LNK File Analysis: LNKing It Together!

The purpose of this article is to dig into the Shell Link Binary File Format that powers LNK files and to examine how these simple shortcuts (LNKs) can become gateways to havoc.

Shell Link Binary (File Format)

The Shell Link Binary File Format is what powers LNK files. It describes a structure (think of it as a container that holds objects) called a ‘shell link’, which is the jargon for a shortcut or LNK file. Its purpose is rather simple: to access one data object by means of another object. To do so, the shell link has to store some form of reference to the target data object (called the ‘link target’) so that the source can create a relation (called a ‘link’) to it.

Figure 1: Overview of the Shell Link Binary file format

  • LINKTARGET_IDLIST
  • LINKINFO
  • STRING_DATA
  • EXTRA_DATA

SHELL_LINK_HEADER

The SHELL_LINK_HEADER is the only structure that an LNK file must contain to conform to the file format. It holds key information about the target file, the attributes pertaining to that file, and fields such as LinkFlags, which identify which of the optional structures that follow are present.

Figure 2: Overview of the SHELL_LINK_HEADER structure

LINKTARGET_IDLIST

Assuming HasLinkTargetIDList is set in the LinkFlags of the previous structure, this structure stores references to the target’s location(s) on the filesystem.

Figure 3: Overview of the LINKTARGET_IDLIST structure

LINKINFO

Similarly, if the HasLinkInfo flag is set in the LinkFlags of the first header, the LINKINFO structure is populated. This structure holds information useful for resolving link targets and identifying their location, including the drive volume, serial number, label, and local path.

STRING_DATA

The STRING_DATA section is largely controlled by the LinkFlags field in the SHELL_LINK_HEADER. For example, if the HasWorkingDir and HasRelativePath flags are set, you will find the working directory and the relative path of the link target in this structure.

EXTRA_DATA

Finally, the EXTRA_DATA structure holds all other complementary information about a link target. Although the complete list is available here, a few blocks are worth a mention:

  • TrackerDataBlock offers another way to locate and resolve the link target using the Link Tracking Service, which can help identify whether the target file was copied or moved. It can also reveal the MachineID (NetBIOS name) of the host where the target last existed and a MAC address.

Figure 4: Overview of the EXTRA_DATA structure

Parsing LNK Files

Isn’t it rather tedious to go through the specification each time? Luckily, our peers have done an awesome job writing parsers that read LNK files and reveal their data instantly.

LECmd.exe -h
LECmd.exe -f "C:\Users\X\Desktop\HxD.lnk"
Figure 5: Output of LECmd on a Sample LNK file

The Dark Side of LNK Files

Most commonly, threat actors abuse the command-line arguments field of LNK files so that the shortcut acts as a downloader. Let’s take a look at how a typical malicious LNK file appears to the user.

Figure 6: How sweet is it?

Figure 7: Call to ‘hsmta’ with a URL (likely a downloader)

Relative Path: ..\..\..\Windows\System32\hsmta.exe...
Local path: C:\Windows\System32\hsmta.exe
...
-File ==> mshta.exe
Short name: hsmta.exe
Modified: 2021-01-02 03:07:32
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: mshta.exe
Created: 2021-01-02 03:07:32
Last access: 2021-01-02 03:07:32
MFT entry/sequence #: 215068/6 (0x3481C/0x6)
...
Environment variables: %windir%\System32\hsmta.exe
...
28636aa6-953d-11d2-b5d6-00c04fd918d0\30 Parsing Path ==> C:\Windows\System32\hsmta.exe

Figure 8: Nothing suspicious here. Just a cmd.exe call… move on.

What Can We Do About It?

Writing detection rules is perhaps one of the most efficient ways to detect and thwart malicious attempts to execute LNK files.
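To tie the structures described above to the triage step, here is an added example (my own code, not the article's and not LECmd's) that parses the SHELL_LINK_HEADER, LINKTARGET_IDLIST, LINKINFO, STRING_DATA and EXTRA_DATA of an LNK file and then runs a few analyst-style checks over the parsed fields. The LNK bytes are constructed in memory to mirror the shape of Figure 7 (a relative path to mshta.exe and a URL in the arguments; the URL is a placeholder, not a real indicator), and the checks in `triage()` are illustrative heuristics rather than a detection rule from the article.

```python
"""Minimal Shell Link (LNK) parser plus a small triage pass.

Added example with a constructed sample; field layout follows MS-SHLLINK.
"""
import struct

# LinkCLSID every Shell Link starts with: 00021401-0000-0000-C000-000000000046
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1), lowest bit first
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# STRING_DATA strings appear in this fixed order, each gated by one flag
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized

# Script/command hosts an analyst would look at twice as an LNK target
SCRIPT_HOSTS = ("mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe")


def _read_string(buf, pos, unicode):
    """Read one STRING_DATA entry: CountCharacters (2 bytes) then the characters, no NUL."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    width = 2 if unicode else 1
    raw = buf[pos:pos + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252"), pos + count * width


def parse_lnk(buf):
    """Walk the five top-level structures and return the fields of interest as a dict."""
    (header_size, clsid, flags, _attrs, _ctime, _atime, _wtime,
     file_size, _icon_index, show_cmd) = struct.unpack_from("<I16sIIQQQIII", buf, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    result = {"flags": flags, "file_size": file_size, "show_command": show_cmd, "id_list_items": 0}
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        end = pos + id_list_size
        items = 0
        while True:  # ItemIDSize includes its own 2 bytes; TerminalID is a zero size
            item_size = struct.unpack_from("<H", buf, pos)[0]
            pos += 2
            if item_size == 0:
                break
            pos += item_size - 2
            items += 1
        result["id_list_items"] = items
        pos = end
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", buf, pos)[0]  # LinkInfoSize covers the whole structure
    unicode = bool(flags & IS_UNICODE)
    for name, bit in STRING_FIELDS:
        if flags & bit:
            result[name], pos = _read_string(buf, pos, unicode)
    sigs = []  # EXTRA_DATA: (BlockSize, BlockSignature, ...) blocks ended by BlockSize < 4
    while pos + 4 <= len(buf):
        block_size = struct.unpack_from("<I", buf, pos)[0]
        if block_size < 4:
            break
        sigs.append(struct.unpack_from("<I", buf, pos + 4)[0])
        pos += block_size
    result["extra_data_signatures"] = sigs
    return result


def triage(parsed):
    """Return analyst-facing findings; an empty list means nothing was flagged (heuristics only)."""
    findings = []
    host = (parsed.get("relative_path") or "").lower().rsplit("\\", 1)[-1]
    args = (parsed.get("arguments") or "").lower()
    if host in SCRIPT_HOSTS:
        findings.append("target is the script/command host " + host)
    if "http://" in args or "https://" in args:
        findings.append("command-line arguments contain a URL")
    if parsed.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("target window starts minimized")
    return findings


def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample(target=r"..\..\..\Windows\System32\mshta.exe",
                 args="https://example.invalid/constructed-sample.hta",
                 show_cmd=SW_SHOWMINNOACTIVE):
    """Construct an LNK in memory (constructed sample: zero timestamps, placeholder URL)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    id_list = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"  # one 4-byte ItemID + TerminalID
    strings = _string_data(target) + _string_data(r"C:\Windows\System32") + _string_data(args)
    known_folder = struct.pack("<II16sI", 0x1C, 0xA000000B, bytes(16), 0)  # KnownFolderDataBlock
    return header + struct.pack("<H", len(id_list)) + id_list + strings + known_folder + struct.pack("<I", 0)


if __name__ == "__main__":
    parsed = parse_lnk(build_sample())
    for key in ("relative_path", "working_dir", "arguments"):
        print(f"{key}: {parsed[key]}")
    print("findings:", triage(parsed))
```

The parser stops at the field boundaries the article names, so a block such as TrackerDataBlock is only reported by signature; decoding its MachineID and MAC address would be the natural next step.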
