microsoft-office-2007.exe

OCSClient

CHIP Digital GmbH

The application microsoft-office-2007.exe, “CHIP Secured Installer” by CHIP Digital GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Covus installer. The file has been seen being downloaded from secure.download-sponsor.de.
Publisher:
CHIP Digital GmbH  (signed and verified)

Product:
OCSClient

Description:
CHIP Secured Installer

Version:
7.00

MD5:
12a7171ee4833f225088e15ff27d09c8

SHA-1:
0717a62bf09816c91cd9e1b3049e4637b0f9c848

SHA-256:
f648b1e5fd4bcb644fe63953aed59baedfa4efb8bcd4cff38988a3c2a46006a3

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/25/2024 4:30:18 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ChipDigital.Bundler (M)
16.8.4.13

File size:
938.8 KB (961,360 bytes)

Product version:
7.00

Copyright:
Copyright © 2014 Chip Digital GmbH

Original file name:
ocsclient.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Covus

Language:
German (Germany)

Common path:
C:\users\{user}\downloads\microsoft-office-2007.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
2/25/2014 1:00:00 AM

Valid to:
2/26/2015 12:59:59 AM

Subject:
CN=CHIP Digital GmbH, O=CHIP Digital GmbH, L=Muenchen, S=Bayern, C=DE

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
0D160B8252A4F0A16FE1255FA0A22E2B

File PE Metadata
Compilation timestamp:
7/8/2014 4:40:40 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:V7lw1DxvNXeGQpnmSsR87RAie/kRRU7AAysgfBnnl2h:V7m1DjXeB7RAiej7AAysgpnnch

Entry address:
0x1684

Entry point:
68, 74, F6, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, BE, 94, 86, 5E, 78, 67, 9E, 43, 9D, C2, E8, 8B, A9, F8, 76, C0, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 4F, 43, 53, 43, 6C, 69, 65, 6E, 74, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, FF, CC, 31, 00, 03, 16, 1A, 2D, BC, FF, 5E, B7, 44, B2, 06, 38, F4, C1, 21, 31, 3B, C7, 14, 1B, 51, 28, 94, 81, 40, 89, 85, 2C, 1A, 60, AA, 65, 86, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...
 
[+]

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
100 KB (102,400 bytes)

The file microsoft-office-2007.exe has been seen being distributed by the following URL.

Remove microsoft-office-2007.exe - Powered by Reason Core Security