I need help to uncover the purpose of a malware file received on LinkedIn

  • Question

  • Hi Everyone,

    I received a PDF from a former colleague on LinkedIn, stating that she'd like my input on a project she was bidding for. This sounded like a very reasonable request from the person concerned. I replied that I'd look at it shortly and received a thanks.

    On opening the file, the conversation chain was deleted, I can no longer locate my colleague or any mention of her when searching LinkedIn, and a whole host of computer issues I'd already noticed (group security policy being reset, inconsistencies in machine behavior, domain DNS records updated with unfamiliar entries, desktop virtualization issues...) got a hell of a lot worse.

    In short, I need help to forensically dissect the file concerned (which I was able to save). Has anyone experience reverse engineering this sort of thing?

    I ask here because it has object calls that go over and above a typical PDF, calling content from all over the place. Do PM me if you may be able to assist.

    • Edited by Caliden2020 Monday, October 12, 2020 6:31 PM Potentially unsafe content linked
    • Moved by Bill_Stewart Wednesday, October 14, 2020 1:27 AM Off-topic/unanswerable
    Sunday, October 11, 2020 8:55 AM

All replies

  • This is not the best place for a security question.

    You post your code in the scripting forum, and it looks like there is nothing about scripting in your question.

    The opinion expressed by me is not an official position of Microsoft

    • Proposed as answer by jrv Sunday, October 11, 2020 9:24 AM
    Sunday, October 11, 2020 9:11 AM
  • Please contact your AV provider for assistance with this. It is not something you can do with scripting. I am a fairly good analyst and would not attempt to analyze a file assumed to be infected with malware. This is something only the best experts can do if your AV software cannot detect issues.

    All AV vendors have a site where you can upload a file and have it deeply analyzed for free.

    As noted above, this is not a forum for your issue.

    Monday, October 12, 2020 11:34 PM