-
Hi,
Where I work, we had a user download it to test out the software. Our security software and Google Chrome both stated that the .dotm file supplied is malicious.
Replies: 7 comments 1 reply
-
Which security software? What is the exact error message from your software?
-
Hi,
This is what we were presented with from SentinelOne:
Threat Info
Name: WordMat.dotm
URL:
Path: '\\Device\\HarddiskVolume3\\Users\\ralhammo\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\WordMat.dotm'
Command Line Arguments: None
Process User: RALTP01\ralhammo
Originating Process: WordMat132.tmp
SHA1: 7a5fac2ddda01011e570cb7c7746d579552183f9
Initiated By: Agent Policy
Engine: ['SentinelOne Cloud']
Detection type: static
Classification: Malware
File Size: 2547673
Storyline: A84D646663D9045B
Threat Id: 2145105904159186936
Please see the attachment for Chrome.
We suspect that it’s unsigned.
Paul Thompson
I.T. Support Specialist
University of Waterloo - Dept. of Civil and Environmental Engineering
200 University Avenue West
Waterloo, Ontario, Canada
N2L 3G1
1-519-888-4567 Ext. 47182
For CEE I.T. related requests, please email ***@***.*** or go here: https://uwaterloo.atlassian.net/servicedesk/customer/portal/135
From: Jens Axel Søgaard ***@***.***>
Sent: Monday, February 10, 2025 2:28 PM
To: Eduap-com/WordMat ***@***.***>
Cc: Paul Thompson ***@***.***>; Author ***@***.***>
Subject: Re: [Eduap-com/WordMat] Software flagged by Google Chrome as malicious (Discussion #280)
What is the exact error message from your software?
-
Waterloo? I thought you were using Maple. Anyway, the file WordMat.dotm contains several files: the code for the Ribbons and more. The question is therefore why it was flagged. I notice that your info contains:
Where can we look up what the threat is?
-
Hi,
Not everyone prefers that software. Due to various factors here, specifically costs, we have users seeking out open source based and free alternatives.
I’ll ask for more information from our security team.
Chrome doesn’t state why it blocks this specific installer, just that it detected malware.
Our users can change these files, so that can’t be the reason.
Paul Thompson
From: Jens Axel Søgaard ***@***.***>
Sent: Tuesday, February 11, 2025 12:43 PM
To: Eduap-com/WordMat ***@***.***>
Cc: Paul Thompson ***@***.***>; Author ***@***.***>
Subject: Re: [Eduap-com/WordMat] Software flagged by Google Chrome as malicious (Discussion #280)
Waterloo? I thought you were using Maple.
Anyway, the file WordMat.dotm contains several files. The code for the Ribbons and more.
The question is therefore why it was flagged.
I notice that your info contains:
Storyline: A84D646663D9045B
Threat Id: 2145105904159186936
Where can we look up what the threat is?
Is it a specific virus that has been found?
Or was the file just flagged automatically on systems that don't allow users to change their word.dotm file?
-
Hi,
I heard back from our security team.
They stated that when our detection tool notifies them, they verify the results. Here is a link they sent that they use: https://www.virustotal.com/gui/file/b22202cb97f97691b06c7466e7143787e4382738e25f986338a8ca4b493c71b8
A number of vendors caught this. But, it does look like the latest version you offer isn’t being detected as such.
Kind regards,
Paul Thompson
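The security team's verification step above is a hash lookup: the local copy of WordMat.dotm is hashed and the digest is compared with what the vendor report keys on (SentinelOne gives a SHA1, the VirusTotal link a SHA256). The thread also raises whether the template is code-signed. The following script is an added example, not part of the discussion or the WordMat project. It hashes a file, compares it with the two digests quoted in this thread, and, treating the .dotm as the OOXML zip container it is, reports whether it carries a VBA project and a VBA signature part. The sample template it builds is constructed for the demonstration; the signature part names `word/vbaProjectSignature.bin` and `word/vbaProjectSignatureAgile.bin` are an assumption about how signed VBA projects are stored, not something the thread states.

```python
import hashlib
import io
import zipfile

# Digests quoted in this thread for the flagged WordMat.dotm:
# SentinelOne reported the SHA1, the VirusTotal link carries the SHA256.
REPORTED_SHA1 = "7a5fac2ddda01011e570cb7c7746d579552183f9"
REPORTED_SHA256 = "b22202cb97f97691b06c7466e7143787e4382738e25f986338a8ca4b493c71b8"


def file_hashes(data: bytes) -> dict:
    """Return the SHA1 and SHA256 hex digests vendors key their reports on."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_reported(data: bytes) -> bool:
    """True when the local copy is byte-identical to the sample discussed above."""
    h = file_hashes(data)
    return h["sha1"] == REPORTED_SHA1 or h["sha256"] == REPORTED_SHA256


def inspect_dotm(data: bytes) -> dict:
    """Look inside an OOXML template: is there a VBA project, and a signature part?"""
    if not data.startswith(b"PK"):
        # Not a zip container, so not an OOXML .dotm at all.
        return {"is_ooxml": False, "has_vba_project": False, "has_vba_signature": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    has_vba = "word/vbaProject.bin" in names
    # Assumption: a signed VBA project stores its signature as
    # word/vbaProjectSignature.bin (legacy) or word/vbaProjectSignatureAgile.bin.
    # Absence of both means the macros are unsigned.
    has_sig = any(n.startswith("word/vbaProjectSignature") for n in names)
    return {"is_ooxml": True, "has_vba_project": has_vba, "has_vba_signature": has_sig}


def build_sample_dotm(signed: bool) -> bytes:
    """Constructed stand-in for a .dotm: a minimal zip with only the parts the checks look at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # OLE compound-file magic followed by constructed filler, not a real VBA project.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-vba-project")
        if signed:
            zf.writestr("word/vbaProjectSignature.bin", b"constructed-signature-blob")
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """Combine hash comparison and container inspection into one alert note."""
    report = file_hashes(data)
    report["matches_thread_sample"] = matches_reported(data)
    report.update(inspect_dotm(data))
    return report


if __name__ == "__main__":
    # Run against a real download with: triage(open("WordMat.dotm", "rb").read())
    for signed in (False, True):
        print(triage(build_sample_dotm(signed)))
```

Because the hash comparison is exact, a report for one build says nothing about a later build with a different digest, which is why the post above notes that the latest version is not being detected even though the earlier sample was.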
-
Your information seems relevant for Issue #282
-
@soegaard Thanks for trying to answer. WordMat uses a lot of different techniques that could potentially be used for malicious intent. I suspect it is also a consequence of a more hostile world, where cyberattacks are more frequent. The antivirus programs have to be more on edge, and it is better to have more false positives than to let one malicious program through. The only success I have had is using code-signed files. It is not perfect, but it reduces the problem. As suspected by @pnrthomp, the file is not code-signed. This is a feature only available for partnership schools. However, the detection is a false positive; you can manually exempt it from your antivirus software.
@soegaard Thanks for trying to answer.
The 'call home' functionality in WordMatP is located in the WordMatPlus code files and should not interfere with WordMat.dotm.
It downloads a list of approved IPs and checks if your IP is approved for partnership. Nothing is sent to the server.
WordMat uses a lot of different techniques that could potentially be used for malicious intent.
I have tried altering many of the techniques and testing to see which would cause the problems, even completely crippling the program. I have had very little success. If you check a file on virustotal.com it can seem OK (few antivirus hits), but a week or a month later it can be blocked by many antivirus programs.
I…