A spreadsheet hosted on Intel.com is flagged as malware—but is it?

A form hosted on Intel.com’s “product compliance” page is repeatedly triggering alarms from antivirus and endpoint security products.

Intel’s Product Compliance page contains forms related to “environmental standards” for its products that Intel’s suppliers and manufacturers are required to review.

Vendor spreadsheet marked as malware

Stephan Berger, a senior incident responder at InfoGuard AG, first noticed this on March 31st, 2022:

The “Download the form ›” link next to a “Material Disclosure Form (MDF)” dated September 22, 2021, led to an XLSM spreadsheet that was being flagged as malware by multiple antivirus engines on VirusTotal.

The researcher reported seeing multiple antivirus engines marking the Excel sheet as malware (Berger)

But a further analysis by Berger revealed that although there are macros and suspicious keywords in the Excel file, “if you analyze the different macro functions more closely, we won’t find any suspicious code that would indicate that the document has been enriched with malicious code,” says the researcher.

This indicates that the large number of detections seen are possibly false positives from security products.

Intel: ‘a false positive’

Following Berger’s tweets, Intel appears to have replaced the XLSM file.

When reproducing the issue, Security Report observed that the file’s checksum (hash) and contents had changed. The new file, still an XLSM, still triggers some alarms on antivirus products, but the detection rate on VirusTotal is far lower: fewer than 7% of antivirus engines known to VirusTotal are reporting the file as malicious:

VirusTotal engines continue to flag form on Intel’s site as malware (Security Report)
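
As an added illustration (not code from the article, Berger or Intel), the following Python example compares two downloads of an XLSM form part by part, so that a changed file checksum can be told apart from a changed macro project. The sample files are constructed in memory, and the function names are hypothetical.

```python
import hashlib
import io
import zipfile

MACRO_PART = "xl/vbaProject.bin"  # part where an XLSM stores its VBA project

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def part_hashes(xlsm: bytes) -> dict:
    """Map each part name inside the OOXML (ZIP) container to its SHA-256."""
    with zipfile.ZipFile(io.BytesIO(xlsm)) as zf:
        return {n: sha256(zf.read(n)) for n in zf.namelist() if not n.endswith("/")}

def compare_versions(old: bytes, new: bytes) -> dict:
    """Report what changed between two downloads of the same form."""
    a, b = part_hashes(old), part_hashes(new)
    return {
        "file_hash_changed": sha256(old) != sha256(new),
        "has_macros": (MACRO_PART in a, MACRO_PART in b),
        "macro_project_changed": a.get(MACRO_PART) != b.get(MACRO_PART),
        "changed_parts": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "added_parts": sorted(b.keys() - a.keys()),
        "removed_parts": sorted(a.keys() - b.keys()),
    }

def build_sample(parts: dict) -> bytes:
    """Constructed stand-in for an XLSM: a ZIP with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples, not the Intel files: same macro bytes, edited sheet.
OLD = build_sample({"xl/workbook.xml": b"<workbook/>",
                    "xl/worksheets/sheet1.xml": b"<sheetData>v1</sheetData>",
                    MACRO_PART: b"constructed-vba-project-bytes"})
NEW = build_sample({"xl/workbook.xml": b"<workbook/>",
                    "xl/worksheets/sheet1.xml": b"<sheetData>v2</sheetData>",
                    MACRO_PART: b"constructed-vba-project-bytes"})

if __name__ == "__main__":
    for key, value in compare_versions(OLD, NEW).items():
        print(f"{key}: {value}")
```

A whole-file hash changes whenever any part of the container changes, so the per-part view shows whether a replacement touched the macro project or only the worksheet content.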

Although embedded macros in Excel and Microsoft Office documents are extensively abused by threat actors for conducting phishing campaigns and malware attacks on unsuspecting users, macros do have some legitimate use cases. Macros allow users to programmatically automate simple repetitive tasks in Microsoft Office documents.

Security Report reached out to Intel well in advance of publishing, and Intel does not seem to be sure at this point:

“We concluded our investigation and determined the malicious alert was a false positive,” an Intel spokesperson told Security Report.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).