Macro Malware Again

2018-12-23 Cyberfox

http://web.archive.org/web/20220703114638/https://www.cyberfox.blog/macro-malware-again/


The analysis examines a malicious Word document macro that the author says was associated with Lazarus tooling by archive context and flagged by Thor's APT_MalDoc_SharpShooter_Lazarus_Campaign_Dec18_1 YARA rule. The macro was slightly obfuscated and defined renamed Windows API calls such as VirtualAlloc, RtlMoveMemory, LoadLibraryA, and GetProcAddress, indicating a loader pattern for dynamically constructing and running shellcode. The body shows the analyst extracting the VBA with oledump, renaming variables and functions for clarity, and recovering a large two-dimensional array used to build the payload. The useful defensive value is the macro tradecraft and API sequence rather than a broader campaign narrative, because the excerpt mainly documents shellcode extraction and deobfuscation steps.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   a82cdb9f5bffcb24708e66eb52cce2af   2018-12-23   2018-12-23
