A spreadsheet hosted on Intel.com is flagged as malware—but is it?

A 'Product Compliance' Excel spreadsheet hosted on Intel.com is being mistaken for malware

Ax Sharma April 5, 2022 2 min read

Photo by Lukas on Pexels.com

A form hosted on Intel.com’s “product compliance” page is repeatedly triggering alarms from antivirus and endpoint security products.

Intel’s Product Compliance page contains forms related to “environmental standards” for its products that Intel’s suppliers and manufacturers are required to review.

Vendor spreadsheet marked as malware

Stephan Berger, a senior incident responder at InfoGuard AG first took notice of this occurrence on March 31st, 2022:

A customer reported an AV detection on an Excel document he downloaded from @intel's official website. The detection rate of 21 AV vendors on this document is relatively high. Intel's website, #maldoc, I know what you are thinking. ????
(1/7)#dfir #cybersecurity pic.twitter.com/VRlHkbOoEN
— Stephan Berger (@malmoeb) March 31, 2022

The “Download the form ›” link next to a “Material Disclosure Form (MDF)” dated September 22, 2021, led to an XLSM spreadsheet that was being flagged as malware by multiple antivirus engines on VirusTotal.

The researcher reported seeing multiple antivirus engines marking the Excel sheet as malware (Berger)

But a further analysis by Berger revealed that although there are macros and suspicious keywords in the Excel file, “if you analyze the different macro functions more closely, we won’t find any suspicious code that would indicate that the document has been enriched with malicious code,” says the researcher.

This indicates that the large number of detections seen are possible false-positives from security products.

When opening the document, the user is presented with the following screen – ????
(5/7) pic.twitter.com/sdrfbr9cmO
— Stephan Berger (@malmoeb) March 31, 2022

Intel: ‘a false positive’

Following Berge’s tweets, Intel appears to have replaced the XLSM file.

When reproducing the issue, Security Report observed the file’s checksum (hash) and contents had been changed. The new file, still an XLSM, still triggers some alarms on antivirus products but the rate of detections is far less on VirusTotal: less than 7% of antivirus engines known to VirusTotal are reporting the file as malicious:

VirusTotal engines continue to flag form on Intel’s site as malware (Security Report)

Although embedded macros in Excel and Microsoft Office documents are extensively abused by threat actors for conducting phishing campaigns and malware attacks on unsuspecting users, macros do have some legitimate use cases. Macros allow users to programmatically automate simple repetitive tasks in Microsoft Office documents.

Security Report reached out to Intel well in advance of publishing and Intel seems to be not sure at this point:

“We concluded our investigation and determined the malicious alert was a false positive,” an Intel spokesperson told Security Report.

About the author

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

See author's posts