidden, with an Auto_Open defined name so it fires on load) and went undetected by many tools for years, making XLM-laden workbooks a favored delivery method. Either way, the recognizable evidence is Excel spawning a shell or script host: excel.exe as the parent of powershell.exe, cmd.exe, mshta.exe, or wscript.exe.
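As an added example (not part of this page's data or any vendor tool), a static triage routine for an OOXML workbook that checks the indicators described above: XLM macro sheets under xl/macrosheets/, a VBA project, hidden or veryHidden sheets, auto-executing defined names, and XLM calls such as EXEC or CALL that leave the workbook. The sample workbook is constructed inline and contains only the parts the triage reads; the function names, the severity rule and the risky-function list are the author's assumptions, not Excel's definitions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by workbook.xml, worksheets and macrosheets
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
WORKBOOK_XML = "xl/workbook.xml"
VBA_PROJECT = "xl/vbaProject.bin"     # present when the workbook carries a VBA project
MACROSHEET_DIR = "xl/macrosheets/"    # Excel 4.0 (XLM) macro sheets live here in OOXML
# Defined names that make an XLM macro run without user interaction (case-insensitive)
AUTO_NAMES = {"auto_open", "auto_close", "auto_activate", "auto_deactivate"}
# XLM functions that reach outside the workbook: process, DLL and file access (assumed list)
RISKY_XLM = re.compile(r"\b(EXEC|CALL|REGISTER|FOPEN|FWRITE|FORMULA\.FILL)\s*\(", re.I)


def triage_workbook(data: bytes) -> dict:
    """Static triage of an OOXML workbook container; reports indicators, never runs macros.

    Legacy OLE2 .xls files are not zip containers and come back with ooxml=False;
    they need an OLE parser (for example oletools) instead.
    """
    out = {"ooxml": False, "vba": False, "macrosheets": [],
           "hidden_sheets": [], "auto_names": [], "risky_formulas": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return out
    names = zf.namelist()
    out["ooxml"] = WORKBOOK_XML in names
    out["vba"] = VBA_PROJECT in names
    out["macrosheets"] = sorted(n for n in names
                                if n.startswith(MACROSHEET_DIR) and n.endswith(".xml"))
    if out["ooxml"]:
        root = ET.fromstring(zf.read(WORKBOOK_XML))
        # hidden / veryHidden sheets: the usual way to keep a macro sheet off the tab bar
        for sheet in root.iterfind("m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                out["hidden_sheets"].append((sheet.get("name"), sheet.get("state")))
        for dn in root.iterfind("m:definedNames/m:definedName", NS):
            if (dn.get("name") or "").lower() in AUTO_NAMES:
                out["auto_names"].append((dn.get("name"), dn.text, dn.get("hidden") == "1"))
    # Inspect every formula cell on each macro sheet for calls that leave the workbook
    for part in out["macrosheets"]:
        for f in ET.fromstring(zf.read(part)).iterfind(".//m:f", NS):
            if f.text and RISKY_XLM.search(f.text):
                out["risky_formulas"].append((part, f.text))
    return out


def severity(t: dict) -> str:
    """Verdict: XLM plus auto-exec, hidden sheet or risky call is high; any macro code merits review."""
    if t["macrosheets"] and (t["auto_names"] or t["risky_formulas"] or t["hidden_sheets"]):
        return "high"
    if t["macrosheets"] or t["vba"]:
        return "review"
    return "none"


def build_sample(xlm: bool) -> bytes:
    """Constructed minimal workbook container (not a real Excel file): only the parts triage reads."""
    m = NS["m"]
    sheets = '<sheet name="Sheet1" sheetId="1"/>'
    defined = ""
    macro_part = None
    if xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
        defined = ('<definedNames><definedName name="Auto_Open" hidden="1">'
                   'Macro1!$A$1</definedName></definedNames>')
        macro_part = (f'<macrosheet xmlns="{m}"><sheetData><row r="1">'
                      '<c r="A1"><f>EXEC("cmd /c calc.exe")</f></c>'
                      '<c r="A2"><f>HALT()</f></c></row></sheetData></macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(WORKBOOK_XML, f'<workbook xmlns="{m}"><sheets>{sheets}</sheets>{defined}</workbook>')
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{m}"><sheetData/></worksheet>')
        if macro_part:
            zf.writestr("xl/macrosheets/sheet1.xml", macro_part)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample(False)), ("xlm", build_sample(True))):
        t = triage_workbook(blob)
        print(label, severity(t), t)
```

The zip-level checks (presence of xl/macrosheets/ and xl/vbaProject.bin) cost nothing and catch the XLM case that formula-unaware scanners missed; the defined-name and hidden-sheet checks distinguish a macro sheet that runs on open from one a user would have to trigger. Password-protected or OLE2 workbooks fall outside this parser and need a dedicated OLE tool.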

Excel is also a persistence surface (T1137), through macro-enabled templates and add-ins (including XLL add-ins) that load when Excel starts: files dropped into an XLSTART folder (such as %APPDATA%\Microsoft\Excel\XLSTART) and add-ins registered as OPEN values under HKCU\Software\Microsoft\Office\<version>\Excel\Options. New or unexpected template and add-in entries in those locations warrant review. Because Excel itself is legitimate, the children it spawns, its network activity, and changes to its startup items are what separate ordinary use from compromise.

Anomaly signals
  • Image path outside the Microsoft Office install directory (high)
  • excel.exe spawning cmd.exe, powershell.exe, mshta.exe, wscript.exe, or rundll32.exe (high)
  • A workbook containing Excel 4.0 (XLM) macro sheets (high)
  • Outbound network connections shortly after a workbook opens (high)
  • A child process running from or writing to Temp or AppData (high)
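An added detection example, not drawn from this page's telemetry or from any product: the process-tree and network signals listed above evaluated over a constructed stream of Sysmon-style ProcessCreate and NetworkConnect events. The event field names, the 60-second window used as a stand-in for "shortly after a workbook opens" (the stream has no document-open event, so the excel.exe start time is used), and the script-host list are the author's assumptions.

```python
import re
from datetime import datetime, timedelta

# Where a genuine excel.exe lives (Click-to-Run uses ...\Microsoft Office\root\Office16\EXCEL.EXE)
OFFICE_DIRS = ("c:\\program files\\microsoft office\\",
               "c:\\program files (x86)\\microsoft office\\")
# Shells and script hosts that Excel has no business launching (assumed list)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata)\\", re.I)
# Assumption: "shortly after a workbook opens" approximated from the excel.exe start time
NET_WINDOW = timedelta(seconds=60)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Walk time-ordered ProcessCreate/NetworkConnect events; return (severity, reason, event) tuples."""
    findings = []
    excel_started = {}  # pid -> start time of each excel.exe process seen
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "ProcessCreate":
            image = ev["image"]
            if base(image) == "excel.exe":
                excel_started[ev["pid"]] = ts
                # Signal 1: excel.exe running from anywhere but the Office install directory
                if not image.lower().startswith(OFFICE_DIRS):
                    findings.append(("high", "excel.exe image outside Microsoft Office install directory", ev))
            if base(ev["parent_image"]) == "excel.exe":
                # Signal 2: Excel as the parent of a shell or script host
                if base(image) in SCRIPT_HOSTS:
                    findings.append(("high", f"excel.exe spawned {base(image)}", ev))
                # Signal 5: Excel child executing from a user-writable location
                if USER_WRITABLE.search(image):
                    findings.append(("high", "excel.exe child running from Temp or AppData", ev))
        elif ev["type"] == "NetworkConnect":
            # Signal 4: outbound connection soon after the Excel process started
            started = excel_started.get(ev["pid"])
            if started is not None and ts - started <= NET_WINDOW:
                findings.append(("high", f"excel.exe connected to {ev['dest']} within {NET_WINDOW.seconds}s of start", ev))
    return findings


EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
EXPLORER = "C:\\Windows\\explorer.exe"
# Constructed sample events; 203.0.113.0/24 is a documentation range, not a real destination
SAMPLE_EVENTS = [
    # A user opens a downloaded workbook; a macro launches cmd.exe, beacons out and drops a file
    {"ts": "2024-01-01T09:00:00", "type": "ProcessCreate", "pid": 1000, "ppid": 500,
     "image": EXCEL, "parent_image": EXPLORER},
    {"ts": "2024-01-01T09:00:04", "type": "ProcessCreate", "pid": 1001, "ppid": 1000,
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": EXCEL},
    {"ts": "2024-01-01T09:00:05", "type": "NetworkConnect", "pid": 1000, "dest": "203.0.113.10:443"},
    {"ts": "2024-01-01T09:00:09", "type": "ProcessCreate", "pid": 1002, "ppid": 1000,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "parent_image": EXCEL},
    # A binary named excel.exe running from a user-writable path (masquerading)
    {"ts": "2024-01-01T09:30:00", "type": "ProcessCreate", "pid": 1100, "ppid": 500,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\excel.exe", "parent_image": EXPLORER},
    # Ordinary use: Excel opened from Explorer, a connection minutes later, no children
    {"ts": "2024-01-01T10:00:00", "type": "ProcessCreate", "pid": 2000, "ppid": 500,
     "image": EXCEL, "parent_image": EXPLORER},
    {"ts": "2024-01-01T10:05:00", "type": "NetworkConnect", "pid": 2000, "dest": "203.0.113.20:443"},
]


if __name__ == "__main__":
    for sev, reason, ev in detect(SAMPLE_EVENTS):
        print(sev, reason, ev["ts"], ev.get("image", ev.get("dest")))
```

The network rule is the noisiest of the five in practice, since Excel legitimately talks to Office licensing and cloud endpoints on start; a deployment would pair it with a destination allow-list or require it to co-occur with one of the process-tree signals before alerting. The image-path rule is keyed on the Office directory, so it also flags a 32-bit install under Program Files (x86) only when that prefix is listed, as it is here.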

Telemetry

OS prevalence0

Not observed.

Observation timeline

Not observed.
