LNK File Analysis: LNKing It Together!

The purpose of this article is to dig into the Shell Link Binary file format that powers LNK files and to analyze how these simple shortcuts (LNKs) can become gateways to havoc.

Shell Link Binary (File Format)

Figure 1: Overview of the Shell Link Binary file format

SHELL_LINK_HEADER

Figure 2: Overview of the SHELL_LINK_HEADER structure

LINKTARGET_IDLIST

Figure 3: Overview of the LINKTARGET_IDLIST structure

LINKINFO

STRING_DATA

EXTRA_DATA

Figure 4: Overview of the EXTRA_DATA structure

Parsing LNK Files

LECmd.exe -h
LECmd.exe -f "C:\Users\X\Desktop\HxD.lnk"
Figure 5: Output of LECmd on a Sample LNK file

The Dark Side of LNK Files

Figure 6: How sweet is it?
Figure 7: Call to ‘hsmta’ with a URL (likely a downloader)
Relative Path: ..\..\..\Windows\System32\hsmta.exe...
Local path: C:\Windows\System32\hsmta.exe
...
-File ==> mshta.exe
Short name: hsmta.exe
Modified: 2021-01-02 03:07:32
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: mshta.exe
Created: 2021-01-02 03:07:32
Last access: 2021-01-02 03:07:32
MFT entry/sequence #: 215068/6 (0x3481C/0x6)
...
Environment variables: %windir%\System32\hsmta.exe
...
28636aa6-953d-11d2-b5d6-00c04fd918d0\30 Parsing Path ==> C:\Windows\System32\hsmta.exe
Figure 8: Nothing suspicious here. Just a cmd.exe call… move on.

What Can We Do About It?

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.

Syed Hasan