A form hosted on Intel.com’s “product compliance” page is repeatedly triggering alarms from antivirus and endpoint security products.
Intel’s Product Compliance page contains forms related to “environmental standards” for its products that Intel’s suppliers and manufacturers are required to review.
Vendor spreadsheet marked as malware
Stephan Berger, a senior incident responder at InfoGuard AG first took notice of this occurrence on March 31st, 2022:
The “Download the form ›” link next to a “Material Disclosure Form (MDF)” dated September 22, 2021, led to an XLSM spreadsheet that was being flagged as malware by multiple antivirus engines on VirusTotal.
But a further analysis by Berger revealed that although there are macros and suspicious keywords in the Excel file, “if you analyze the different macro functions more closely, we won’t find any suspicious code that would indicate that the document has been enriched with malicious code,” says the researcher.
This indicates that the large number of detections seen are possible false-positives from security products.
When opening the document, the user is presented with the following screen – ????— Stephan Berger (@malmoeb) March 31, 2022
Intel: ‘a false positive’
Following Berge’s tweets, Intel appears to have replaced the XLSM file.
When reproducing the issue, Security Report observed the file’s checksum (hash) and contents had been changed. The new file, still an XLSM, still triggers some alarms on antivirus products but the rate of detections is far less on VirusTotal: less than 7% of antivirus engines known to VirusTotal are reporting the file as malicious:
Although embedded macros in Excel and Microsoft Office documents are extensively abused by threat actors for conducting phishing campaigns and malware attacks on unsuspecting users, macros do have some legitimate use cases. Macros allow users to programmatically automate simple repetitive tasks in Microsoft Office documents.
Security Report reached out to Intel well in advance of publishing and Intel seems to be not sure at this point:
“We concluded our investigation and determined the malicious alert was a false positive,” an Intel spokesperson told Security Report.