A spreadsheet hosted on Intel.com is flagged as malware—but is it?

Ax Sharma April 5, 2022 0

A ‘Product Compliance’ Excel spreadsheet hosted on Intel.com is being mistaken for malware

close up photo of survey spreadsheet

Photo by Lukas on <a href="https://www.pexels.com/photo/close-up-photo-of-survey-spreadsheet-590022/" rel="nofollow">Pexels.com</a>

A form hosted on Intel.com’s “product compliance” page is repeatedly triggering alarms from antivirus and endpoint security products.

Intel’s Product Compliance page contains forms related to “environmental standards” for its products that Intel’s suppliers and manufacturers are required to review.

Vendor spreadsheet marked as malware

Stephan Berger, a senior incident responder at InfoGuard AG first took notice of this occurrence on March 31st, 2022:

The “Download the form ›” link next to a “Material Disclosure Form (MDF)” dated September 22, 2021, led to an XLSM spreadsheet that was being flagged as malware by multiple antivirus engines on VirusTotal.

Image
The researcher reported seeing multiple antivirus engines marking the Excel sheet as malware (Berger)

But a further analysis by Berger revealed that although there are macros and suspicious keywords in the Excel file, “if you analyze the different macro functions more closely, we won’t find any suspicious code that would indicate that the document has been enriched with malicious code,” says the researcher.

This indicates that the large number of detections seen are possible false-positives from security products.

Intel: ‘a false positive’

Following Berge’s tweets, Intel appears to have replaced the XLSM file.

When reproducing the issue, Security Report observed the file’s checksum (hash) and contents had been changed. The new file, still an XLSM, still triggers some alarms on antivirus products but the rate of detections is far less on VirusTotal: less than 7% of antivirus engines known to VirusTotal are reporting the file as malicious:

VirusTotal engines continue to flag form on Intel’s site as malware (Security Report)

Although embedded macros in Excel and Microsoft Office documents are extensively abused by threat actors for conducting phishing campaigns and malware attacks on unsuspecting users, macros do have some legitimate use cases. Macros allow users to programmatically automate simple repetitive tasks in Microsoft Office documents.

Security Report reached out to Intel well in advance of publishing and Intel seems to be not sure at this point:

“We concluded our investigation and determined the malicious alert was a false positive,” an Intel spokesperson told Security Report.

About the author

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

See author's posts

More Stories

architecture chairs city commuter

NS trains halted for hours after IT system ‘failure’

Ax Sharma April 4, 2022 0
Mozilla logo

Mozilla drops Firefox add-on installed by 455,000 for blocking updates

Ax Sharma October 26, 2021 0
judgement scale and gavel in judge office

Insurer Dominion National settles for $2 million in data breach lawsuit

Ax Sharma July 3, 2021 0

Leave a Reply