openoffice-4-0-1.exe

OCSClient

CHIP Digital GmbH

The application openoffice-4-0-1.exe by CHIP Digital GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Chip Digital OCSClient installer. With this installer, users are expecting to download the free Apache OpenOffice but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware. The file has been seen being downloaded from secure.download-sponsor.de.
Publisher:
CHIP Digital GmbH  (signed and verified)

Product:
OCSClient

Version:
1.00

MD5:
065332cffd9d67c2caa5ccff24773709

SHA-1:
c78ccc0956e7c2ed3175b734d5877ae277d223c6

SHA-256:
897b4cd35ea99a8cc651c9f61e1f5c0a43b086dfb4e0d91e8437919b4645955e

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/5/2024 6:53:24 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ChipDigital.Bundler (M)
16.7.30.10

File size:
598.8 KB (613,200 bytes)

Product version:
1.00

Original file name:
ocsclient.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Chip Digital OCSClient

Language:
English (United States)

Common path:
C:\users\{user}\downloads\openoffice-4-0-1.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
2/24/2014 4:00:00 PM

Valid to:
2/25/2015 3:59:59 PM

Subject:
CN=CHIP Digital GmbH, O=CHIP Digital GmbH, L=Muenchen, S=Bayern, C=DE

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
0D160B8252A4F0A16FE1255FA0A22E2B

File PE Metadata
Compilation timestamp:
11/27/2013 4:28:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:nKWlw1Dx+6ASQFfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2r:n7lw1Dx95QFfXeYU43fiysgfBnnl2r

Entry address:
0x1620

Entry point:
68, 08, F6, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, EF, 4E, 90, D9, AA, 0A, CD, 43, 91, 50, 46, 79, E4, 37, D4, 82, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 4F, 43, 53, 43, 6C, 69, 65, 6E, 74, 00, 6E, 64, 72, 65, 5C, 44, 00, 00, 00, 00, FF, CC, 31, 00, 03, 23, 5A, 55, 3A, 3C, E0, 07, 47, B3, 35, 82, 3C, 05, 78, AE, A7, 47, FF, BF, 0B, 62, DE, 67, 44, A8, 40, C9, 76, C0, F9, 23, 95, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...
 
[+]

Entropy:
6.0817

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
96 KB (98,304 bytes)

The file openoffice-4-0-1.exe has been seen being distributed by the following URL.

Remove openoffice-4-0-1.exe - Powered by Reason Core Security