Should I be worried about AV warning re soffice.bin

Hi,

I run Malwarebytes on my Windows 11 PC all the time and it has just popped up a warning about some riskware when I opened a document from a friend. Is this something I should worry about? Is it even in LibreOffice or does it come from the document I opened? Any advice please. I see a similar report in this post:
Is mujweb.cz safe download unexpectedly when looking at Macros

I also have the alternate find and replace v1.4.2 3/2017 extension installed. Is it likely this is the problem?

Malwarebytes

-Log Details-
Protection Event Date: 14/11/2023
Protection Event Time: 14:10
Log File: 90725219-82f7-11ee-8918-94c691903ba2.json

-Software Information-
Version: 4.6.5.293
Components Version: 1.0.2181
Update Package Version: 1.0.77270
Licence: Premium

-System Information-
OS: Windows 11 (Build 22631.2506)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\LibreOffice\program\soffice.bin, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: RiskWare
Domain: mujweb.cz
IP Address: 46.255.231.129
Port: 80
Type: Outbound
File: C:\Program Files\LibreOffice\program\soffice.bin

(end)

Have a look at the answers about Avast:

https://ask.libreoffice.org/search?q=avast%20%23english

If you downloaded and installed the version from LibreOffice.org and you checked the SHA hash on download then you are probably getting a false positive from Malwarebytes.

Check with a reputable antivirus online screen. If it comes back as OK, then the question should be asked at Malwarebytes.

@EarnestAI, thanks for the suggestions. I can't see how to check the SHA hash, but it was downloaded from the official LO site.

Looking at the code in description.xml, and using Google Translate (code is in Czech), I find these lines:


Putting the URL into my browser again triggers a warning from Malwarebytes:
Website blocked due to riskware
Website Blocked: mujweb.cz

v2.6.13 | Riskware: 2.0.202311151316

Malwarebytes Browser Guard blocked this page because it may contain malicious activity.

Not sure who mujweb.cz is (again, blocked by Malwarebytes). Can't find it referenced in any of the extension source code.
The Author’s new site is http://www.volny.cz/macrojtb/0gnu-lgpl_en.html so that's not it. My guess is that someone has hacked the auto-update URL and there is a redirect which at some later date might be exploited.

I would also feel a lot happier if all URLs were HTTPS, not HTTP. For the moment I’m glad I have a lifetime subscription to Malwarebytes and will turn off automatic updates for extensions.

Sigh.
You yourself pointed to Is mujweb.cz safe download unexpectedly when looking at Macros … No it is not hacked, it’s the old site there. It is OK.

On the download page, click Info just under the download button. The page lists different hashes.

Right click the LibreOffice download and select SHA, compare the hash of the download to the published hash
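
The thread traces the blocked outbound connection from soffice.bin to an update URL in an extension's description.xml. The following is an added example, not code from the thread or from LibreOffice: it lists every URL declared in an .oxt package's description.xml and marks the ones that are fetched over cleartext HTTP or that serve as the update feed. The sample XML and its hostnames are constructed; the `update-information`/`src` layout with `xlink:href` is assumed from the extension description format.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample, not the real extension's file: an HTTPS publisher link
# and an update feed that is still declared over plain HTTP.
SAMPLE_DESCRIPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<description xmlns="http://openoffice.org/extensions/description/2006"
             xmlns:xlink="http://www.w3.org/1999/xlink">
  <publisher><name xlink:href="https://publisher.example.org/" lang="en">Example</name></publisher>
  <update-information>
    <src xlink:href="http://old-host.example.org/ext.update.xml"/>
  </update-information>
</description>"""

def _walk(elem, path, out):
    """Collect (element path below the root, URL) for every xlink:href."""
    here = path + [elem.tag.rsplit("}", 1)[-1]]  # strip the XML namespace
    href = elem.get(XLINK_HREF)
    if href:
        out.append(("/".join(here[1:]), href))
    for child in elem:
        _walk(child, here, out)

def audit_oxt(oxt_bytes):
    """Return one finding per URL in the description.xml of an .oxt (zip) package."""
    with zipfile.ZipFile(io.BytesIO(oxt_bytes)) as oxt:
        if "description.xml" not in oxt.namelist():
            return []
        # For packages from unknown sources, use a hardened parser such as defusedxml.
        root = ET.fromstring(oxt.read("description.xml"))
    refs = []
    _walk(root, [], refs)
    return [{"where": where,
             "host": urlsplit(url).hostname,
             "cleartext": urlsplit(url).scheme.lower() != "https",
             "update_feed": where.startswith("update-information/")}
            for where, url in refs]

def build_sample_oxt():
    """Pack the constructed description.xml into an in-memory .oxt archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("description.xml", SAMPLE_DESCRIPTION)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_oxt(build_sample_oxt()):
        print(finding)
```

A finding with both `cleartext` and `update_feed` set names the host that LibreOffice will contact when it checks that extension for updates, which is the kind of connection the Malwarebytes log above attributes to soffice.bin.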